DNS tunnelling is so often a technique used to maliciously exfiltrate data
DNS tunnelling is so often a technique used to maliciously exfiltrate data

The latest Infoblox Security Assessment Report reveals 40 per cent of the files it tested showed evidence of DNS tunnelling. That's nearly half of the enterprise networks that were tested by Infoblox returning evidence of a threat that can mean active malware or ongoing data exfiltration within the network.

For more than a decade now the bad guys have been looking at ways of using DNS to exfiltrate data. Port 53 manipulation, also known as DNS Tunneling, allows data to be directed through this established path for malicious purposes. Perhaps this shouldn't be surprising, given the inherently trusted nature of DNS.

While there are some 'quasi-legitimate' uses of DNS tunnelling, many will be malicious. The nature of these attacks can vary, depending if the perpetrator is an off the shelf scripter or nation state actor. Project Sauron, an example at the nation state end of the spectrum, used DNS tunneling to exfiltrate data.

Rod Rasmussen, vice president of cyber-security at Infoblox, says that "the widespread evidence of DNS tunnelling uncovered by the report shows cyber-criminals at all levels are fully aware of the opportunity." Rasmussen also points out that when suspicious DNS activity is detected, security teams can "use the information to quickly identify and remediate infected devices."

Luther Martin, Distinguished Technologist at HPE Security, is in agreement that DNS tunneling is used by lots of hackers. "It's actually a fairly robust way to sneak data past a firewall" Martin told SCMagazineUK.com "it's easy to get data rates of over 100 MB/s with it." Indeed, he's even seen DNS tunneling as a service offerings out there.

Interestingly, according to Martin, DNS tunneling for the egress of lots of data (think big breach) is unlikely as firewalls are often surprisingly bad at egress filtering. "The main use", Martin concludes, "might actually be to bypass firewalls and get WiFi access without paying for it."

Luke Potter, Security Practice Director for SureCloud, revealed during a conversation with SC that DNS tunneling is even "an area that our testing team are actively using in client engagements" and that "we often find that mitigation for DNS tunnelling has not been considered or implemented."

And Marc Laliberte, Information Security Threat Analyst at WatchGuard Technologies has seen tunneling "prominently used in the Multigrane POS malware which made its rounds earlier this year." What's more, he told us he expects to "continue to see DNS tunnelling used for data exfiltration and C2 connections until organisations better prepare themselves to stop it."

So how do they do that then?

Jonathan Couch, VP of Strategy at ThreatQuotient told SC that despite something like 90 per cent of malware utilising DNS for command and control as well as exfiltration, organisations which should know this continue not manage their own DNS internally and still let UDP and TCP port 53 flow freely through their firewalls. "And those that do implement internal DNS" Couch adds "either don't monitor it for tunneling or don't enforce use of it by blocking UDP/TCP 53 at the firewalls."

The why is interesting, and reflects a common problem in the world of security teams. They don't plug the hole because it takes resources to implement and maintain internal DNS. "These are resources which the network operations folks need to use for other essential network services or security infrastructure" Couch concludes. That, and the fact that DNS is so core to everything that they don't want to mess it up!

Meanwhile, Luke Potter admits it's not straightforward to prevent this technique of tunnelling data, but provided SC Magazine with this summary:

"To block tunnelling across the network, ensure the egress firewall has intrusion prevention and deep packet inspection enabled, as well as strict outbound port and protocol whitelisting. Additionally, an internal proxy server should be in use with SSL/TLS bumping to intercept encrypted traffic."