How can enterprises defend against malware using DNS tunnels?

Malware is increasingly using DNS tunnels to aid in data exfiltration. Expert Nick Lewis explains how the attacks work and how best to defend against them.

Nick Lewis

Malware creators are using DNS requests for data exfiltration. How do these attacks work, and what are the best...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

ways to defend against them?

Advanced attackers have been using DNS tunnels, ICMP tunnels, among others, for many years. Due to their successes, many other attackers have also adopted the technique, leading to its rise in popularity. DNS has also typically been allowed to connect outbound to the Internet without filtering, allowing attackers to use it to tunnel data out of compromised networks.

DNS tunnels work on an already compromised computer by encoding small amounts of data in a malicious DNS name. The compromised computer can perform a DNS lookup on the malicious domain name and/or use a DNS server controlled by the attacker. When the DNS requests from the compromised computer get to the intended recipient DNS server or device, the attacker can either log that data for later use and/or send a small amount of data back to the compromised computer in the DNS response. The DNS response could be a command for the compromised computer to execute. This exchange can tunnel a small amount of data out of a network and set up indirect communications between two computers on the Internet.

Defending against attacks using DNS tunnels first requires detecting the anomalous DNS traffic. This can be done by monitoring DNS logs or by monitoring the network directly using a tool. The initial DNS server could also be configured to log DNS lookup requests, and those logs could be monitored looking for, for example, a large number of DNS requests from one endpoint or a large number of DNS requests that needed to be forwarded. This same analysis could also be performed by monitoring network traffic.

Organizations can take care of the job in house with DNS security tools or outsource to DNS providers -- such as Neustar Inc., OpenDNS and Percipient Networks -- that can perform analysis on enterprise DNS traffic and can potentially block or blackhole the DNS lookup being sent to the malicious DNS server.

Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Learn more about DNS attack prevention

Find out why incident response planning is crucial to prevent DNS attacks

This was last published in October 2015

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Nick Lewis asks:

Does your organization monitor for DNS tunnels and other DNS threats?

Join the Discussion

Related Q&A from Nick Lewis

What are the benefits and challenges of cloud penetration testing?

Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading

What are the best criteria to use to evaluate cloud service providers?

Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading

What is the best way to write a cloud security policy?

Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading

SearchCloudSecurity

How enterprise cloud VPN protects complex IT environments

Do you know how enterprise cloud VPN differs from a traditional VPN? Explore how cloud VPN works and whether it's the right ...

CASB, CSPM, CWPP emerge as future of cloud security

Complexity has introduced new needs and challenges when securing cloud environments. Find out how CASB, CSPM and CWPP tools have ...

Prevent cloud account hijacking with 3 key strategies

The ability to identify the various methods of cloud account hijacking is key to prevention. Explore three ways to limit ...

SearchNetworking

Juniper's 128 acquisition needed to improve SD-WAN

Juniper Networks plans to 'enhance' its Contrail SD-WAN through the acquisition of 128 Technology. 128 has a more advanced SD-WAN...

The basics of zero-trust network access explained

Some experts believe VPNs have struggled to adapt to an increasingly cloud-based, internet-dependent world. Enter zero-trust ...

Enterprise 5G: Guide to planning, architecture and benefits

An enterprise 5G deployment requires extensive planning. Prepare for advances in wireless technology using this 5G guide that ...

SearchCIO

Is your company's IT governance strategy cloud ready?

As companies prepare to migrate to the cloud, they need to review their IT governance strategy before making any decisions to ...

Government action on big tech monopoly power moving quickly

Government antitrust actions are building against tech giants Amazon, Apple, Facebook and Google. They could lead to tighter ...

Quantum computing challenges and opportunities

While quantum computing is still under development, IT leaders should know how they can use it today to stay on the competitive ...

SearchEnterpriseDesktop

A complete guide to troubleshooting Windows Hello

Windows Hello has several common issues that administrators may need to troubleshoot. Find out what those issues are here and ...

Comparing Jamf vs. Fleetsmith for macOS management

Like any decision around purchasing a business technology, the Jamf vs. Fleetsmith debate for Apple device management comes down ...

Mac users key in defending against Apple T2 chip flaw

IT pros should lean on Mac users to protect corporate networks against exploiters of the Apple T2 chip vulnerability. Hard drive ...

SearchCloudComputing

Compare Google Cloud Deployment Manager vs. Terraform on GCP

Determine whether to opt for cloud native Deployment Manager or third-party Terraform for infrastructure as code on Google Cloud.

Explore the tools for disaster recovery on AWS, Azure and GCP

Utilize cloud infrastructure for your disaster recovery plan. Learn about the tools and services from AWS, Google and Microsoft ...

Cloud performance testing is necessary for app migration

So, you're moving your app to the cloud. Is it ready for that? Here's how to test it to see if it will meet performance goals ...

ComputerWeekly.com

Iron Mountain scales global connectivity collaboration with Telia Carrier

Enhanced global network in APAC, EMEA and North America aims to deliver increased high-performance network diversity for ...

ANZ Bank moves digital banking services to container platform

Australia’s largest bank now runs 30% of its internet banking services on Red Hat OpenShift in a move that has energised ...

NSA’s top CVE list a timely reminder to patch

Many of the CVEs detailed on the NSA’s top 25 chart are golden oldies

Join the conversation

3 comments

Send me notifications when other members comment.

Oldest

[-]

searchsecurity - 6 Oct 2015 8:44 AM

Does your organization monitor for DNS tunnels and other DNS threats?

bobcrusader - 3 Mar 2016 5:38 AM

I've seen plenty of bots communicate on port 53, because it is always open. I sell and train people on how to use WatchGuard UTMs. We encourage the use of the DNS Proxy to detect anomalies in the protocol, as well as a rule to restrict what DNS servers are allowed.

bobcrusader - 3 Mar 2016 5:33 AM

There is also such a thing as a DNS Proxy - it makes sure that what is in a DNS Question and Response are within certain limits and comply with the DNS protocol. WatchGuard UTMs have done it for years.

Why securing the DNS layer is crucial to fight cyber crime

What are the risks of third-party VPN services?

DNS attack

Security Think Tank: How to tool up to catch evasive malware comms

Please create a username to comment.