How can enterprises defend against malware using DNS tunnels?

Malware is increasingly using DNS tunnels to aid in data exfiltration. Expert Nick Lewis explains how the attacks work and how best to defend against them.

Nick Lewis

Malware creators are using DNS requests for data exfiltration. How do these attacks work, and what are the best...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please log in.

You have exceeded the maximum character limit.

Please provide a Corporate Email Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

ways to defend against them?

Advanced attackers have been using DNS tunnels, ICMP tunnels, among others, for many years. Due to their successes, many other attackers have also adopted the technique, leading to its rise in popularity. DNS has also typically been allowed to connect outbound to the Internet without filtering, allowing attackers to use it to tunnel data out of compromised networks.

DNS tunnels work on an already compromised computer by encoding small amounts of data in a malicious DNS name. The compromised computer can perform a DNS lookup on the malicious domain name and/or use a DNS server controlled by the attacker. When the DNS requests from the compromised computer get to the intended recipient DNS server or device, the attacker can either log that data for later use and/or send a small amount of data back to the compromised computer in the DNS response. The DNS response could be a command for the compromised computer to execute. This exchange can tunnel a small amount of data out of a network and set up indirect communications between two computers on the Internet.

Defending against attacks using DNS tunnels first requires detecting the anomalous DNS traffic. This can be done by monitoring DNS logs or by monitoring the network directly using a tool. The initial DNS server could also be configured to log DNS lookup requests, and those logs could be monitored looking for, for example, a large number of DNS requests from one endpoint or a large number of DNS requests that needed to be forwarded. This same analysis could also be performed by monitoring network traffic.

Organizations can take care of the job in house with DNS security tools or outsource to DNS providers -- such as Neustar Inc., OpenDNS and Percipient Networks -- that can perform analysis on enterprise DNS traffic and can potentially block or blackhole the DNS lookup being sent to the malicious DNS server.

Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Learn more about DNS attack prevention

Find out why incident response planning is crucial to prevent DNS attacks

This was last published in October 2015

FBI, CISA warn of impending ransomware attacks on hospitals

Why securing the DNS layer is crucial to fight cyber crime

What are the risks of third-party VPN services?

DNS attack

Next Steps

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

FBI, CISA warn of impending ransomware attacks on hospitals

Why securing the DNS layer is crucial to fight cyber crime

What are the risks of third-party VPN services?

DNS attack

Related Q&A from Nick Lewis

What are port scan attacks and how can they be prevented?

Explore benefits and challenges of cloud penetration testing

What are the best criteria to use to evaluate cloud service providers?