The abuse of DNS

Editorial Type: Technology Focus | Date: 2016-11-01 | Tags: Networking, Security, DNS servers, Infoblox
Rod Rasmussen, vice president of cybersecurity at Infoblox, provides an insight into the trend for using DNS to transport data

DNS tunnelling isn't necessarily malicious, but even benign activity causes problems for cybersecurity teams. Malicious DNS tunnelling describes the use of the Domain Name System (DNS) protocol to exfiltrate information from a network and to enable the transmission of malware Command and Control (C&C) communications through the network perimeter.

It's not uncommon: our Security Assessment Report in Q2 of this year showed that four in ten enterprise networks displayed evidence of DNS tunnelling. But all is not as it seems. Some traffic which appears to be unauthorised or malicious DNS tunnelling is actually sent intentionally by legitimate users and services, and while it appears authentic and appropriate, it's not exactly safe.

Because DNS translates domain names into IP addresses, the queries are tiny data packets designed to transmit only the data required to complete the name resolution process. But the DNS protocol has enough flexibility so that other data can be inserted into a packet and transmitted in, or out, of a network.

The most basic form of this technique is DNS signalling, which often uses a cryptographic hash function to encode information into query strings or response records. The downside of this is that performance is usually hampered by the restrictive size of each packet, meaning that a high volume of packets is required even for a small amount of data, making progress slow.

DNS tunnelling takes this a step further with some simple techniques, for example by using DNS queries to encode other protocols including HTTP, FTP or SMTP over a DNS session. Given their similarity, both techniques can be considered as DNS tunnelling.

Using DNS for legitimate data transfers can cause network and security teams to believe they've uncovered malicious DNS tunnelling, as both uses look very similar.

As well as false positives, theft-of-service concerns and making it harder to spot real malicious activity, DNS tunnelling isn't a smart use of DNS protocol, even if it's for legitimate purposes. Using DNS in this way is a workaround to get past network controls established by an operator, and it constitutes a misuse of the network.

In practice, DNS tunnelling could be employed to proxy past filters designed to block social media or personal email use, but more serious activity could threaten the whole network.

Many commercial products use DNS signalling to provide data transfer services. Around the same time as DNS tunnelling was rising in prominence, some manufacturers of customer premises equipment (CPE) were having problems sending updates to their consumer-grade Wi-Fi routers or modems across consumer and SMB networks.

With some inconsistency on the types of traffic allowed through certain ISPs and the difficulty in establishing proper connections through NAT-based routers, DNS was considered a viable alternative. It wasn't long before some CPE companies were using the protocol to perform software updates and other maintenance tasks.

Most enterprise-grade networks now handle this using proper communications and authentication channels, but internal departments and branch offices can sometimes have cheaper CPE which may still be using DNS.

DNS tunnelling circumvents the controls put in place by the network team. This then opens up security, compliance and operational concerns and runs the risk of overloading the DNS protocol and anomaly detection systems used to examine DNS traffic.

Organisations are beginning to understand the strategic importance of DNS and are keen to protect it by discovering how much extraneous DNS traffic is running on their network. Until this practice ends completely, it's important that every precaution is taken to gain visibility into, and protect, this valuable yet vulnerable protocol.
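The article describes tunnelling as encoded data carried in query strings, which the small packet size forces into a high volume of queries, and closes by urging organisations to find out how much extraneous DNS traffic they carry. The following is an added example, not Infoblox code, of a simple detection heuristic over a constructed query log: it groups queries by registered domain and flags domains whose subdomain labels are long, high-entropy and almost never repeated, exactly the footprint that encoded payload labels leave. The log entries, domain names and thresholds are all made up for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): ordinary lookups from 10.0.0.5 and a
# burst of long, hash-like, never-repeated labels from 10.0.0.9.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.9", "7a3f9c2e1b4d8e6f0a5c9d3e2f1b7a4c.exfil-test.example"),
    ("10.0.0.9", "3e8d1c7b5a9f2e4d6c0b8a1f3d5e7c9b.exfil-test.example"),
    ("10.0.0.9", "c4b2a1d3e5f6071829384756a1b2c3d4.exfil-test.example"),
    ("10.0.0.9", "9f8e7d6c5b4a39281706f5e4d3c2b1a0.exfil-test.example"),
]

def shannon_entropy(text):
    """Bits per character: encoded payload labels score far above dictionary words."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname, levels=2):
    """Return (registered domain, subdomain prefix) for a query name."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-levels:]), ".".join(labels[:-levels])

def score_domains(queries, min_queries=3, entropy_min=3.0, length_min=30, unique_min=0.9):
    """Flag registered domains whose subdomain prefixes look like carried data."""
    per_domain = defaultdict(lambda: {"queries": 0, "prefixes": set(), "entropy": 0.0, "length": 0})
    for _client, qname in queries:
        base, prefix = split_name(qname)
        st = per_domain[base]
        st["queries"] += 1
        st["prefixes"].add(prefix)
        st["entropy"] += shannon_entropy(prefix)
        st["length"] += len(prefix)
    flagged = {}
    for base, st in per_domain.items():
        if st["queries"] < min_queries:
            continue  # tunnels need many small packets; a handful of queries proves nothing
        avg_entropy = st["entropy"] / st["queries"]
        avg_length = st["length"] / st["queries"]
        unique_ratio = len(st["prefixes"]) / st["queries"]  # payload labels rarely repeat
        if avg_entropy >= entropy_min and avg_length >= length_min and unique_ratio >= unique_min:
            flagged[base] = {"queries": st["queries"], "avg_entropy": round(avg_entropy, 2),
                             "avg_prefix_length": round(avg_length, 1), "unique_ratio": round(unique_ratio, 2)}
    return flagged

if __name__ == "__main__":
    for base, detail in score_domains(SAMPLE_QUERIES).items():
        print(f"possible DNS tunnelling via {base}: {detail}")
```

The legitimate DNS signalling the article describes, such as CPE update traffic, produces the same footprint and will trip this heuristic too, so flagged domains belong on a review list that the network team reconciles against known services rather than in an automatic block rule.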