What Is DNS Tunneling?

Domain name system, or DNS, is the protocol that translates human-friendly URLs, such as paloaltonetworks.com, into machine-friendly IP addresses, such as 199.167.52.137. Cybercriminals know that DNS is widely used and trusted. Furthermore, because DNS is not intended for data transfer, many organizations don’t monitor their DNS traffic for malicious activity. As a result, a number of types of DNS-based attacks can be effective if launched against company networks. DNS tunneling is one such attack.

How DNS Tunneling Works

DNS tunneling exploits the DNS protocol to tunnel malware and other data through a client-server model.

1. The attacker registers a domain, such as badsite.com. The domain’s name server points to the attacker’s server, where a tunneling malware program is installed.
2. The attacker infects a computer, which often sits behind a company’s firewall, with malware. Because DNS requests are always allowed to move in and out of the firewall, the infected computer is allowed to send a query to the DNS resolver. The DNS resolver is a server that relays requests for IP addresses to root and top-level domain servers.
3. The DNS resolver routes the query to the attacker’s command-and-control server, where the tunneling program is installed. A connection is now established between the victim and the attacker through the DNS resolver. This tunnel can be used to exfiltrate data or for other malicious purposes. Because there is no direct connection between the attacker and victim, it is more difficult to trace the attacker’s computer.

DNS tunneling has been around for almost 20 years. Both the Morto and Feederbot malware have been used for DNS tunneling. Recent tunneling attacks include those from the threat group DarkHydrus, which targeted government entities in the Middle East in 2018, and OilRig, which has been operating since 2016 and is still active.

How do you stop attackers from using DNS against you? Read our white paper to learn the steps you can take to stop DNS attacks.