DNS Tunneling (Ab)Uses

Share with your network!

October 07, 2014 Tom Landesman

Abuse of global DNS infrastructure for the purpose of distributed denial-of-service (DDoS) attacks on various Internet services has been a hot topic in the news for some time now. But there is another unintended use of DNS that can be exploited for a wide range of purposes: DNS tunneling. These purposes can range from benign to dubious to outright malicious. For example, some botnets such as Feederbot and Morto use DNS requests and TXT record responses to communicate with command and control servers. DNS tunneling also provides a convenient avenue for bypassing a network's protocol and application-level restrictions. Researcher's have shown that it could be possible to exfiltrate the results of SQL injection via DNS tunneling− sneaking past monitoring to subvert data leak prevention measures and avoid triggering alarms.

VPN and popular tunneling services such as Iodine have both good and bad uses. For example, these can be used to exfiltrate sensitive information from an internal network, which has no DNS protection. But political activists can use them to avoid state-level content censorship. Wi-Fi hotspots often impose paywalls to support the service, which a user can often circumvent using DNS tunneling, accessing the Internet for free. Even some mobile operators are guilty of forcing their customers’ traffic to tunnel over DNS to avoid paying termination fees. Various security services and anti-virus programs use DNS to look up signatures – a benign use of the DNS infrastructure as a distributed database rather than a name resolution service. [tweet_box]DNS tunneling provides an avenue to bypass a network's protocol and application-level restrictions.[/tweet_box] These unconventional uses of DNS may have a noticeable impact on the infrastructure. While investigating the traffic at a major ISP in Asia, we saw an average of 0.5 queries per IP per minute. A single user running a DNS tunneling package, like Iodine would generate 17056 queries in that same window, 3273 times the norm. If one in a thousand users were tunneling over DNS, the traffic from this 0.1 percent would amount to over 13.4 million extra queries, increasing the total volume of queries more than 3.27 times. These uses and abuses of DNS are commonplace today and going to grow in the future. Without technology to control DNS traffic and protect networks, network owners could suffer harm and the infrastructure could be put at risk. For a deeper dive into DNS tunneling, please see our new DNS tunneling whitepaper.

Mobile Messaging Security

Email Messaging Security

Threat Insight

The most complete, comprehensive and accurate Mobile Messaging defense solution

Mobile Operators

Secure Your Mobile Messaging Environment

Protect Your Traffic with a Cloud Service

Monetize Traffic by Identifying and Preventing Grey Route Abuse

Secure Your RCS and Future Mobile Messaging Traffic

Secure Your Email to Mobile Messaging

Internet Service Providers (ISPs)

Secure Your Email Environment On-Premises

Secure Your Email Environment Cloud Version

Provide Real-time (best-in-class) Threat Insight through Scanning and Analysis

Provide a Better Email Experience to Your Customers

Security Services

Security Operation Centers (SOC) Services

About

Products

Resources

Connect

Support