DNS tunneling remains a sophisticated method of bypassing security measures, enabling malicious actors to exfiltrate data or establish command-and-control channels. ThreatSTOP’s Security, Intelligence, and Research team has made significant advancements in detecting and neutralizing DNS tunneling activities.

Our enhanced detection capability, named “DNS Tunneling - Domains,” has been significantly improved and made more adaptable. This update increases detection coverage by more than 500% compared to our previous methods. Not only have we broadened our ability to identify malicious DNS activity across notorious TLDs, but we have also expanded our focus to include DNS tunnels that use TXT records to encrypt and transmit traffic, a technique commonly employed to circumvent conventional security measures.

What Is DNS Tunneling, and Why Is It Dangerous?

DNS tunneling is a technique that utilizes the Domain Name System (DNS) protocol to transmit data via DNS queries and responses, thereby establishing a clandestine communication channel. While DNS is primarily intended to facilitate the translation of human-readable domain names into IP addresses, its widespread and frequently unmonitored nature renders it an appealing conduit for malicious activities.

How Does DNS Tunneling Work?

In a typical DNS tunneling scenario, an attacker gains control over a domain and establishes an authoritative DNS server equipped with tunneling malware. The attacker then infects a target machine within a network, which transmits DNS queries containing encoded data to the attacker’s server. These queries bypass the organization’s firewall, as DNS traffic is typically permitted. The attacker’s server decodes the data, establishing a bidirectional communication channel that can be used for various malicious purposes.

How Do Adversaries Leverage DNS Tunneling?

Malicious actors utilize DNS tunneling for several nefarious purposes:

  • Data Exfiltration: Malicious actors exploit compromised systems by embedding sensitive information within DNS queries, enabling data to evade security measures undetected.
  • Command and Control (C2) Communication: Attackers establish persistent communication channels with malware-infected devices, transmitting commands and receiving data without drawing attention.
  • Network Scanning and Victim Tracking: DNS tunneling facilitates the mapping of network infrastructures and the monitoring of target interactions with malicious content, aiding in the refinement of attack strategies.
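The mechanism and uses above leave a recognizable footprint in resolver logs: many distinct, long, high-entropy subdomains under one registered domain, often with a disproportionate share of TXT lookups. The following script is an added illustration of how a defender can score query logs for that footprint. It is not ThreatSTOP’s detection logic or code; the log format, the thresholds, and the domains (example.com, badexample.test) are constructed for the example.

```python
"""Heuristic DNS-tunneling detector over resolver query logs.

Added example, not ThreatSTOP code. It scores each queried name on features
typical of tunnelled traffic (long labels, high-entropy payload, deep
nesting, digit-heavy encodings) and then aggregates per registered domain
to catch the "many unique subdomains, mostly TXT" pattern.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<client> <qtype> <qname>".
# badexample.test is a made-up tunnel domain; example.com stands in for
# ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.7 TXT 6a6f686e2e646f65.c1f9e2b47a3d5e0f8c2b1a9e7d6f5c4b.tun.badexample.test
10.0.0.7 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.a1b2c3d4e5f60718293a4b5c6d7e8f90.tun.badexample.test
10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.ffeeddccbbaa99887766554433221100.tun.badexample.test
10.0.0.7 A 123456789abcdef0123456789abcdef0.tun.badexample.test
10.0.0.9 A cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels). A real deployment should use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(qname: str) -> float:
    """Per-query suspicion score in [0, 1]; thresholds are assumptions for the example."""
    labels = qname.lower().rstrip(".").split(".")
    payload = "".join(labels[:-2])  # everything below the registered domain
    if not payload:
        return 0.0
    score = 0.0
    if max(len(label) for label in labels) >= 30:   # chunked data fills labels
        score += 0.3
    if shannon_entropy(payload) >= 3.5:             # encoded data is near-random
        score += 0.3
    if len(labels) >= 4:                            # deep nesting carries more payload
        score += 0.2
    digits = sum(ch.isdigit() for ch in payload)
    if digits / len(payload) >= 0.3:                # hex/base32 payloads are digit-heavy
        score += 0.2
    return round(score, 2)


def analyze_log(log_text: str, min_queries: int = 3):
    """Return {registered_domain: report} for domains whose query pattern looks like a tunnel."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "names": set(), "score_sum": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qtype, qname = line.split()
        qname = qname.lower().rstrip(".")
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["txt"] += qtype.upper() == "TXT"
        s["names"].add(qname)
        s["score_sum"] += score_query(qname)

    flagged = {}
    for domain, s in stats.items():
        if s["queries"] < min_queries:          # too little traffic to judge
            continue
        mean_score = s["score_sum"] / s["queries"]
        txt_ratio = s["txt"] / s["queries"]
        unique_ratio = len(s["names"]) / s["queries"]
        # Either the names themselves look encoded, or the domain is answered
        # almost exclusively via TXT with a fresh subdomain per query.
        if mean_score >= 0.5 or (txt_ratio >= 0.5 and unique_ratio >= 0.9):
            flagged[domain] = {
                "queries": s["queries"],
                "txt_ratio": round(txt_ratio, 2),
                "unique_name_ratio": round(unique_ratio, 2),
                "mean_score": round(mean_score, 2),
            }
    return flagged


if __name__ == "__main__":
    for domain, report in analyze_log(SAMPLE_LOG).items():
        print(domain, report)
```

Run against the constructed log, only badexample.test is flagged: four queries, three of them TXT, every name unique, and every name scoring 1.0, while example.com scores 0 on every feature. The per-domain aggregation matters because a single odd-looking query is common in legitimate CDN and anti-spam traffic; the combination of volume, uniqueness and record type is what separates a tunnel from noise, and it is the kind of signal a Protective DNS layer can act on before the response reaches the client.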

Notable Threat Actors and Tools Utilizing DNS Tunneling

Several advanced persistent threat (APT) groups and malware families have been documented employing DNS tunneling:

  • OilRig (APT34): A threat actor operating in the Middle East, known for creating tools with custom DNS tunneling protocols for C2 communications.
  • xHunt Campaign: Targeted government organizations in the Middle East using backdoors that communicated with C2 servers via DNS tunneling.
  • SUNBURST Backdoor: Part of the SolarWinds supply chain attack, utilized DNS tunneling to evade detection and encode system information within DNS requests.

Unauthorized VPNs and DNS Tunneling

Beyond its overtly malicious applications, DNS tunneling is occasionally used by unauthorized VPN services to evade network restrictions and surveillance. By directing traffic through DNS, these services can circumvent firewalls and content filters, potentially exposing networks to unmonitored and unsecured external communications.

Proactive Protections for Every Environment

Our enhanced “DNS Tunneling - Domains” protection is seamlessly integrated into our Protective DNS product offerings:

  • DNS Defense Cloud: Provides cloud-based DNS protection to intercept and neutralize malicious queries before they reach your network.
  • DNS Defense: Delivers proactive protections directly on your DNS servers, leveraging ThreatSTOP intelligence to detect and mitigate DNS tunneling at the network level.

Dynamic Updates for Real-Time Security

One of the key innovations in our updated detection is its dynamic nature. Unlike static protections that necessitate manual updates, our “DNS Tunneling - Domains” detection continuously adapts to the latest threat intelligence, ensuring you are always protected against emerging DNS tunneling tactics.

Why Choose ThreatSTOP?

The security measures we provide are meticulously crafted by the ThreatSTOP Security, Intelligence, and Research team, ensuring that our customers remain one step ahead of even the most sophisticated cyber threats. Our solutions are designed to proactively protect your organization’s digital assets, including blocking command-and-control traffic, mitigating data exfiltration risks, and preventing phishing campaigns.

At ThreatSTOP, we are committed to empowering businesses to connect with their customers while simultaneously safeguarding them from potential risks. For our detections to function as intended, we strongly recommend enabling several of our Targets together:

  • Implement network controls (router, firewall) to block outbound DNS requests to any destination other than the configured DNS server protected by ThreatSTOP’s Protective DNS Solution. This restriction should apply whether the server is located on-premises or in the cloud.
  • Enable Targets that block DNS inspection bypassing technologies, such as DNS-over-HTTPS (DoH) functions in some browsers or Apple Private Relay.

Take the Next Step

For those interested in joining the ThreatSTOP family or learning more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a demo today!