“Why Middle Eastern Firms Leveraging DNS for Data Transfer May Soon Attract Cybercriminals”
Malicious DNS tunneling is a significant cybersecurity threat, and organizations in the Middle East must remain vigilant. The technique abuses the Domain Name System (DNS) protocol to exfiltrate sensitive corporate or personal data from a network and to carry malware command-and-control traffic.
Indeed, a recent Infoblox Security Assessment Report indicated that two out of five enterprise networks showed signs of DNS tunneling in Q2 of 2016.
However, not everything is as it appears. A detailed examination of suspected DNS tunneling traffic often reveals activity that looks harmful but is in fact generated deliberately by authorized users and services inside the enterprise network, and is generally not malicious.
Exploiting the DNS protocol
DNS queries are small packets whose primary function is name resolution; they are not meant to carry other data. Recent additions such as DNSSEC (signed zone data) and DKIM (mail-signing keys published in TXT records) have broadened what DNS carries, but the goal remains the same: delivering information about a domain name, not transporting unrelated data.
Nonetheless, the protocol is flexible enough that unrelated information can be embedded in a query or response and routed into or out of a target network.
DNS signaling, the simplest form of this approach, encodes a small piece of information (a status token, a file hash) into the labels of a query name or into a response record. It is slow: a single DNS message holds very little data, so even a small transfer needs a large number of queries.
DNS tunneling extends this idea. Using surprisingly simple techniques, it carries entire protocols such as HTTP, FTP or SMTP over a sequence of DNS queries and responses.
For simplicity’s sake, both methods can be categorized under the umbrella of DNS tunneling.
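The two mechanisms above differ only in how much they pack into each query. The following is an added example, not code from the article or from any tool it names, that shows both: a signaling query that carries a single file hash, and a tunneling chunker that splits arbitrary bytes into DNS-compliant query names and reassembles them. The domain names, the session label and the hexadecimal sequence label are assumptions chosen for illustration; the 63-character label and 253-character name limits are from RFC 1035.

```python
import base64
import hashlib

MAX_LABEL = 63   # RFC 1035: one label is at most 63 characters
MAX_NAME = 253   # RFC 1035: a full name is at most 253 characters in presentation form


def signal_name(file_bytes: bytes, lookup_domain: str) -> str:
    """DNS signaling: one query carries one fact.

    A truncated SHA-256 of the file becomes a single label under a lookup
    domain (hypothetical); the answer record would carry the verdict.
    """
    return hashlib.sha256(file_bytes).hexdigest()[:32] + "." + lookup_domain


def tunnel_names(payload: bytes, tunnel_domain: str, session_id: str = "s1") -> list:
    """DNS tunneling: chunk arbitrary bytes into query names of the form
    <seq>.<data>.<data>...<session>.<tunnel_domain>, each within DNS limits.

    The layout (hex sequence label, session label) is an assumption for the
    demo, not the wire format of any particular tunneling tool.
    """
    # base32 is case-insensitive and uses only DNS-safe characters; drop '=' padding
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    suffix = f".{session_id}.{tunnel_domain}"
    names, pos, seq = [], 0, 0
    while pos < len(text):
        seq_label = f"{seq:04x}"          # lets the receiver reorder and de-duplicate
        room = MAX_NAME - len(suffix) - len(seq_label)
        labels = []
        # each data label costs its length plus one '.'; need a dot plus one char
        while pos < len(text) and room >= 2:
            take = min(MAX_LABEL, room - 1, len(text) - pos)
            labels.append(text[pos:pos + take])
            pos += take
            room -= take + 1
        names.append(".".join([seq_label] + labels) + suffix)
        seq += 1
    return names


def reassemble(names: list, tunnel_domain: str, session_id: str = "s1") -> bytes:
    """Receiver side: keep names under our suffix, order by sequence label,
    re-pad the base32 text and decode. Duplicates and reordering are tolerated."""
    suffix_labels = f"{session_id}.{tunnel_domain}".split(".")
    n = len(suffix_labels)
    parts = {}
    for name in names:
        labels = name.lower().split(".")
        if labels[-n:] != suffix_labels:
            continue                      # not part of this session
        seq = int(labels[0], 16)
        parts[seq] = "".join(labels[1:-n])
    text = "".join(parts[k] for k in sorted(parts)).upper()
    text += "=" * (-len(text) % 8)        # restore base32 padding
    return base64.b32decode(text)


if __name__ == "__main__":
    # constructed payload: 10 KB of data needs 71 maximal-length queries
    payload = b"A" * 10_000
    names = tunnel_names(payload, "tun.example.com")
    print(len(names), "queries, first:", names[0][:60] + "...")
    assert reassemble(names, "tun.example.com") == payload
    print(signal_name(b"suspicious file contents", "hash.av.example"))
```

The 10 KB payload alone needs 71 queries, each at the 253-character ceiling; that arithmetic is why the article calls the channel slow, and why a tunnel shows up in resolver logs as a burst of long, unique, high-entropy names under one domain.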
“Legitimate” DNS tunneling
Within an organization, legitimate use of DNS for data transfer can trigger false alarms from the network and security teams watching for malicious tunneling. Most vendors and teams that use DNS this way do not disclose it, which leaves security teams struggling to separate unsanctioned use from malfeasance: at first sight the two look almost identical.
Of course, people who use DNS this way are usually taking a creative shortcut rather than deliberately abusing their organization's network.
The trend began roughly two decades ago, when captive portals and paywalls at hotels and airports blocked direct internet access over conventional protocols such as HTTP. DNS still resolved, so tools such as NSTX, Dnscat and iodine appeared to tunnel web sessions and email through it. Over time these tools grew into complete VPN services over DNS, with many options freely available on GitHub and elsewhere.
Not a prudent use of the protocol
Besides triggering false alarms and raising concerns about service theft, DNS tunneling, whether for legitimate communication or not, is an imprudent use of an organization's DNS infrastructure. Using DNS to move data misuses the protocol to deliberately bypass restrictions set by the network administrator.
This could involve circumventing workplace productivity filters designed to block access to Facebook or personal email services, among other things, potentially posing a broader risk to the entire organization.
However, it appears that numerous commercial products leverage DNS signaling to provide data transfer services.
For instance, simultaneous with the rising popularity of DNS tunneling, some manufacturers of customer-premises equipment (CPE) faced challenges in sending updates to their consumer-grade Wi-Fi routers or cable and DSL modems across residential and SMB networks.
Inconsistencies with various types of traffic permitted through certain ISPs complicated proper connections through NAT-based routers. Consequently, DNS was viewed as a viable solution, leading some CPE companies to utilize the protocol for software updates and maintenance tasks with their installed users.
Today, most enterprise networks handle these tasks with proper transport and authentication methods. Internal departments and branch offices, however, may run cheaper CPE, so the same signals end up crossing an enterprise network over DNS.
Elsewhere, the need for near-continuous interaction with customers has led some antivirus (AV) vendors to build file-hash lookups over DNS. Although this is a fast and effective way to ask whether a suspicious file is known-bad, it produces a stream of queries that is hard to tell apart from malicious DNS communications, and a network that tolerates it has, in effect, left the door open to them.
Bypassing controls
Essentially, the key issue with DNS tunneling techniques is that they bypass controls established by the network team. That creates security, compliance and operational concerns while overloading both the DNS infrastructure and the anomaly-detection systems set up to examine DNS traffic.
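The detection problem described in the "Legitimate" DNS tunneling section and in the AV file-hash case above is that sanctioned signaling and a malicious tunnel produce the same statistical fingerprint. The following is an added example, not code from the article or from any product it mentions, that profiles a constructed resolver log per base domain (unique-subdomain ratio, name length, label entropy, share of TXT/NULL/CNAME queries) and shows why the AV-style lookups trip the same rules as the tunnel, and how an allowlist of known signalers separates the two. All domains, client addresses and thresholds are assumptions for the demo.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

RARE_QTYPES = {"TXT", "NULL", "CNAME"}   # record types tunnels favour for large answers


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for 'www', around 3.7 for hex, 4.5 for base32 data."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str) -> str:
    """Crude registrable-domain guess (last two labels); use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def profile(log):
    """Aggregate per-base-domain features from (client, qname, qtype) tuples."""
    per = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                               "name_len": 0, "entropy": 0.0, "rare": 0})
    for _client, qname, qtype in log:
        d = base_domain(qname)
        sub = qname[: -(len(d) + 1)] if qname.endswith("." + d) else ""
        s = per[d]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["name_len"] += len(qname)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["rare"] += int(qtype in RARE_QTYPES)
    return per


def reasons_for(s) -> list:
    """Heuristic rules; thresholds are assumptions tuned to this sample."""
    q = s["queries"]
    reasons = []
    if len(s["subdomains"]) / q > 0.9:
        reasons.append("almost every query uses a new subdomain")
    if s["name_len"] / q > 50:
        reasons.append("long query names")
    if s["entropy"] / q > 3.0:
        reasons.append("high-entropy labels")
    if s["rare"] / q > 0.5:
        reasons.append("mostly TXT/NULL/CNAME queries")
    return reasons


def flag_domains(log, allowlist=frozenset(), min_queries=5):
    """Verdict per base domain: normal, suspicious, or known-signaling (allowlisted)."""
    out = {}
    for d, s in profile(log).items():
        if s["queries"] < min_queries:
            continue
        r = reasons_for(s)
        if len(r) < 2:
            verdict = "normal"
        elif d in allowlist:
            verdict = "known-signaling"    # still reported, but not an alarm
        else:
            verdict = "suspicious"
        out[d] = {"verdict": verdict, "reasons": r, "queries": s["queries"]}
    return out


def build_sample_log():
    """Constructed resolver log for the demo; no real hosts or captured traffic."""
    log = [("10.0.0.5", f"{h}.example.com", "A")
           for h in ["www", "mail", "www", "www", "login", "www"]]
    # AV-style file-hash lookups: a fresh hash label per query, ordinary A queries
    for i in range(20):
        h = hashlib.sha256(f"file-{i}".encode()).hexdigest()[:32]
        log.append(("10.0.0.7", f"{h}.hash-lookup.av-vendor.example", "A"))
    # tunnel-style traffic: sequence label plus base32 data, TXT queries for big answers
    for i in range(20):
        data = base64.b32encode(hashlib.sha256(f"chunk-{i}".encode()).digest())
        log.append(("10.0.0.9", f"{i:04x}.{data.decode().rstrip('=').lower()}.s1.tun.evil-example.net", "TXT"))
    return log


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for d, v in flag_domains(SAMPLE_LOG, allowlist={"av-vendor.example"}).items():
        print(f"{d:22} {v['verdict']:16} {v['queries']:3} queries  {'; '.join(v['reasons'])}")
```

Without the allowlist the AV vendor's domain is flagged on three of the four rules, exactly the false positive the article describes; the tunnel additionally trips the record-type rule. In practice the allowlist is the list of vendors who disclosed their DNS use, which is why undisclosed use is the real operational problem.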
Companies are increasingly striving to safeguard their DNS as its significance becomes more apparent, and are realizing how much extraneous DNS traffic exists on their networks.
While it may be overly optimistic to expect the practice to stop entirely, IT vendors and manufacturers can be pushed to rely on it less, which would simplify the task of securing this valuable and vulnerable protocol.