
“How Enhanced DNS Utilization by Middle Eastern Companies Could Draw the Attention of Cybercriminals”

Cybersecurity Alert: Malicious DNS tunneling represents a substantial risk in the realm of cybersecurity, demanding attention from organizations in the Middle East. This tactic exploits the Domain Name System (DNS) protocol to covertly extract sensitive corporate or personal information from networks while enabling malware command and control activities.

A recent Infoblox Security Assessment Report revealed that two out of five enterprise networks exhibited indications of DNS tunneling during the second quarter of 2016.

However, it is crucial to understand that not every occurrence is what it appears. A thorough analysis of suspected DNS tunneling traffic frequently uncovers anomalies that look harmful but are in fact generated by authorized users and services within the enterprise network, with no malicious intent behind them.

Utilizing the DNS Protocol

DNS queries are primarily compact packets whose main role is name resolution, not the transport of additional data. While extensions such as the authentication mechanisms DNSSEC and DKIM have emerged, the protocol's primary objective remains unchanged: providing information about a domain name without carrying irrelevant data.

Nonetheless, sufficient flexibility exists within the DNS protocol to incorporate unrelated information into a DNS query, directing it into or out of a specified network.

DNS signaling, the most basic form of this method, typically employs a cryptographic hash function to encode data into query strings or response records. Throughput is poor, however, because DNS packets are small, so even minimal data transfers require a large number of queries.

This concept extends into DNS tunneling, which, using surprisingly straightforward techniques, encodes supplementary protocols such as HTTP, FTP, or SMTP over a DNS session.

For simplicity, both methods can be classified under the broader term DNS tunneling.

“Legitimate” DNS Tunneling

In an organization, utilizing DNS for legitimate communications may unintentionally trigger false alarms with the network and security teams monitoring for malicious DNS tunneling. Many companies engaging in this unauthorized use of DNS typically keep it undisclosed, which makes it harder for security teams to distinguish misuse of the protocol from sanctioned traffic. After all, genuine and nefarious usage can seem nearly indistinguishable at first glance.

Of course, those using DNS in this manner often adopt creative shortcuts rather than purposefully misusing their organization’s networks.

This trend can be traced back roughly twenty years, when paywalls in certain hotels and airports limited direct internet access via traditional protocols like HTTP. However, DNS remained accessible, leading to the development of tools like NSTX, Dnscat, and iodine, enabling users to tunnel web sessions and emails through their DNS connections. Over time, these tools evolved to support comprehensive VPN services over DNS, with many options available for free on GitHub and other platforms.

An Imprudent Use of the Protocol

Alongside triggering false alarms and raising concerns about service misuse, DNS tunneling—whether for valid communication or not—is an imprudent exploitation of an organization’s DNS protocol. Effectively, using DNS to transfer data misuses the protocol to deliberately evade restrictions established by the network administrator.

This could entail circumventing workplace productivity filters intended to block access to social media or personal email services, potentially posing a widespread risk to the organization.

Nevertheless, many commercial products take advantage of DNS signaling to deliver data transfer services.

For example, with the growing popularity of DNS tunneling, some consumer-premises equipment (CPE) manufacturers faced difficulties sending updates to their Wi-Fi routers or cable and DSL modems across residential and SMB networks.

Inconsistencies with various types of traffic allowed by certain ISPs complicated proper connections through NAT-based routers. Consequently, DNS was regarded as a feasible solution, prompting some CPE companies to utilize the protocol for software updates and maintenance tasks with their user base.

Today, most enterprise-level networks manage these operations using appropriate communication and authentication methods. However, internal departments and branch offices might use more affordable CPE equipment, leading to these signals being sent via DNS—even within an enterprise network.

Elsewhere, the need for nearly continuous engagement with customers has driven some antivirus (AV) vendors to establish file hash identification routines via DNS. While this method offers a quick and effective means of assessing whether a suspicious file is infected, it can unwittingly expose a network to harmful communications.

Bypassing Security Controls

Ultimately, the key concern with DNS tunneling practices is that they evade controls set up by the network team, causing security, compliance, and operational issues while overwhelming the DNS protocol and anomaly detection systems designed to monitor DNS traffic.
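The anomaly-detection problem described above, and the false-alarm case raised earlier with AV hash lookups over DNS, as an added example that is not part of the original article: a small Python detector that profiles resolver log lines per registered domain (longest-label length, label entropy, ratio of distinct subdomains) and flags domains that look like encoded payloads. The log lines, domain names and thresholds are constructed for illustration; the base32-looking labels and hex hash labels imitate tunnel traffic and a vendor hash-lookup service respectively.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<client> <qname> <qtype>".
# Rows 3-5 imitate a tunnel (long high-entropy labels, TXT); rows 6-8 imitate an
# AV vendor's hash-lookup service, which looks very similar on the wire. Not real data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 ORSXG5BAMRQXIYJAMZXXEIDQMFSGCABAORXXEZLO.t.tunnel-example.net TXT
10.0.0.7 MN2GC3TOMVWCA2LTEBSGKZTJNZUXIZLMPEQGG33NNBQW4ZDBMJWGK.t.tunnel-example.net TXT
10.0.0.7 NZQWY3DZEBRGS3TDNRQXGZLTEBSGC5DBEBQW4ZBAMNXW4ZTJM4.t.tunnel-example.net TXT
10.0.0.9 d41d8cd98f00b204e9800998ecf8427e.hash.av-example.com TXT
10.0.0.9 e3b0c44298fc1c149afbf4c8996fb924.hash.av-example.com TXT
10.0.0.9 9e107d9d372bb6826bd81d3542a419d6.hash.av-example.com TXT
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score far above ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def registered_domain(qname):
    # Naive: last two labels. Production code would consult the Public Suffix List.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def profile(log_text):
    """Aggregate per registered domain: query count, distinct subdomains, and the
    summed length and entropy of each query's longest label."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0})
    for line in log_text.splitlines():
        _client, qname, _qtype = line.split()
        dom = registered_domain(qname)
        sub = qname.lower()[: -len(dom) - 1] if qname.lower() != dom else ""
        longest = max(sub.split("."), key=len)
        s = stats[dom]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(longest)
        s["ent"] += shannon_entropy(longest)
    return stats

def suspicious(stats, allowlist=(), min_label=30, min_entropy=3.0):
    """Flag domains whose queries look like encoded payloads: long, high-entropy,
    mostly unique subdomains. Known services (e.g. AV hash lookups) are allowlisted."""
    flagged = []
    for dom, s in stats.items():
        if dom in allowlist:
            continue
        avg_len, avg_ent = s["len"] / s["n"], s["ent"] / s["n"]
        unique_ratio = len(s["subs"]) / s["n"]
        if avg_len >= min_label and avg_ent >= min_entropy and unique_ratio > 0.8:
            flagged.append(dom)
    return sorted(flagged)
```

Run without an allowlist, the detector flags both the tunnel domain and the vendor's hash-lookup domain, which is exactly the false-alarm situation the article describes; an allowlist of sanctioned services is what separates the two.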

Organizations are increasingly striving to protect their DNS as its importance becomes more evident, recognizing how much extraneous DNS traffic persists within their networks.

While it may be overly optimistic to anticipate the practice to cease altogether, efforts could be directed towards persuading IT vendors and manufacturers to minimize reliance on it, ultimately simplifying the task of securing this valuable yet vulnerable protocol.
