The Domain Name System (DNS) is one of the most important services in many IP-based networks


DNS is a basic protocol that allows applications such as web browsers to operate on domain names. It was not designed to carry command channels or general-purpose tunnels, yet several utilities have been developed to tunnel traffic over DNS. Because DNS is not meant for general-purpose data transfer, it receives less attention from security monitoring than other protocols. As a result, DNS tunneling that goes undetected poses a significant security risk to enterprises.


The Domain Name System (DNS) is an important protocol used by web browsing and email to allow these applications to use names such as instead of IP addresses. Because the protocol is not intended for data transfer, DNS can be overlooked as a channel for malicious communications or data exfiltration. Most organizations today are still poorly positioned against DNS-based attacks: many have little or no monitoring of their DNS traffic and instead focus resources on web or email traffic, since those are more commonly used as attack vectors.

DNS tunneling poses a significant threat, but there are methods to detect it early. DNS tunnels can be detected either by analyzing a single DNS payload or by traffic analysis, which considers the number and frequency of requests. Payload analysis detects malicious activity from a single request: attributes such as domain length, number of bytes and content can be turned into detection rules. Detection of unusual record types such as TXT can also serve this purpose. The other method for early detection is traffic analysis.

Traffic analysis, by contrast, works on the basis of multiple requests and the traffic as a whole to detect malicious activity. Attributes that can be used for traffic analysis include DNS traffic volume, number of hostnames per domain, geographic location and domain history.
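As an added example (not code from the original article), the following Python script applies both detection approaches described above to a small, constructed DNS query log. Payload analysis scores each query on its own (name length, label length, character entropy of the subdomain part, record type); traffic analysis aggregates queries per registered domain and flags domains where nearly every query names a new hostname. The thresholds, the "last two labels" rule for the registered domain, and the sample names (the `tunnel-example.test` domain and its base32-looking labels are made up) are all assumptions chosen for illustration.

```python
"""Payload and traffic analysis over a small, constructed DNS query log."""
import math
from collections import Counter, defaultdict

# Thresholds are illustrative assumptions, not values from the article; tune per environment.
MAX_QNAME_LEN = 52        # flag full query names longer than this
MAX_LABEL_LEN = 30        # flag any single subdomain label longer than this
ENTROPY_THRESHOLD = 3.0   # bits per character of the subdomain part
UNUSUAL_QTYPES = {"TXT", "NULL"}  # record types rarely requested by ordinary endpoints

# Constructed sample log: (client_ip, qname, qtype). Not a real capture.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.6", "www.example.com", "AAAA"),
    ("10.0.0.7", "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t1.tunnel-example.test", "TXT"),
    ("10.0.0.7", "nbswy3dpeb3w64tmmq5gi3dpebzwk3djobxgk5dq.t1.tunnel-example.test", "TXT"),
    ("10.0.0.7", "knqwy3djojxw4zlonfzxi3lpnqwwc3tpn5uxizltn5sgk3tdmvzq.t1.tunnel-example.test", "TXT"),
    ("10.0.0.7", "mnqw4idcmuqgc2lsebwgs3tfebzwk5bamnxw4zlsmvzq.t1.tunnel-example.test", "TXT"),
]


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for empty text or a one-character alphabet."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Return (subdomain_labels, registered_domain).

    Simplification (assumption): the registered domain is the last two labels.
    A real deployment would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def payload_rules(qname, qtype):
    """Payload analysis: the set of rule names a single query triggers."""
    sub_labels, _ = split_name(qname)
    triggered = set()
    if len(qname) > MAX_QNAME_LEN:
        triggered.add("long_qname")
    if any(len(label) > MAX_LABEL_LEN for label in sub_labels):
        triggered.add("long_label")
    if shannon_entropy("".join(sub_labels)) > ENTROPY_THRESHOLD:
        triggered.add("high_entropy")
    if qtype.upper() in UNUSUAL_QTYPES:
        triggered.add("unusual_qtype")
    return triggered


def traffic_summary(queries):
    """Traffic analysis: per registered domain, query volume, distinct hostnames and clients."""
    hostnames, clients, volume = defaultdict(set), defaultdict(set), Counter()
    for client, qname, _ in queries:
        _, domain = split_name(qname)
        volume[domain] += 1
        hostnames[domain].add(qname.lower())
        clients[domain].add(client)
    return {d: {"queries": volume[d], "hostnames": len(hostnames[d]), "clients": len(clients[d])}
            for d in volume}


def flag_traffic(summary, min_queries=3, min_hostnames=3):
    """Domains with enough volume and many distinct hostnames (one fresh name per query)."""
    return sorted(d for d, s in summary.items()
                  if s["queries"] >= min_queries and s["hostnames"] >= min_hostnames)


if __name__ == "__main__":
    for client, qname, qtype in SAMPLE_QUERIES:
        rules = payload_rules(qname, qtype)
        if rules:
            print(f"{client} {qtype:5} {qname}  <- {', '.join(sorted(rules))}")
    summary = traffic_summary(SAMPLE_QUERIES)
    for domain in flag_traffic(summary):
        print(f"traffic: {domain} {summary[domain]}")
```

Run against the constructed log, the three `example.com` queries trigger no payload rule and the domain is not flagged (two hostnames across three queries), while each `tunnel-example.test` query trips every payload rule and the domain is flagged because all four queries carry a different hostname. Legitimate TXT lookups (SPF checks by a mail server, for instance) will trip the record-type rule alone, which is why payload rules are best combined with the traffic view rather than alerted on individually.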

DNS Overview

The Domain Name System (DNS) is a critical protocol and service on the Internet. Its basic function is to map domain names to IP addresses. For example, a user enters a domain name (e.g. into their web browser, whereupon DNS performs a forward lookup to find one or more IP addresses for that domain name. The record returned by this lookup is an “A” record. The user’s network stack can then send HTTP traffic to the destination IP address. The DNS protocol is continually extended with new features. Although there are earlier RFCs, the core functionality of DNS is defined in RFCs 1034 and 1035, and more than 20 further RFCs describe additional functionality.

DNS has over 30 record types, several of which are critical to providing core Internet services. As mentioned earlier, the “A” record maps a domain name to an IPv4 address, and the “AAAA” record maps a domain name to an IPv6 address. The “CNAME” record maps a domain name to its canonical name. The “MX” record defines the mail servers for a domain, and the “NS” record defines its authoritative name servers. The “PTR” (pointer) record maps an IP address back to its domain name, commonly referred to as a reverse lookup. The “TXT” record returns free-form text data and is used for specific purposes such as the Sender Policy Framework (SPF) for anti-spam.

DNS communicates over both UDP port 53 and TCP port 53. UDP is used by default; TCP is used for zone transfers and for payloads larger than 512 bytes. There is also the “Extension Mechanisms for DNS”, or EDNS for short. If both hosts in a DNS exchange support EDNS, UDP payloads larger than 512 bytes can be used, which is why EDNS is a feature that can be used to increase the bandwidth available to a DNS tunnel.
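To make the 512-byte UDP limit and the EDNS extension concrete, here is an added example (not code from the original article) that builds a DNS query in the RFC 1035 wire format, optionally appends the EDNS OPT pseudo-record defined in RFC 6891, and parses the message back, reporting the UDP payload size the query advertises. A monitoring sensor that logs this value alongside message sizes can see when clients negotiate far larger UDP payloads than a typical stub resolver would. The query name `www.example.com`, the transaction ID and the 4096-byte EDNS size are constructed values.

```python
"""Build and parse a DNS query message, including the EDNS(0) OPT pseudo-RR."""
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 41: "OPT"}
TYPE_CODES = {name: code for code, name in TYPE_NAMES.items()}
CLASSIC_UDP_LIMIT = 512   # RFC 1035 maximum UDP payload when no EDNS is negotiated
OPT_TYPE = 41


def encode_name(name):
    """Encode a dotted name as length-prefixed labels terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1-63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a name at `offset`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # 11xxxxxx: 14-bit pointer into the message
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_query(qname, qtype="A", edns_udp_size=None, txid=0x1234):
    """Standard recursive query; with edns_udp_size set, add an OPT RR in the additional section."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD only
    message = header + encode_name(qname) + struct.pack("!HH", TYPE_CODES[qtype], 1)
    if edns_udp_size is not None:
        # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS field carries the requestor's
        # UDP payload size, TTL field carries extended RCODE/version/flags (zero), empty RDATA.
        message += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return message


def parse_message(data):
    """Parse header, questions and all RRs; report the EDNS UDP size if an OPT RR is present."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", data, 0)
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack_from("!HH", data, offset)
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, str(qtype))))
    edns_udp_size = None
    for count, is_additional in ((ancount, False), (nscount, False), (arcount, True)):
        for _ in range(count):
            _, offset = decode_name(data, offset)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
            offset += 10 + rdlen                 # fixed RR fields plus RDATA
            if is_additional and rtype == OPT_TYPE:
                edns_udp_size = rclass           # CLASS of the OPT RR is the UDP payload size
    return {
        "id": txid,
        "flags": flags,
        "questions": questions,
        "edns_udp_size": edns_udp_size,
        "udp_limit": edns_udp_size if edns_udp_size is not None else CLASSIC_UDP_LIMIT,
        "length": len(data),
    }


if __name__ == "__main__":
    for size in (None, 4096):
        info = parse_message(build_query("www.example.com", "TXT", edns_udp_size=size))
        print(f"{info['length']:3d} bytes, EDNS size {info['edns_udp_size']}, "
              f"effective UDP limit {info['udp_limit']}")
```

The plain query is 33 bytes; the OPT record adds 11 bytes but raises the negotiated UDP limit from 512 to 4096, so responses that would otherwise be truncated and retried over TCP can stay on UDP. The parser also follows compression pointers, so the same `decode_name` works on responses captured from the wire.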

DNS is a hierarchical system; each level in the hierarchy can be provided by a different server with different ownership. For the Internet, there are 13 root DNS servers, labeled “A” through “M.” However, these are represented by many more than 13 physical servers. The hierarchical nature of DNS can be explained with an example. Suppose a request is made for the IP address of a domain named A request is first routed to the root servers to find out which server controls the .com top-level domain. The .com server provides the server that controls the domain. Next, the DNS server provides information about the server that controls the domain. Finally, the DNS server provides the IP address for

With this hierarchical system, a domain owner defines the name servers for their domain, and therefore controls the final destination of DNS queries for that domain. In an enterprise, endpoints never make DNS queries to the Internet directly; instead, internal DNS servers provide DNS service to the endpoints. However, because DNS forwards queries until an authoritative name server is reached, an attacker who has gained access to an internal endpoint can exploit the corporate DNS infrastructure to establish a DNS tunnel to a domain under the attacker’s control.

It is important to remember that DNS responses are cached. Every DNS response carries a Time to Live (TTL), and an intermediate server that receives the response may cache the result for that period. When an identical query arrives within the TTL, the cached result is returned and no new lookup needs to be performed.
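The following is an added example (not code from the original article) that models the caching behaviour just described: an intermediate server stores each answer with an absolute expiry derived from the TTL and only asks upstream again once that expiry has passed. The query name, the answer `192.0.2.10` (from the documentation address range) and the deterministic `FakeClock` are constructed for the simulation.

```python
"""Resolver-side caching with TTL expiry, simulated against a controllable clock."""
import time


class FakeClock:
    """Deterministic clock so the simulation does not depend on wall time (constructed helper)."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DnsCache:
    """Minimal TTL cache keyed on (qname, qtype), as an intermediate DNS server would keep."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}      # (qname, qtype) -> (rdata, absolute expiry time)
        self.hits = 0
        self.misses = 0

    def store(self, qname, qtype, rdata, ttl):
        # The TTL from the response becomes an absolute deadline at insertion time.
        self._entries[(qname.lower(), qtype)] = (rdata, self._clock() + ttl)

    def lookup(self, qname, qtype):
        key = (qname.lower(), qtype)
        entry = self._entries.get(key)
        if entry is None or entry[1] <= self._clock():
            # Missing or expired: evict and signal that an upstream lookup is needed.
            self._entries.pop(key, None)
            self.misses += 1
            return None
        self.hits += 1
        return entry[0]


def simulate_resolver(ttl, interval, repeats):
    """Count upstream lookups when the same query arrives `repeats` times, `interval`
    seconds apart, and every upstream answer carries the given `ttl` (seconds)."""
    clock = FakeClock()
    cache = DnsCache(clock=clock.now)
    upstream_lookups = 0
    for _ in range(repeats):
        if cache.lookup("www.example.com", "A") is None:
            upstream_lookups += 1
            cache.store("www.example.com", "A", "192.0.2.10", ttl)  # constructed answer
        clock.advance(interval)
    return upstream_lookups


if __name__ == "__main__":
    for ttl in (300, 30, 0):
        print(f"TTL {ttl:3d}s: {simulate_resolver(ttl, 10, 7)} upstream lookups for 7 queries")
```

With a 300-second TTL, seven queries ten seconds apart cost a single upstream lookup; with a 30-second TTL the cache must be refreshed every third query; with a TTL of zero nothing is cacheable and every query reaches the authoritative server. That last case is the one that matters for the preceding discussion: a tunnel only works if each of its queries actually travels to the attacker's name server, so the intermediate cache must never be able to answer them.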