Brian Jackson - Fotolia

Evidence of DNS tunnelling in two-fifths of business networks

Cyber criminals are capitalising on the failure of many businesses to examine their DNS traffic for malware insertion and data exfiltration, according to Infoblox

Two-fifths of business networks show evidence of DNS tunnelling, the latest security report from network control firm Infoblox reveals.

DNS tunnelling is a technique used to send and receive data packets over the domain name system (DNS) that is designed to translate domain names such as computerweekly.com into IP addresses such as 206.19.49.154, and consequently has no inherent security or monitoring capability.

DNS tunnelling activity is a significant security threat that can indicate malware or data exfiltration within a network, according to the company’s security assessment report for the second quarter of 2016.

The report said 559 files capturing DNS traffic were uploaded to Infoblox for assessment from 248 customers across a wide range of industries and geographies. Evidence of suspicious DNS activity, such as attempting to reach known malicious internet locations, was present in 66% of the files.

Tunnelling trend

The prevalence of DNS tunnelling is one of the trends that stands out in the quarter, the report said, noting that cyber criminals know that DNS is a well-established and trusted protocol, and that many organisations do not examine their DNS traffic for malicious activity.

DNS tunnelling enables cyber criminals to insert malware or pass stolen information into DNS queries, creating a covert communication channel that bypasses most firewalls, the report said.

While there are quasi-legitimate uses of DNS tunnelling, many instances are malicious. There are several off-the-shelf tunnelling toolkits readily available on the internet that enable cyber criminals with relatively little technical expertise to mount DNS tunnelling attacks.

Cocktail ingredient

According to Infoblox, DNS tunnelling is often an element in very sophisticated attacks, including those sponsored or directly managed by nation states. For example, the recently uncovered Project Sauron – a particularly advanced threat likely to have been sponsored by a government – uses DNS tunnelling for data exfiltration. 

“In the physical world, burglars will go to the back door when you’ve reinforced and locked the front door. When you then secure the back door, they’ll climb in through a window,” said Rod Rasmussen, vice president of cyber security at Infoblox.

“Cybersecurity is much the same. The widespread evidence of DNS tunnelling shows cyber criminals at all levels are fully aware of the opportunity. Organisations can’t be fully secure unless they have tools in place to discover and prevent DNS tunnelling.”

The specific security threats uncovered by Infoblox during the second quarter, ranked by percentage, include:

“While these threats are serious, DNS can also be a powerful security enforcement point within the network,” Rasmussen pointed out.

“When suspicious DNS activity is detected, network administrators and security teams can use this information to quickly identify and remediate infected devices, and can use DNS firewalling as well to prevent malware inside the network from communicating with command-and-control servers,” he said.

Read more about DNS security

  • Thirty years after creating the internet’s domain name system, co-creator Paul Mockapetris talks about addressing internet challenges with a more secure DNS.
  • Third-party DNS providers claim to improve browsing times and speeds, but are they a secure enterprise option? Expert Michael Cobb explains.
  • Cloud customers need to make sure cloud providers are taking steps to secure their DNS infrastructure, including DNSSEC-signed zones.
  • Network control supplier Infoblox expands into security with a DNS firewall and a firewall management product, and adds a branch Trinzic box.

Read more on Hackers and cybercrime prevention