
DNS tunneling

(also DNS attack)

DNS tunneling definition

DNS tunneling is a technique for bypassing network restrictions by encapsulating unauthorized or non-standard data within DNS queries and responses. While it can be used for legitimate purposes, attackers can also use it to route DNS requests to their own servers, which gives them a covert command and control channel and a data exfiltration path.

Since DNS traffic is often allowed through firewalls and other security measures, attackers can exploit this protocol to hide their malicious activities. With DNS tunneling, attackers can take control of remote servers and apps, exfiltrate data, and bypass network restrictions, which makes it a dangerous attack.

See also: DNS redirection, DNS hijacking

DNS tunneling protection

DNS filtering system. A DNS filtering system can help you monitor, detect, and block malicious DNS requests. Attackers usually infect devices with malware through DNS requests, so by monitoring them, you can reduce the risk of DNS tunneling significantly. Your DNS filtering system should include, for example, a phishing attack identification program, programs that can detect DGAs (domain generation algorithms), programs that can detect atypical DNS traffic patterns, or a blocklist of DNS requests.

Create an allowlist of apps. By creating an allowlist of apps, you tell your system which apps can be installed and prevent unwanted apps from reaching it.

Use anti-malware. Using anti-malware software will help you protect yourself from malware, which is the most common way attackers conduct DNS tunneling attacks.
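
The "atypical DNS traffic patterns" check mentioned under DNS filtering can be sketched as follows. This is an added example, not code from the original page: it groups queried names by parent zone and flags zones that receive many distinct, long, high-entropy labels. The sample queries, the thresholds and the function names are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of queried names (not real traffic). The last six share
# one parent zone and carry long, random-looking leftmost labels.
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "cdn.example.net",
    "api.example.org", "www.example.com",
] + [label + ".t.tunnel.example" for label in (
    "mzxw6ytboi4dcmrtgq2tmnzy", "nbswy3dpeb3w64tmmqqho2lu",
    "orugs4zanfzsaylomfwca3ds", "kruw4zjamfzgkidbonqwy5dj",
    "ifwgs3thebsxqyloobwgk4dm", "onxw2zjaorugs3thebqxg5bo",
)]


def shannon_entropy(text):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def find_tunnel_candidates(queries, min_unique=5, min_len=20, min_entropy=3.5):
    """Group queries by parent zone and flag zones whose labels look encoded.

    The parent zone is taken as the last two labels, a simplification; a real
    deployment would use the Public Suffix List. Thresholds are assumed
    starting points to tune against your own baseline traffic.
    """
    labels_by_zone = defaultdict(set)
    for name in queries:
        labels = name.rstrip(".").lower().split(".")
        zone, sub = ".".join(labels[-2:]), labels[:-2]
        if sub:
            # Keep the longest label: tunnels pack their payload into it.
            labels_by_zone[zone].add(max(sub, key=len))
    flagged = {}
    for zone, subs in labels_by_zone.items():
        avg_len = sum(map(len, subs)) / len(subs)
        avg_entropy = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_len and avg_entropy >= min_entropy:
            flagged[zone] = {"unique_labels": len(subs),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for zone, stats in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(zone, stats)
```

Content delivery networks and some security products also generate long, unique subdomains, so flagged zones are candidates for review rather than confirmed tunnels.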