What is DNS tunneling, and what are its dangers?

The last thing that a business owner wants to happen within their organization is a data breach, especially now that cybercriminals are constantly coming up with new ways to steal sensitive data such as customer information and intellectual property (IP).

But even after businesses have implemented a myriad of data security solutions such as cloud security, antivirus software, and the like, some cybercriminals are still able to infiltrate those defenses. And one way they’re doing this is through DNS tunneling.

What is DNS tunneling?

First of all, let’s define what DNS is. DNS is short for Domain Name System, the naming system for computers connected to the internet. It translates human-readable domain names (the host names that appear in uniform resource locators, or URLs) into internet protocol (IP) addresses.

For example, when you visit our website in a web browser like Chrome or Firefox, DNS automatically translates the web address into an IP address, which the browser then uses to open the page. If the machine doesn’t already know the IP address of the website the user typed in, it sends a query to the organization’s local DNS server, which works out where to find the answer. This lookup process is what cybercriminals are exploiting to attack unsuspecting users.

DNS tunneling is a method of sending data over the DNS protocol, which was never intended to carry it. Cybercriminals are taking advantage of this for their own nefarious purposes.

The technique was originally devised as a way to bypass captive portals and gain free internet access on restricted networks. Legitimate tools such as Iodine and DNSCat2 are readily available for anyone to download.

However, once cybercriminals realized that DNS isn’t as well guarded as other parts of IT networks, they began exploiting it for command and control (C&C) and/or data exfiltration. According to a recent study by EfficientIP, DNS tunneling attacks in the UK rose 105% in 2018 alone.

How does it work?

Typically, in a corporate setup, firewalls inspect traffic and block suspicious connections to or from particular IP addresses or server ports. This protects company data and keeps users from leaking it, whether accidentally or intentionally. One way around this is to abuse DNS, which firewalls almost always allow through, to create a secret “tunnel” that exfiltrates sensitive data from the victim’s system without the firewall ever noticing.

From the attacker’s perspective, they first need a domain of their own, such as www.evilwebsite.com, along with a DNS server they control. Once these are set up, the attacker delegates a subdomain such as sub.evilwebsite.com and configures their machine as that subdomain’s authoritative DNS server, so every query for a name under it ends up at the attacker.

At this point, the hacker creates a covert communication channel between the victim’s device, which runs a tunnel program, and the attacker’s DNS server. To get there they might launch a phishing attack that includes a rogue link leading to a spoofed copy of a legitimate service. Let’s say a link that reads www.legitimateservice.com/account actually leads to the hacker’s infrastructure at data.sub.evilwebsite.com, where the data label encodes the victim’s sensitive information.

Once this query reaches the attacker’s machine, the hacker’s tunneling tool sends a DNS response in return that instructs the tunnel program to gather more data from the victim’s system. The attacker now has two-way communication with the victim’s machine and can transfer files out of the network or take complete remote control of the compromised system.

If left undetected, DNS tunneling can become a serious problem for business owners, who may only realize what happened once their sensitive files have already been taken by cyberthieves.

How can I prevent it from happening to my business?

A firewall alone is no longer enough to isolate an internal network and keep it safe, since attackers now use DNS tunneling as a loophole to steal confidential data. To combat it, invest not only in effective network security but also in endpoint protection. This ensures that laptops, tablets, smartphones, and other mobile devices don’t become the catalyst for data theft within your organization.

Additionally, your IT department can block known malicious domains: if one of your employees opens a bad domain, the connection is terminated instantly. DNS filtering services such as Cloudflare and OpenDNS can help with this. Alternatively, traffic analysis tools can detect a sudden spike in DNS activity.
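A starting point for the traffic-analysis approach mentioned above, as an added example that is not part of the original post: a Python script that groups DNS queries by domain and flags domains whose query names are long, high-entropy and almost never repeated, the profile that the data.sub.evilwebsite.com pattern described earlier produces. It goes a step beyond counting query volume; the log format and every query line below are constructed, and real resolver logs need a matching parser.

```python
import math
from collections import defaultdict

# Constructed resolver log sample, one query per line: "<client> <qtype> <qname>".
# Real resolver logs (BIND, Unbound, Windows DNS) need a format-specific parser.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA www.example.com
10.0.0.5 A mail.example.com
10.0.0.9 A cdn.example.com
10.0.0.7 TXT a7c3e9f1b5d208464fd6e2c8b0a97351f3e5d7b9.sub.evilwebsite.com
10.0.0.7 TXT d208464fd6e2c8b0a97351f3e5d7b9a7c3e9f1b5.sub.evilwebsite.com
10.0.0.7 TXT 9b7d5e3f15379a0b8c2e6df464802d5b1f9e3c7a.sub.evilwebsite.com
10.0.0.7 TXT 6df464802d5b1f9e3c7a9b7d5e3f15379a0b8c2e.sub.evilwebsite.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far above real words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname: str) -> str:
    # Approximation: last two labels (a public-suffix list is needed for co.uk etc.)
    return ".".join(qname.split(".")[-2:])

def find_tunnel_candidates(log_text, min_queries=3, min_len=40, min_entropy=3.0):
    """Flag base domains whose queries are long, high-entropy and rarely repeated."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "len": 0, "ent": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                       # skip malformed lines
        qname = parts[2].rstrip(".").lower()
        s = stats[base_domain(qname)]
        s["n"] += 1
        s["names"].add(qname)
        s["len"] += len(qname)
        s["ent"] += shannon_entropy(qname.split(".")[0])   # leftmost label carries payload
    flagged = {}
    for dom, s in stats.items():
        if s["n"] < min_queries:
            continue                       # too few queries to judge
        avg_len, avg_ent = s["len"] / s["n"], s["ent"] / s["n"]
        unique_ratio = len(s["names"]) / s["n"]   # tunnels never re-ask the same name
        if avg_len >= min_len and avg_ent >= min_entropy and unique_ratio > 0.9:
            flagged[dom] = {"queries": s["n"], "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Thresholds should be tuned against a baseline of your own resolver logs, since CDNs and some security products also generate long, random-looking names.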

With the rapid rise of internet-capable devices today, endpoint protection is becoming an alarming concern for most businesses. Let Binatech handle your IT and ensure that your network traffic is monitored at all times so you can have security and peace of mind. Call today.