DNS resolver Archives - ClouDNS Blog
https://www.cloudns.net/blog/tag/dns-resolver/
Articles about DNS Hosting and Cloud Technologies

DNS Tunneling attack – What is it, and how to protect ourselves?
https://www.cloudns.net/blog/dns-tunneling-attack-what-is-it-and-how-to-protect-ourselves/
Wed, 07 Aug 2024 08:58:04 +0000

A DNS Tunneling attack turns the Domain Name System (DNS), a highly trusted and widely used system on the Internet, into a weapon for cybercriminals. This type of attack takes advantage of the protocol and manages to sneak malicious traffic through the defenses of the organization (victim).

Cybercriminals are using malicious domain names and DNS servers to bypass the protection and complete data exfiltration.

Before we jump into explaining what the DNS tunneling attack is and how it works, let’s talk a little bit more about what DNS is.

Domain Name System – explained

The Domain Name System, or DNS for short, is a global naming database. Thanks to it, we are able to use the Internet as we do in the present day. Its purpose is to translate human-readable domain names, such as example.net, into their corresponding machine-friendly IP addresses, such as 123.45.67.89. That way, regular users are not required to remember long and difficult numbers. Instead, people can easily memorize domain names and use them to reach and explore their favorite news, sports, or other websites.

A lot of services rely on the large number of DNS translation queries that appear constantly. For that reason, DNS traffic is widely used and trusted. Because DNS was designed for name resolution and not for transferring data packets, it was not viewed as a threat for malicious communications and data exfiltration. Yet, DNS is not just a translation instrument for domain names. DNS queries can also transfer tiny portions of data between two devices, systems, and servers. The bad news is that this makes DNS a potential vector for attacks.

Unfortunately, the majority of organizations do not frequently analyze DNS packets for malicious activity. Instead, they mainly concentrate on analyzing web or email traffic, where they consider a possible attack could appear. The truth is that each endpoint should be under detailed monitoring to prevent DNS tunneling attacks.

DNS Tunneling – what do you have to know?

DNS Tunneling attack is a very popular cyber threat because it is very difficult to detect. It is used to route the DNS requests to a server controlled by the attacker and provides them with a covert command and control channel and data exfiltration path.

Typically, DNS tunneling involves data payloads that are added to the target DNS server. Additionally, they are used to gain control of a remote server and applications. Moreover, for the purpose of this attack, the compromised system should be connected to an external network to gain access to an internal DNS server with network access. Cybercriminals control a domain name and a server that operates as an authoritative server, which they use to run the server-side tunneling and data payload executable programs.


DNS Tunneling History

DNS tunneling history is closely related to the evolution of cybersecurity threats. It appeared as a technique for bypassing network restrictions and avoiding detection. At first, it was used for legitimate purposes like bypassing restrictive networks or anonymous online activity. However, DNS tunneling slowly became popular among malicious actors as a secret communication channel for data exfiltration and command-and-control purposes. The first examples of this attack appeared in the early 2000s and were often associated with malware propagation. Over the years, attackers have become more sophisticated, and their techniques have evolved. That forced cybersecurity specialists to develop advanced monitoring and prevention mechanisms to protect against it.

How does it work?

A DNS tunneling attack takes advantage of the DNS protocol to tunnel malware or data through a client-server model. Let’s explain how this attack actually works.

It all starts when a user downloads malware or the cybercriminal manages to exploit a vulnerability of the compromised device to transfer a malicious payload. In most cases, the cybercriminal wants to keep a connection with the compromised device, meaning to have the opportunity to run commands on the target device or exfiltrate data. Therefore, the attacker can set a command-and-control (C2) connection. Such traffic should be able to pass via different network perimeter security measures, plus it should avoid detection until it crosses the target network. 

For that reason, DNS is a suitable option for setting up the tunnel. A tunnel is a common term in cybersecurity for a protocol connection that carries a payload that includes data (commands) and passes through perimeter security measures. That way, the DNS tunneling attack manages to hide information within DNS queries and send them to a server controlled by the cybercriminal. The DNS traffic passes freely through perimeter security measures, such as firewalls. To set up the DNS tunnel, the cybercriminal registers a domain name and configures an authoritative name server under their control.

Then the malware or payload on the compromised device initiates a DNS query for a subdomain that carries an encoded communication. The Recursive DNS server (DNS resolver) receives the DNS query and routes it to the attacker’s server. The server responds with a malicious DNS response that carries data (a command) back to the compromised device. That way, the attack passes without triggering any security measures.


Let’s break the DNS Tunneling attack into the following steps:

  1. The cybercriminal registers a domain and points it to a server under their control. Tunneling malware software is installed on that server.
  2. The cybercriminal infects a device with malware, penetrating the victim’s firewall. DNS requests are not restricted from passing in and out of the firewall.
  3. The Recursive DNS server (DNS resolver) requests the IP address through root and top-level domain servers.
  4. Then the DNS resolver routes the DNS query back to the authoritative DNS server, which is controlled by the attacker and contains the tunneling software. 
  5. The connection between the cybercriminal and the target is created without any notice.

Why do Attackers Use DNS Tunneling?

Attackers use DNS tunneling to exploit the widespread and often under-monitored nature of DNS traffic. This attack allows them to secretly transmit data between a compromised system and a command-and-control server. Since DNS queries and responses are generally trusted and rarely scrutinized, this technique can easily bypass firewalls and other security measures. DNS tunneling allows attackers to maintain persistent access, execute remote commands, and exfiltrate sensitive data without detection. The global reach and minimal inspection of DNS make it an ideal medium for hidden communication and data transfer.

Detecting DNS Tunneling

There are several techniques that can help you detect a DNS tunneling attack. However, we can distinguish them into two main categories – payload analysis and traffic analysis.

Payload analysis – The DNS payload for one or more requests and responses is going to be examined for tunnel signs.

  • Examining the size of the request and answer. Typically, DNS tunneling utilities try to place as much data as possible into the requests and answers. Therefore, tunneling requests are more likely to have long labels, up to 63 characters, and long overall names, up to 255 characters.
  • Disorder of hostnames. Authentic DNS names commonly contain dictionary words and have some kind of meaning. Encoded names usually look disordered, and they also use a larger set of characters.
  • Statistical Examination. You can detect tunneling by checking the specific character makeup of the DNS names. Authentic DNS names commonly contain few numbers. On the other hand, encoded names tend to have a lot of numbers. Examining the percentage of numerical characters in domain names and the percentage of the length of the Longest Meaningful Substring (LMS) could also help you.
  • Uncommon DNS Record Types. You can check for DNS records that are not usually implemented by a regular client. For example, you can examine the TXT records.
  • Violating a policy. In case a policy directs every DNS lookup to pass through an internal DNS server, violations of that policy may be employed as a detection technique.
  • Special Signatures. You can use a special signature to examine precise attributes in a DNS header. Then scan for particular content in the payload.

Traffic analysis – The traffic is under examination over time.

  • Volume of DNS traffic per IP address. A simple and easy to accomplish technique is to check the specific amount of DNS traffic that is coming from a particular client IP address. 
  • Volume of DNS traffic per domain. Another method that is very easy and basic is by checking for massive amounts of traffic towards a precise domain name. DNS tunnel utilities are typically established to tunnel the data by involving a precise domain name. Therefore, all of the tunneled traffic is going to be that exact domain name.
  • The number of hostnames per domain. DNS tunneling utilities ask for an individual hostname on every request. As a result, the number of hostnames is unusually high compared to a normal authentic domain name.
  • Geographic location of DNS server. You can check for a massive amount of DNS traffic that is directed to geographical areas where you don’t offer your services or products.
  • The history of a domain. You can examine when an A record (AAAA record) or NS record was created and added to a domain name. That technique is very useful for detecting domain names that are utilized for malicious criminal actions.

Source: GIAC Certifications
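
The payload and traffic checks listed above can be combined into one scoring pass over resolver logs. The following Python code is an added example, not code from ClouDNS or the cited source; the thresholds, the (client, name, type) log format and every sample name and address are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for this example; tune them on your own traffic.
MAX_LABEL_LEN = 40          # DNS allows 63 per label; normal labels are far shorter
MIN_ENTROPY = 3.5           # bits per character in the subdomain part
MAX_DIGIT_RATIO = 0.3       # share of 0-9 characters in the subdomain part
MAX_HOSTS_PER_DOMAIN = 10   # unique hostnames seen under one domain
UNCOMMON_TYPES = {"TXT", "NULL"}
MIN_REASONS = 2             # one signal alone (e.g. a TXT lookup) is not reported


def shannon_entropy(text):
    """Bits per character; encoded data scores higher than dictionary words."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def split_name(qname):
    """Return (subdomain, domain). Naive: the domain is the last two labels.
    Production code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def payload_reasons(qname, rtype):
    """Payload analysis of a single query."""
    reasons = set()
    if any(len(label) > MAX_LABEL_LEN for label in qname.split(".")):
        reasons.add("long label")
    packed = split_name(qname)[0].replace(".", "")
    if len(packed) >= 20:  # statistics on very short strings are meaningless
        if shannon_entropy(packed) > MIN_ENTROPY:
            reasons.add("high entropy")
        if sum(c.isdigit() for c in packed) / len(packed) > MAX_DIGIT_RATIO:
            reasons.add("many digits")
    if rtype.upper() in UNCOMMON_TYPES:
        reasons.add("uncommon record type")
    return reasons


def analyze(log):
    """Combine payload analysis with per-domain traffic analysis."""
    reasons = defaultdict(set)
    hostnames = defaultdict(set)
    clients = defaultdict(Counter)
    for client, qname, rtype in log:
        _, domain = split_name(qname)
        hostnames[domain].add(qname.lower())
        clients[domain][client] += 1
        reasons[domain] |= payload_reasons(qname, rtype)
    for domain, names in hostnames.items():
        if len(names) > MAX_HOSTS_PER_DOMAIN:
            reasons[domain].add("many unique hostnames")
    return {
        domain: {
            "reasons": sorted(found),
            "top_client": clients[domain].most_common(1)[0][0],
        }
        for domain, found in reasons.items()
        if len(found) >= MIN_REASONS
    }


def build_sample_log():
    """Constructed log: ordinary lookups plus 15 tunnel-like TXT queries."""
    log = [
        ("10.0.0.5", "www.example.net", "A"),
        ("10.0.0.5", "mail.example.net", "MX"),
        ("10.0.0.6", "example.net", "TXT"),   # legitimate TXT lookup, one signal only
        ("10.0.0.7", "news.example.org", "A"),
        ("10.0.0.7", "cdn.example.org", "AAAA"),
    ]
    for i in range(15):
        # Hex of a hash stands in for an encoded data chunk.
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:60]
        log.append(("10.0.0.9", f"{chunk}.t.tunnel-demo.example", "TXT"))
    return log


if __name__ == "__main__":
    for domain, info in analyze(build_sample_log()).items():
        print(domain, info)
```

Requiring at least two independent signals keeps a single legitimate TXT lookup from being reported, while the constructed tunnel domain is reported together with the client that generated most of its queries.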

Protection against DNS Tunneling attacks

DNS is a crucial service, so it is going to be a problem if you are considering blocking it. Thus, protection against a DNS Tunneling attack involves several actions that are going to help you prevent such an attack.

  • You should keep a close watch on and track questionable IP addresses and domain names that come from unfamiliar sources.
  • You can set all of the internal clients to direct their DNS requests (DNS queries) to an internal DNS server. That way, you can filter potential malicious domains. 
  • It is very important to stay watchful for any suspicious domain names, and it is best if you always monitor the DNS traffic. That will help reduce the chance for a DNS tunneling attack to appear.
  • Establish a DNS firewall for recognizing and stopping any hacker intrusion.
  • A real-time DNS solution that is able to detect uncommon DNS queries and unusual traffic patterns on the DNS server is another excellent option.

Using DNS Monitoring against DNS tunneling

DNS Monitoring can be crucial in mitigating the risks of DNS tunneling by providing real-time visibility into DNS traffic patterns and behavior. By constantly analyzing DNS queries and responses, DNS monitoring can detect anomalies and suspicious activities that indicate tunneling attempts. This proactive monitoring allows organizations to quickly identify and respond to potential threats, such as secret data exfiltration and command and control communications before they escalate. Additionally, the ClouDNS Monitoring service offers different alerting mechanisms that notify administrators of any unusual DNS activities. That way, they can take timely action to investigate and block malicious traffic. Thanks to the extensive monitoring capabilities, organizations can strengthen their DNS infrastructure and improve their ability to defend against different threats, including DNS tunneling.

Risks and Impact of DNS Tunneling

DNS tunneling attack poses several significant risks to organizations:

  • Data Breaches: Attackers can exfiltrate sensitive information, including personal data, intellectual property, and financial records.
  • Unauthorized Access: Allows attackers to maintain hidden, persistent access to compromised systems.
  • Operational Disruption: Enables the execution of remote commands, potentially leading to system malfunctions or downtime.
  • Financial Loss: Costs associated with data loss, various fines, and restoration efforts can be significant.
  • Reputational Damage: Public exposure of breaches can harm an organization’s reputation, leading to loss of customer trust and business.
  • Detection Challenges: The nature of DNS tunneling makes it difficult to detect and mitigate, increasing the potential for long-term undetected exploitation.

Examples and Cases

Over the years, several famous examples of DNS tunneling have highlighted its power as a cyber threat:

  • Sea Turtle Campaign (2019)

The Sea Turtle campaign in 2019 highlighted the advanced tactics of state-sponsored cyber espionage. This campaign targeted domain registrars, telecommunications firms, and government entities to compromise their DNS records. Attackers manipulated DNS records to redirect legitimate traffic to malicious servers under their control. DNS tunneling played a key role in allowing the attackers to maintain persistent access, exfiltrate sensitive information, and establish C2 channels while remaining undetected.

  • SUNBURST Malware (2020)

The SUNBURST malware, a significant component of the SolarWinds supply chain attack in late 2020, demonstrated the sophistication of modern cyber threats. SUNBURST used DNS tunneling as one of its communication methods to establish contact with its C2 infrastructure. By embedding communication within DNS queries and responses, the malware achieved secret data exchange with remote servers. That way, attackers were able to exfiltrate stolen data and receive further instructions while avoiding detection by security measures focused on more traditional communication protocols.

  • UDPoS Malware (2015)

The UDPoS malware, discovered in 2015, demonstrated a variation of DNS tunneling where attackers used User Datagram Protocol (UDP) packets to exfiltrate stolen credit card data. The malware encoded the stolen information into DNS queries, which were then transmitted over UDP to avoid detection by traditional network security controls. This technique allowed the attackers to bypass network monitoring tools that usually focus on Transmission Control Protocol (TCP) traffic.


Conclusion

DNS tunneling is a severe cyber threat. It could lead to massive negative consequences. This is because the cybercriminal uses the tunnel for malicious ends, like exfiltrating information. In addition, there is no direct association between the cybercriminal and the target. That makes it hard to detect the attacker’s attempt.

What is a Recursive DNS server?
https://www.cloudns.net/blog/recursive-dns-server/
Tue, 05 Dec 2023 11:36:26 +0000

When you browse the internet, you don’t write IP addresses to go to the pages you want; you just write the domain. In the “backstage”, every request that you make passes through a DNS query. It first goes to your internet provider’s Recursive DNS server. If it can’t find the needed information in its cache, it will continue to other recursive servers until it gets to an Authoritative DNS server that can give the IP address of the required domain. Basically, it is a name server that is a middle-man between you, the user, and the Authoritative DNS server.

Recursive DNS server explained

The Recursive DNS server, also commonly called a DNS resolver, has the important responsibility of seeking requested data and responding to users’ DNS queries.

In computing, when we talk about recursion, it is clearly associated with a technique that aims to solve a particular problem. In addition, that involves a program or solution that continuously repeats itself until it reaches the desired goal.

A Recursive DNS server is positioned in the middle between the Authoritative DNS server and the end-users that initiate DNS requests. So, each time a user wants to visit and explore a particular website, they type its domain name into the address bar of the browser. From there, the Recursive DNS server receives the request and starts searching for the IP address (IPv4 or IPv6) that corresponds to the domain name. Shortly after the required IP address is found, the DNS resolver returns to the user’s device and provides the needed information. Then the browser on the user’s device (smartphone, laptop, computer, etc.) is able to connect and load the desired website.

The number of available Recursive DNS servers all over the world is significant. However, the most popular among them are the ones of the Internet service providers (ISP).

Tasks of the Recursive DNS server

The role of the DNS resolver is to complete one of the following tasks:

1. Checks if the IP address is stored in the cache memory. There is a certain period of time, pre-defined by the domain’s owner called Time to Live or TTL. It says for how long the Recursive server can hold the information. If it is still there, it will return the answer fast and won’t take further actions.
2. Searches for the IP address elsewhere. If it is not in the cache, it will continue the searching process until it gets to an Authoritative server which has the information.

How does it work?

The Recursive DNS server takes a very important role in the DNS resolution process. As we mentioned earlier, it operates between the user and the Authoritative DNS server. Yet, it completes several crucial tasks. Let’s summarize how it operates and what actions it performs in this vital process: 

  • The DNS resolver is the one that obtains the DNS query from the user.
  • It then asks the Root server about the location of the TLD (Top Level Domain) server.
  • The Recursive queries the TLD (Top Level Domain) server for information about which is the accountable Authoritative DNS server for the precise domain.
  • It makes a request to the Authoritative DNS server responsible for the particular domain. 
  • The Resolver gets back to the user and provides the requested data.
  • It caches the DNS information for further use.


The existence of Recursive DNS servers is crucial. This is because they support the Authoritative DNS servers, which would not otherwise be able to handle the workload by themselves. Additionally, DNS Resolvers distribute the load of the huge number of user requests and make the resolution of domain names way easier.


Recursion and Iteration: Explaining the Dynamic Duo

Recursion and iteration are two programming concepts that play a crucial role in the functionality of DNS servers, particularly recursive ones. Let’s explore these concepts:

  • Recursion 

Recursion, in the context of DNS, refers to the process where a DNS server, upon receiving a query for a domain name, doesn’t have the necessary information in its cache and initiates a series of requests to other DNS servers to resolve the query. Each subsequent request dives deeper into the DNS hierarchy until the authoritative DNS server for the queried domain is reached.

Imagine recursion as a detective following a trail of clues to solve a mystery. The DNS server starts with limited information, asking other servers for more details until it discovers the complete answer. This recursive process ensures that even if a DNS server doesn’t have the needed information, it can still find and deliver a response after consulting other authoritative sources.

  • Iteration

Iteration, on the other hand, involves repeating a set of instructions until a specific condition is met. In the DNS context, iteration occurs when a DNS server sends iterative queries to authoritative servers and, at each step, refines the search until it obtains the precise information needed to resolve a domain name.

Think of iteration as a systematic approach where the DNS server persistently refines its search, step by step, until it comes to the solution. This process allows for efficient querying, minimizing the chances of overwhelming authoritative servers with unnecessary requests.

  • Recursion and Iteration in Recursive DNS Servers

Recursive DNS servers blend recursion and iteration to navigate the complex DNS hierarchy. When a recursive DNS server receives a query, it first checks its cache to see if the information is available. If not, it starts a recursive process, reaching out to authoritative servers and using iteration to refine its search for the required data. This dynamic dance between recursion and iteration ensures that DNS queries are resolved quickly and accurately.
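
The cache check, the walk from Root to TLD to Authoritative server, and the mix of recursion and iteration described above, as an added example that is not ClouDNS code: a small in-memory model of a Recursive DNS server. The server names, the zone data and the 300-second TTL are constructed for illustration, and the clock is passed in as `now` so that TTL expiry is reproducible.

```python
MAX_REFERRALS = 10  # stop after this many hops so a referral loop cannot run forever

# Constructed name-server data. Each server maps a name to a reply:
#   ("NS", next_server)   a referral to a server closer to the answer
#   ("A", address, ttl)   the final answer with its Time to Live in seconds
SERVERS = {
    "root": {"net": ("NS", "tld-net")},
    "tld-net": {"example.net": ("NS", "ns1-example")},
    "ns1-example": {"www.example.net": ("A", "192.0.2.10", 300)},
}


class RecursiveResolver:
    def __init__(self, servers):
        self.servers = servers
        self.cache = {}      # qname -> (address, expires_at)
        self.upstream = 0    # number of queries sent to other servers

    def _ask(self, server, qname):
        """One iterative query: the server gives its best match or nothing."""
        self.upstream += 1
        zone = self.servers[server]
        labels = qname.split(".")
        for i in range(len(labels)):          # longest matching suffix first
            reply = zone.get(".".join(labels[i:]))
            if reply:
                return reply
        return ("NXDOMAIN",)

    def resolve(self, qname, now):
        """Return (address or None, list of servers contacted)."""
        qname = qname.lower().rstrip(".")
        cached = self.cache.get(qname)
        if cached and cached[1] > now:        # task 1: answer from cache
            return cached[0], []
        server, trace = "root", []            # task 2: search elsewhere
        for _ in range(MAX_REFERRALS):
            trace.append(server)
            reply = self._ask(server, qname)
            if reply[0] == "A":
                _, address, ttl = reply
                self.cache[qname] = (address, now + ttl)
                return address, trace
            if reply[0] == "NS":
                server = reply[1]             # follow the referral
                continue
            return None, trace                # name does not exist
        raise RuntimeError("too many referrals")


if __name__ == "__main__":
    resolver = RecursiveResolver(SERVERS)
    for t in (0, 100, 301):
        print(t, resolver.resolve("www.example.net", now=t))
```

Every hostname that is not in the cache is a miss, so a query for a never-seen subdomain always travels to the domain's authoritative server; negative caching of missing names is left out of this model.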

The Benefits of Recursive DNS Servers

Now that we’ve explained the meaning of recursion and iteration let’s explore the benefits that Recursive DNS servers bring to the table.

  • Enhanced Performance and Speed: Recursive DNS servers significantly improve the speed of DNS resolution. Maintaining a cache of previously resolved queries allows these servers to respond promptly to reappearing requests without crossing the entire DNS hierarchy again. This results in faster load times for websites and a smoother browsing experience for users.
  • Reduced Network Latency: With their ability to store and reuse resolved queries, Recursive DNS servers help minimize network latency. By reducing the time it takes to get information from authoritative servers, these servers contribute to quicker and more responsive internet connections.
  • Improved Security: Recursive DNS servers can protect users from malicious activities. Through features like DNS filtering and blocking known malicious domains, these servers safeguard against phishing attacks, malware, and other online threats. They can perform detailed checks and validations before serving DNS responses, adding an extra layer of security to the online experience.
  • Load Distribution and Balancing: Recursive DNS servers contribute to the efficient distribution of network traffic by balancing the load on authoritative servers. These servers reduce the load on the DNS infrastructure by caching and serving responses locally.
  • User Privacy: They can enhance user privacy by implementing features like DNS over HTTPS (DoH) or DNS over TLS (DoT). These encryption protocols add a layer of security, preventing unauthorized parties from intercepting and monitoring DNS requests.

Vulnerabilities

Cybercriminals are well aware of the importance of Recursive DNS servers. Unfortunately, they managed to use their vulnerabilities and initiate different malicious attacks. Some of the DNS resolvers are public, which makes them an easy target. Attackers often use DNS spoofing attacks or execute DDoS attacks in order to shut the servers down directly.

  • Recursive DNS servers and the amplified attacks

DNS Amplified Attacks are a very common threat on the Internet. They exploit the public Recursive DNS servers to generate high traffic and to damage the target.

  • Public (Open) recursive DNS

Leaving your Recursive DNS server public is dangerous. Such servers have minimal security and a visible IP address. This means that anyone, including cybercriminals, can easily access it and later use it as a botnet device to amplify their next attack.
Many network administrators don’t know their recursive servers are open, and this can lead to severe problems. If you are unsure about your DNS server, you can check it on this page: http://openresolverproject.org

  • Oversized packets

A threat that some attackers take advantage of is manipulating the query packets. They send multiple queries to recursive servers, but with modified IP addresses, directing all of the generated traffic towards the victims. They use many servers, and if the traffic is high, they can crush the victims’ servers.
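
One way to check whether a resolver you operate is open, as discussed under "Public (Open) recursive DNS" above (added example, not ClouDNS code): send a query with the recursion-desired bit set from a host outside your network and read the flags in the response header. The helper names are hypothetical and the response packets used for the offline check are constructed samples.

```python
import socket
import struct

TXID = 0x1234          # arbitrary transaction ID used by this example
FLAG_QR = 0x8000       # message is a response
FLAG_RD = 0x0100       # recursion desired (set by the client)
FLAG_RA = 0x0080       # recursion available (set by the server)
RCODE_REFUSED = 5


def build_query(qname, txid=TXID):
    """Build an A-record query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    name = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(packet, txid=TXID):
    """Classify a reply by its header: ID, QR/RA flags, RCODE, answer count."""
    if len(packet) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & FLAG_QR:
        return "invalid"
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"
    if flags & FLAG_RA and rcode == 0 and ancount > 0:
        return "recursion offered"
    return "no recursion"


def probe(server_ip, qname, timeout=3.0):
    """Query a resolver you operate. Run this from a host outside its network
    and use a name the server is not authoritative for."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server_ip, 53))
        try:
            packet, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no answer"
    return classify_response(packet)


def sample_response(query, flags, answers):
    """Constructed reply for offline testing: echoes the question and appends
    `answers` A records pointing at 192.0.2.10."""
    header = query[:2] + struct.pack("!HHHHH", flags, 1, answers, 0, 0)
    record = struct.pack("!HHHIH4s", 0xC00C, 1, 1, 60, 4, bytes([192, 0, 2, 10]))
    return header + query[12:] + record * answers


if __name__ == "__main__":
    q = build_query("example.net")
    print(classify_response(sample_response(q, 0x8180, 1)))  # open resolver
    print(classify_response(sample_response(q, 0x8105, 0)))  # query refused
    print(classify_response(sample_response(q, 0x8100, 0)))  # no recursion
```

A result of "recursion offered" for an outside client means the server resolves names for anyone and can be abused in the amplified attacks described above; "refused" or "no recursion" is the result you want to see from outside your own network.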

Can you have safe Recursive DNS servers?

Yes, it is possible to secure your servers. We recommend that you use our Private DNS servers. They are hidden from the public eye and still have all of the premium features like TTL management, Cloud domains, Secondary DNS, SOA Settings and Hourly statistics.
You don’t need to get all of them. You can strategically choose just a few of them where you most need them.

Conclusion 

The Recursive DNS servers are a fundamental component of the global network Internet and the DNS (Domain Name System). The role they play in the DNS resolution process is significant. DNS resolvers simplify and manage to balance the load of numerous DNS requests daily!

DNS flood attack explained in details
https://www.cloudns.net/blog/dns-flood-attack-explained-in-details/
Wed, 29 Nov 2023 08:10:37 +0000

In the ever-evolving landscape of cyber threats, a DNS flood attack stands out as a formidable challenge for businesses and individuals alike. This attack can cripple websites, disrupt services, and cause significant financial and reputational damage. This post aims to shed light on what a DNS flood attack is, how it works, and steps you can take to protect yourself from these digital deluges.

What is a DNS flood attack?

A DNS flood attack is a type of Distributed Denial of Service (DDoS) attack. It targets the DNS server, which is crucial for translating domain names (like www.example.com) into IP addresses that computers use to communicate. The attack floods the DNS server with an overwhelming number of requests, causing legitimate traffic to be delayed or completely blocked, effectively taking the service offline.

How does a DNS flood attack work?

Imagine a small post office suddenly receiving millions of letters, most with incorrect return addresses. A DNS flood attack operates similarly. Attackers leverage a network of compromised devices, known as a botnet, to send a deluge of DNS requests to a target server. These requests are often disguised with fake IP addresses, adding confusion and preventing easy filtering. The server, inundated by this tsunami of requests, struggles to respond, leading to legitimate requests being ignored or delayed – effectively disrupting normal web services. 

Let’s break down the process into steps:

  1. Volume of traffic: The attacker sends a massive amount of DNS requests to the target server, often using a network of compromised computers (botnets).
  2. Spoofing IP addresses: These requests often have fake return addresses, making it hard for the server to distinguish between legitimate and illegitimate traffic.
  3. Server overload: The DNS server becomes overwhelmed, trying to process each request, leading to slowed down services or a total shutdown.
  4. Secondary effects: The attack can also impact other services that rely on the DNS server, creating a ripple effect of disruption.

Why is it dangerous?

The danger of DNS flood attacks cannot be overstated. They are more than just an inconvenience; they pose a significant threat to online operations. Firstly, they can cause major disruptions to essential services, crippling websites and online platforms. This disruption can have a cascading effect, impacting not only the targeted site but also any service that relies on it. The financial implications are equally severe, especially for businesses that depend on online transactions or services. Beyond the immediate financial losses, these attacks can inflict long-term damage to a company’s reputation, shaking customer confidence and trust. Moreover, while the focus is on mitigating the attack, other security vulnerabilities might be overlooked, leaving the door open for further exploits.

How to recognize a DNS flood attack?

Identifying a DNS flood attack primarily involves monitoring for an abnormal surge in DNS traffic. This is where tools like ClouDNS Free DNS tool come into play. This innovative tool enables users to inspect DNS records for specific hosts and analyze the speed and volume of DNS queries. Users can conduct a thorough audit of their DNS traffic, a crucial step in early detection. The tool’s user-friendly interface and comprehensive functionality, including compatibility with major DNS resolvers like Cloudflare, make it an invaluable resource in a cybersecurity toolkit.

DNS flood attack mitigation

To defend against DNS flood attacks, consider the following strategies:

DNSSEC (Domain Name System Security Extensions):

DNSSEC adds an extra layer of security by verifying the authenticity of DNS responses. This helps ensure that the data hasn’t been altered, making it harder for attackers to exploit the DNS system.

DDoS Protection Service:

DDoS Protection services specialize in distinguishing and mitigating abnormal traffic patterns characteristic of DDoS attacks. They can redirect malicious traffic, keeping your DNS server operational.

DNS Monitoring:

Regularly monitoring DNS traffic for unusual patterns helps in early detection of potential attacks, allowing for swift action before significant disruption occurs.

Enabling DNS Caching:

DNS caching reduces the load on servers by storing responses locally. During an attack, cached data can still be served, maintaining service availability for some users.

Secondary DNS:

A Secondary DNS provides redundancy. If your primary server is overwhelmed, the secondary server can maintain service availability, minimizing downtime.

DoT (DNS over TLS) and DoH (DNS over HTTPS):

Implementing DoT and DoH encrypts DNS queries, enhancing security. They help differentiate legitimate traffic from malicious queries, as most attack traffic doesn’t use these secure channels.

Conclusion

In summary, effectively mitigating DNS flood attacks involves a blend of strategic defenses and proactive monitoring. By adopting a range of protective measures and staying vigilant, organizations can safeguard their online presence against these disruptive threats. Remember, a robust defense is essential in maintaining the integrity and reliability of your digital services in today’s interconnected world.
