DNS record Archives - ClouDNS Blog
https://www.cloudns.net/blog/tag/dns-record/
Articles about DNS Hosting and Cloud Technologies

DNS Tunneling attack – What is it, and how to protect ourselves?
https://www.cloudns.net/blog/dns-tunneling-attack-what-is-it-and-how-to-protect-ourselves/
Wed, 07 Aug 2024 08:58:04 +0000
A DNS Tunneling attack turns the Domain Name System (DNS), a highly trusted and widely used system on the Internet, into a weapon for cybercriminals. This type of attack abuses the protocol to sneak malicious traffic past the defenses of the victim organization.

Cybercriminals use malicious domain names and DNS servers under their control to bypass protections and exfiltrate data.

Before we jump into explaining what the DNS tunneling attack is and how it works, let’s talk a little bit more about what DNS is.

Domain Name System – explained

The Domain Name System, or DNS for short, is a global naming database. Thanks to it, we are able to use the Internet the way we do today. Its purpose is to translate human-readable domain names, such as example.net, into their corresponding machine-friendly IP addresses, such as 123.45.67.89. That way, regular users are not required to remember long and difficult numbers. Instead, people easily memorize domain names and use them to reach and explore their favorite news, sports, or other websites.

Many services rely on the huge number of DNS translation queries that happen constantly. For that reason, DNS traffic is widely used and trusted. Because DNS was designed for name resolution only and not for transferring data packets, it was not viewed as a channel for malicious communication and data exfiltration. Yet DNS is not just a translation instrument for domain names. DNS queries can also carry tiny portions of data between devices, systems, and servers. The bad news is that this makes DNS a potential vector for attacks.

Unfortunately, the majority of organizations do not analyze DNS packets for malicious activity on a regular basis. Instead, they mainly concentrate on analyzing web or email traffic, where they expect an attack to appear. The truth is that the DNS traffic of every endpoint should be monitored in detail to prevent DNS tunneling attacks.

DNS Tunneling – what do you have to know?

A DNS Tunneling attack is a popular cyber threat because it is very difficult to detect. It routes DNS requests to a server controlled by the attacker, giving them a covert command-and-control channel and a data exfiltration path.

Typically, DNS tunneling involves data payloads that are added to DNS queries sent towards the attacker's DNS server. They are used to gain control of a remote server and its applications. For the attack to work, the compromised system must be able to reach an external network, which it usually does through an internal DNS server with network access. The cybercriminal controls a domain name and a server that operates as its authoritative name server; that server runs the server-side tunneling software and the programs that process the data payloads.

DNS Tunneling History

The history of DNS tunneling is closely tied to the evolution of cybersecurity threats. It appeared as a technique for bypassing network restrictions and avoiding detection. At first, it was used for legitimate purposes like bypassing restrictive networks or anonymous online activity. However, DNS tunneling slowly became popular among malicious actors as a covert communication channel for data exfiltration and command-and-control purposes. The first examples of this attack appeared in the early 2000s and were often associated with malware propagation. Over the years, attackers have become more sophisticated and their techniques have evolved. That forced cybersecurity specialists to develop advanced monitoring and prevention mechanisms to protect against it.

How does it work?

A DNS tunneling attack takes advantage of the DNS protocol to tunnel malware or data through a client-server model. Let’s explain how this attack actually works.

It all starts when a user downloads malware or the cybercriminal exploits a vulnerability on the device to deliver a malicious payload. In most cases, the cybercriminal wants to keep a connection with the compromised device, that is, the ability to run commands on it or exfiltrate data. Therefore, the attacker sets up a command-and-control (C2) connection. Such traffic must be able to pass through the various network perimeter security measures, and it must avoid detection while it crosses the target network.

For that reason, DNS is a suitable option for setting up the tunnel. In cybersecurity, a tunnel is a connection over one protocol that carries a payload belonging to another, here data and commands, through perimeter security measures. That way, the DNS tunneling attack hides information within DNS queries and sends them to a server controlled by the cybercriminal. DNS traffic passes freely through perimeter security measures such as firewalls. To set up the DNS tunnel, the cybercriminal registers a domain name and configures an authoritative name server under their control.

Then the malware or payload on the compromised device sends a DNS query for a subdomain whose labels encode the communication. The recursive DNS server (DNS resolver) receives the query and routes it to the attacker’s server. The server responds with a DNS answer whose data carries a command back to the compromised device. That way, the exchange passes without triggering any security measures.

Let’s break the DNS Tunneling attack into the following steps:

  1. The cybercriminal registers a domain and points it to a server under their control, on which tunneling software is installed.
  2. The cybercriminal infects a device with malware, getting past the victim’s firewall. DNS requests are not restricted from passing in and out of the firewall.
  3. The Recursive DNS server (DNS resolver) resolves the attacker’s domain by querying the root and top-level domain servers.
  4. The DNS resolver then routes the DNS query to the authoritative DNS server, which is controlled by the attacker and runs the tunneling software.
  5. A connection between the cybercriminal and the target is created without anyone noticing.

Why do Attackers Use DNS Tunneling?

Attackers use DNS tunneling to exploit the widespread and often under-monitored nature of DNS traffic. This attack allows them to secretly transmit data between a compromised system and a command-and-control server. Since DNS queries and responses are generally trusted and rarely scrutinized, this technique can easily bypass firewalls and other security measures. DNS tunneling allows attackers to maintain persistent access, execute remote commands, and exfiltrate sensitive data without detection. The global reach and minimal inspection of DNS make it an ideal medium for hidden communication and data transfer.

Detecting DNS Tunneling

There are several techniques that can help you detect a DNS tunneling attack. They fall into two main categories: payload analysis and traffic analysis.

Payload analysis – The DNS payload of one or more requests and responses is examined for signs of tunneling.

  • Size of request and answer. DNS tunneling utilities try to pack as much data as possible into each request and answer, so tunneling requests are more likely to have long labels, up to the maximum of 63 characters, and long names overall, up to the maximum of 255 characters.
  • Disorder of hostnames. Authentic DNS names commonly contain dictionary words and have some kind of meaning. Encoded names usually look random and draw from a larger character set.
  • Statistical examination. You can detect tunneling by checking the character distribution of DNS names. Authentic DNS names commonly contain few digits, whereas encoded names tend to contain many. Examining the percentage of numerical characters in a name, and the length of its Longest Meaningful Substring (LMS) as a percentage of the whole name, can also help.
  • Uncommon DNS record types. Check for record types that a regular client does not usually request, for example TXT records.
  • Policy violations. If a policy directs every DNS lookup through an internal DNS server, violations of that policy can be used as a detection signal.
  • Specific signatures. You can use a signature to examine precise attributes in the DNS header and then scan for particular content in the payload.

Traffic analysis – The traffic is examined over time.

  • Volume of DNS traffic per IP address. A simple technique is to check the amount of DNS traffic coming from a particular client IP address.
  • Volume of DNS traffic per domain. Another simple method is to check for massive amounts of traffic towards one particular domain name. DNS tunnel utilities are typically set up to tunnel data through a specific domain name, so all of the tunneled traffic goes to that exact domain.
  • Number of hostnames per domain. DNS tunneling utilities request a different hostname on every query, which drives the number of unique hostnames under the domain unusually high compared with a legitimate domain.
  • Geographic location of the DNS server. Check for large amounts of DNS traffic directed to geographic areas where you don’t offer your services or products.
  • History of a domain. Check when an A (or AAAA) record or NS record was created and added to a domain name. This technique is very useful for detecting domains that were set up for malicious activity.

Source: GIAC Certifications
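Here is an added Python example (not code from the ClouDNS post) that applies the payload and traffic checks above to a constructed query log so a defender can review the flagged domains; the log format, the thresholds, and the badzone.test / example.net names are assumptions for the demonstration:

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, one "client_ip qtype qname" per line (not real traffic).
# The badzone.test names carry 96 hex characters of made-up "encoded" data.
SAMPLE_LOG = """\
10.0.0.5 A www.example.net
10.0.0.5 A mail.example.net
10.0.0.7 TXT 3f9a1c4e8b2d70568c2e4a6f1d9b37051a2b3c4d5e6f7890.9e8d7c6b5a4f32100f1e2d3c4b5a67893f9a1c4e8b2d7056.badzone.test
10.0.0.7 TXT 8c2e4a6f1d9b37051a2b3c4d5e6f78909e8d7c6b5a4f3210.0f1e2d3c4b5a67893f9a1c4e8b2d70568c2e4a6f1d9b3705.badzone.test
10.0.0.5 A www.example.net
10.0.0.7 TXT 1a2b3c4d5e6f78909e8d7c6b5a4f32100f1e2d3c4b5a6789.3f9a1c4e8b2d70568c2e4a6f1d9b37051a2b3c4d5e6f7890.badzone.test
10.0.0.9 AAAA cdn.example.net
10.0.0.7 TXT 9e8d7c6b5a4f32100f1e2d3c4b5a67893f9a1c4e8b2d7056.8c2e4a6f1d9b37051a2b3c4d5e6f78909e8d7c6b5a4f3210.badzone.test
"""

# Heuristic thresholds: assumed values for this example, tune them per network.
MAX_LABEL_OK = 40          # the protocol maximum is 63 characters per label
MAX_NAME_OK = 100          # the protocol maximum is 255 characters per name
MAX_DIGIT_RATIO_OK = 0.3   # share of digits in the subdomain part
MAX_ENTROPY_OK = 3.5       # bits per character; dictionary-word labels sit well below
UNCOMMON_QTYPES = {"TXT", "NULL"}
MIN_UNIQUE_HOSTS = 4       # distinct hostnames seen under one domain
MAX_QUERIES_PER_IP = 3     # queries from one client within the sampled window


def parse_log(text):
    """Parse 'client_ip qtype qname' lines into (ip, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1].upper(), parts[2].lower().rstrip(".")))
    return records


def registered_domain(qname):
    """Crude 'domain' = last two labels; real tooling would use a public suffix list."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character: encoded data looks far more disordered than dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def payload_indicators(qtype, qname):
    """Payload-analysis checks from the post, applied to a single query."""
    labels = qname.split(".")
    sub = "".join(labels[:-2])          # subdomain part, where encoded data would sit
    reasons = []
    if max(len(lab) for lab in labels) > MAX_LABEL_OK:
        reasons.append("long label")
    if len(qname) > MAX_NAME_OK:
        reasons.append("long name")
    if sub and sum(ch.isdigit() for ch in sub) / len(sub) > MAX_DIGIT_RATIO_OK:
        reasons.append("many digits")
    if shannon_entropy(sub) > MAX_ENTROPY_OK:
        reasons.append("high entropy")
    if qtype in UNCOMMON_QTYPES:
        reasons.append("uncommon qtype " + qtype)
    return reasons


def traffic_indicators(records):
    """Traffic-analysis checks: volume per client IP and unique hostnames per domain."""
    per_ip = Counter(ip for ip, _, _ in records)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n > MAX_QUERIES_PER_IP)
    hosts = defaultdict(set)
    for _, _, qname in records:
        hosts[registered_domain(qname)].add(qname)
    busy_domains = {d: "%d unique hostnames" % len(h)
                    for d, h in hosts.items() if len(h) >= MIN_UNIQUE_HOSTS}
    return noisy_ips, busy_domains


def suspicious_domains(records):
    """Combine both analyses into a per-domain list of reasons (sorted for stable output)."""
    verdict = defaultdict(set)
    for _, qtype, qname in records:
        verdict[registered_domain(qname)].update(payload_indicators(qtype, qname))
    _, busy = traffic_indicators(records)
    for domain, reason in busy.items():
        verdict[domain].add(reason)
    return {d: sorted(r) for d, r in verdict.items() if r}


if __name__ == "__main__":
    for domain, reasons in suspicious_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, "->", ", ".join(reasons))
```

On the sample log only badzone.test is reported, with every payload sign plus the unique-hostname count, while example.net stays clean.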

Protection against DNS Tunneling attacks

DNS is a crucial service, so blocking it outright is not an option. Protection against a DNS Tunneling attack therefore involves several measures that help you prevent it.

  • Keep a close watch on questionable IP addresses and domain names from unfamiliar sources.
  • Configure all internal clients to send their DNS requests (DNS queries) to an internal DNS server. That way, you can filter potentially malicious domains.
  • Stay watchful for suspicious domain names and always monitor DNS traffic. That reduces the chance of a DNS tunneling attack succeeding.
  • Set up a DNS firewall to recognize and stop intrusions.
  • A real-time DNS solution that can detect uncommon DNS queries and unusual traffic patterns on the DNS server is another excellent option.

Using DNS Monitoring against DNS tunneling

DNS Monitoring can be crucial in mitigating the risks of DNS tunneling by providing real-time visibility into DNS traffic patterns and behavior. By constantly analyzing DNS queries and responses, DNS monitoring can detect anomalies and suspicious activities that indicate tunneling attempts. This proactive monitoring allows organizations to quickly identify and respond to potential threats, such as secret data exfiltration and command and control communications before they escalate. Additionally, the ClouDNS Monitoring service offers different alerting mechanisms that notify administrators of any unusual DNS activities. That way, they can take timely action to investigate and block malicious traffic. Thanks to the extensive monitoring capabilities, organizations can strengthen their DNS infrastructure and improve their ability to defend against different threats, including DNS tunneling.

Risks and Impact of DNS Tunneling

A DNS tunneling attack poses several significant risks to organizations:

  • Data Breaches: Attackers can exfiltrate sensitive information, including personal data, intellectual property, and financial records.
  • Unauthorized Access: Allows attackers to maintain hidden, persistent access to compromised systems.
  • Operational Disruption: Enables the execution of remote commands, potentially leading to system malfunctions or downtime.
  • Financial Loss: Costs associated with data loss, various fines, and restoration efforts can be significant.
  • Reputational Damage: Public exposure of breaches can harm an organization’s reputation, leading to loss of customer trust and business.
  • Detection Challenges: The nature of DNS tunneling makes it difficult to detect and mitigate, increasing the potential for long-term undetected exploitation.

Examples and Cases

Over the years, several famous examples of DNS tunneling have highlighted its power as a cyber threat:

  • Sea Turtle Campaign (2019)

The Sea Turtle campaign in 2019 highlighted the advanced tactics of state-sponsored cyber espionage. This campaign targeted domain registrars, telecommunications firms, and government entities to compromise their DNS records. Attackers manipulated DNS records to redirect legitimate traffic to malicious servers under their control. DNS tunneling played a key role in allowing the attackers to maintain persistent access, exfiltrate sensitive information, and establish C2 channels while remaining undetected.

  • SUNBURST Malware (2020)

The SUNBURST malware, a significant component of the SolarWinds supply chain attack in late 2020, demonstrated the sophistication of modern cyber threats. SUNBURST used DNS tunneling as one of its communication methods to establish contact with its C2 infrastructure. By embedding communication within DNS queries and responses, the malware achieved secret data exchange with remote servers. That way, attackers were able to exfiltrate stolen data and receive further instructions while avoiding detection by security measures focused on more traditional communication protocols.

  • UDPoS Malware (2015)

The UDPoS malware, discovered in 2015, demonstrated a variation of DNS tunneling where attackers used User Datagram Protocol (UDP) packets to exfiltrate stolen credit card data. The malware encoded the stolen information into DNS queries, which were then transmitted over UDP to avoid detection by traditional network security controls. This technique allowed the attackers to bypass network monitoring tools that usually focus on Transmission Control Protocol (TCP) traffic.

Conclusion

DNS tunneling is a severe cyber threat. It could lead to massive negative consequences. This is because the cybercriminal uses the tunnel for malicious ends, like exfiltrating information. In addition, there is no direct association between the cybercriminal and the target. That makes it hard to detect the attacker’s attempt.

Types of DNS records – What are they and what is their purpose?
https://www.cloudns.net/blog/dns-records-different-types/
Tue, 26 Mar 2024 11:31:24 +0000
Do you know what types of DNS records are out there? If you don’t know them all, don’t worry, we will explain them all in brief. By identifying them, you can easily manage your DNS plan in the best possible way.

But first, let’s explain a little bit more about what DNS records actually are.

DNS records briefly explained

DNS records are simple text-based instructions for a specific domain name. Their main purpose is to set precise rules for the domain. Additionally, they are created and gathered in a zone file in the DNS zone. All that information is stored on the Authoritative DNS server for the particular domain name. As we mentioned, DNS records are completely made of text. Therefore, they are pretty light. That allows DNS administrators to edit and adjust them easily. 

Every DNS record type has a different function, so each of them is important for the proper management of the domain name. Moreover, when a user makes a request, the Recursive DNS servers search for a precise DNS record type. 

For the rest of this article, we are going to present to you some of the most important and interesting DNS record types. 

Common DNS record types

There are several types of DNS records, each serving a different purpose. Let’s take a look at some of the most common ones:

SOA Record

SOA (Start of Authority) marks the start of authority for the DNS zone and specifies the zone’s global parameters. Every zone must have exactly one; you can’t add two per zone. It has the following parameters: Serial number, Primary Nameserver, DNS admin’s email, Refresh Rate, Retry Rate, Expire Time and TTL.

A and AAAA Records

These DNS record types are perhaps the most popular and also the most important. The A record and the AAAA record are both responsible for mapping a domain name to its corresponding IP address. This is what enables users to access your website via its domain name. The difference is that an A record points to an IPv4 address and an AAAA record to an IPv6 address.

MX Record

The MX record, also known as the mail exchange record, specifies the email server responsible for accepting incoming email messages for a domain name. This DNS record type is crucial for ensuring that your email gets delivered to the correct mail server. Basically, it says which server should receive the incoming emails. If it points to the wrong server, you won’t receive emails.

CNAME Record

The CNAME record is another very popular DNS record type; the acronym stands for Canonical Name. It lets you point one hostname to another hostname, rather than to an IP address like the A and AAAA records. You can use it when you want to create an alias for a domain name. It can be used for subdomains only, not for the root domain. It is important to note that you can add only one CNAME record per hostname.

TXT Record

The TXT record allows you to add and store text-based information about a domain name. There are all kinds of TXT records: some are easy for people to read, and others are meant for machines. For example, a DKIM (DomainKeys Identified Mail) record is a TXT record that associates a domain name with a specific email message. There is also the DMARC (Domain-based Message Authentication, Reporting, and Conformance) record, which helps identify and block spam and phishing emails by verifying them.

SPF Record

An SPF (Sender Policy Framework) record specifies who is authorized to send emails for a particular domain. Without it, all the emails you send will go directly to the spam folder of the recipients. It is helpful for preventing email spoofing and phishing attacks.

NS Record

The acronym “NS” stands for Name Server; the NS record points the domain name to the authoritative DNS servers responsible for its DNS zone. The NS record is essential for ensuring that your domain name is properly delegated and configured.

SRV Record

SRV records are responsible for defining the locations of servers for specified services, such as voice-over IP (VoIP), instant messaging, and others.

Web Redirect (WR) Record

The Web Redirect record does precisely what it says. It redirects from one address to another. There are a few types: 301 redirect which is a permanent redirect, and 302 redirect, which is temporary, if the address has been moved but not permanently. You can do such a redirection with SSL too.

ALIAS Record

The ALIAS record is very similar to the CNAME record. It allows you to add various hostnames for the same subdomain, and unlike the CNAME record, you can use it for the root domain as well. This record type is built into ClouDNS.

RP Record

The RP record, or Responsible person record, shows who is responsible for the domain name and specifies its email address.

SSHFP Record

The Secure Shell Fingerprint record is used for Secure Shell (SSH). The SSHFP record is typically used with DNSSEC-enabled domains. When an SSH client connects to a server, it checks the corresponding SSHFP record against the fingerprint of the server’s host key. If there is a match, the server is legitimate and it is safe to connect to it.

PTR Record

The PTR record, also commonly known as the Pointer record, points an IP address (IPv4 or IPv6) to a domain name. It is the exact opposite of the A and AAAA records, which match the hostnames to IP addresses. PTR records are used for Reverse DNS.

NAPTR Record

IP telephony uses Naming Authority Pointer records, or NAPTR records for short, to map servers and users’ addresses in the Session Initiation Protocol (SIP).

CAA record

The Certification Authority Authorization (CAA) record gives the DNS domain name holder control over which Certificate Authorities may issue certificates for the domain. The record can set policies for the whole domain or for specific hostnames.

Wildcard DNS Record

The Wildcard DNS record matches requests for hostnames that do not exist in the zone. It is specified with a “*”, for example *.cloudns.net.

For more information, examples, and video tutorials check the following DNS record wiki page.
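As an added illustration that is not part of the original post, the following Python snippet parses a constructed zone in master-file format, checks the rules stated above (exactly one SOA, one CNAME per hostname, no CNAME at the root, which is where ALIAS belongs), and answers lookups including the wildcard behaviour; the zone contents, the single-line SOA and the example.net names are assumptions for the example:

```python
from collections import defaultdict

# Constructed zone in master-file format; one record per line, '@' means the apex.
# It deliberately contains the mistakes that check_zone() reports.
ZONE_TEXT = """\
$ORIGIN example.net.
$TTL 3600
@        IN SOA   ns1.example.net. hostmaster.example.net. 2024032601 7200 900 1209600 3600
@        IN NS    ns1.example.net.
@        IN NS    ns2.example.net.
@        IN A     192.0.2.10
@        IN MX    10 mail.example.net.
@        IN CAA   0 issue "ca.example"
@        IN CNAME www.example.net.
www  300 IN A     192.0.2.10
www      IN AAAA  2001:db8::10
blog     IN CNAME www.example.net.
blog     IN CNAME www2.example.net.
shop     IN CNAME www.example.net.
shop     IN A     192.0.2.30
*        IN A     192.0.2.99
"""


def parse_zone(text):
    """Return (origin, records); each record is (fqdn, ttl, type, rdata)."""
    origin, default_ttl, records = "", 3600, []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()        # ';' starts a comment in zone files
        if not line:
            continue
        tok = line.split()
        if tok[0] == "$ORIGIN":
            origin = tok[1].lower()
            continue
        if tok[0] == "$TTL":
            default_ttl = int(tok[1])
            continue
        if tok[0] == "@":
            name = origin
        elif tok[0].endswith("."):
            name = tok[0]
        else:
            name = tok[0] + "." + origin
        i, ttl = 1, default_ttl
        if tok[i].isdigit():                     # optional per-record TTL
            ttl, i = int(tok[i]), i + 1
        if tok[i].upper() == "IN":
            i += 1
        records.append((name.lower(), ttl, tok[i].upper(), " ".join(tok[i + 1:])))
    return origin, records


def check_zone(origin, records):
    """Rules from the post: exactly one SOA, one CNAME per hostname, no CNAME at the
    root (ALIAS belongs there), plus the standard rule that a CNAME stands alone."""
    problems = []
    types_at = defaultdict(list)
    for name, _, rtype, _ in records:
        types_at[name].append(rtype)
    soa_count = types_at[origin].count("SOA")
    if soa_count != 1:
        problems.append("zone must have exactly one SOA, found %d" % soa_count)
    for name, types in types_at.items():
        n_cname = types.count("CNAME")
        if not n_cname:
            continue
        if name == origin:
            problems.append("%s: CNAME at the root domain, use ALIAS instead" % name)
        if n_cname > 1:
            problems.append("%s: %d CNAME records, only one is allowed" % (name, n_cname))
        others = sorted(set(t for t in types if t != "CNAME"))
        if others:
            problems.append("%s: CNAME cannot coexist with %s" % (name, ",".join(others)))
    return problems


def lookup(origin, records, qname, qtype):
    """Answer a query from the zone; a wildcard only matches names that do not exist,
    and an existing ancestor name blocks wildcards further up (RFC 4592 behaviour)."""
    qname = qname.lower().rstrip(".") + "."
    names = {r[0] for r in records}
    if qname in names:
        return [r for r in records if r[0] == qname and r[2] == qtype.upper()]
    parts = qname.split(".")
    for i in range(1, len(parts) - 1):
        parent = ".".join(parts[i:])
        if "*." + parent in names:
            return [r for r in records if r[0] == "*." + parent and r[2] == qtype.upper()]
        if parent in names:
            return []
    return []
```

Running check_zone on the sample reports the apex CNAME, the duplicate CNAME on blog and the CNAME/A clash on shop, and lookup answers anything.example.net from the wildcard while deep.www.example.net gets nothing because www exists.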

How many DNS record types are there?

The Domain Name System (DNS) offers an extensive collection of DNS record types, each tailored to specific functions within the internet’s architecture. Currently, there are over 60 standardized DNS record types, which highlights the system’s complexity and adaptability to various networking needs.

Among these record types are the fundamental A and AAAA records, which respectively map domain names to IPv4 and IPv6 addresses, enabling the routing of internet traffic. MX records handle mail server information, directing emails to the appropriate destination, while CNAME records help aliasing one domain name to another.

Beyond these basics, there is a large number of specialized DNS record types designed to cater to specific requirements. TXT records store text data, serving purposes like domain verification and SPF (Sender Policy Framework) for email authentication. PTR records enable reverse DNS lookups, aiding in network diagnostics and security measures.

Moreover, DNSSEC (Domain Name System Security Extensions) has introduced additional record types which strengthen DNS security. These include DNSKEY records for cryptographic keys and RRSIG records for digital signatures, ensuring the authenticity and integrity of DNS data.

As technology advances, new record types may emerge to address challenges and requirements in internet communication and security. Despite this evolution, the core DNS record types remain vital components of the internet’s infrastructure, supporting its functionality and reliability.

Conclusion

Knowing more DNS records and how to use them will give you an advantage in your DNS usage. You can manage better, and you can get better results.
If you can’t figure out how to use some of the records on your own, you can always contact our Live Chat Support, who will be happy to help you.

TTL and how to check TTL
https://www.cloudns.net/blog/ttl/
Tue, 16 Jan 2024 06:17:00 +0000
TTL (Time to Live) is a value that specifies how long data should be kept before it is discarded. It is commonly used in computing. In the Domain Name System, it is a value in seconds (86 400 for a day, 43 200 for 12 hours and so on) that shows how long a record should be kept locally before a new query is needed to refresh the information. The TTL is set separately for each record. The values are set on the authoritative DNS server, and the recursive DNS server keeps the information for the predetermined time. This process of temporarily holding the record is called caching, and the temporarily stored data is the DNS cache.

How to check the TTL using Windows OS?

Open the Command Prompt as an administrator. From there, use nslookup. Type this on the command line: nslookup -type=soa www.cloudns.net. You will get an answer from the authoritative server with the TTL.

You can change the type of the record and look it up for A, AAAA, MX or another type.

How to check the TTL using Linux OS and Mac OS?

You will need to use the dig command.

Run dig a cloudns.net. This will give you a long answer. If you want just the TTL, you can try: dig +nocmd +noall +answer +ttlid a www.cloudns.net

You can check the different DNS records by changing the record type before the domain name. For example, for AAAA records it will be: dig +nocmd +noall +answer +ttlid aaaa www.cloudns.net, and for MX: dig +nocmd +noall +answer +ttlid mx www.cloudns.net

The previous answers are provided by the recursive servers. If you want to ask an authoritative nameserver directly, add “+trace” after “dig”, so it looks like this: dig +trace +nocmd +noall +answer +ttlid aaaa www.cloudns.net

Easy way to check the SOA TTL value

Now, let’s see how to check the SOA TTL value, which is important for understanding the duration DNS records are cached and how quickly changes are propagated across the internet. For this purpose, we will use the ClouDNS Free DNS tool, a straightforward and effective solution for DNS management and analysis.

1. Access ClouDNS Free DNS Tool
Navigate to the ClouDNS website and locate their Free DNS Tool. This tool is specifically designed for conducting DNS audits and other DNS-related inquiries.

2. Enter the domain name
In the Free DNS Tool interface, you’ll find a field to input the domain name you wish to investigate. This is where you type in the full domain (for example, “cloudns.net”). It’s crucial to ensure the domain name is entered correctly to get accurate results.

3. Choose DNS audit and Select DNS resolver
Once the domain is entered, you need to specify the type of inquiry you’re making. Select “DNS audit” from the available options. Then, choose a DNS resolver. Typically, you might have options like Cloudflare, Google, etc. The choice of DNS resolver can influence the results, as different resolvers might have different cached data.

4. Review the results
After initiating the audit, the tool will process your request and display the results. In these results, look for the SOA (Start of Authority) record section. This part of the report will include information about the primary nameserver, the responsible party for the domain, and various timers related to the domain’s DNS records.

Most importantly, locate the “Default TTL” value within the SOA record section. This number, typically shown in seconds, is the SOA TTL value for the domain. It indicates the duration for which DNS records are cached by resolvers.
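Added example, not from the post: a Python parser for the answer lines that dig +nocmd +noall +answer +ttlid prints, decoding the SOA fields named above and comparing a recursive answer with the authoritative one to see how long a record has already been cached. The dig output and the example.net records are constructed for the demonstration:

```python
# Constructed dig answer lines (RFC 5737 / RFC 3849 documentation addresses).
# What a recursive resolver returned: its TTLs are already counting down.
RECURSIVE_ANSWER = """\
www.example.net.\t2713\tIN\tA\t192.0.2.10
www.example.net.\t2713\tIN\tAAAA\t2001:db8::10
"""
# What the authoritative server returned for the same names, plus the zone's SOA.
AUTHORITATIVE_ANSWER = """\
www.example.net.\t3600\tIN\tA\t192.0.2.10
www.example.net.\t3600\tIN\tAAAA\t2001:db8::10
example.net.\t86400\tIN\tSOA\tns1.example.net. hostmaster.example.net. 2024011601 7200 900 1209600 3600
"""

# SOA rdata fields in wire order: primary nameserver, admin mailbox, serial,
# refresh, retry, expire and the minimum (default) TTL the post talks about.
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_dig_answer(text):
    """Parse 'name ttl class type rdata' lines into (name, ttl, type, rdata) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # dig prints comments with ';'
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        rows.append((name.lower(), int(ttl), rtype.upper(), rdata))
    return rows


def parse_soa(rdata):
    """Split SOA rdata into named fields; the timers are integers in seconds."""
    soa = dict(zip(SOA_FIELDS, rdata.split()))
    for key in SOA_FIELDS[2:]:
        soa[key] = int(soa[key])
    return soa


def ttl_of(rows, name, rtype):
    """TTL of the first matching record, or None when the answer has no such record."""
    for n, ttl, t, _ in rows:
        if n == name.lower() and t == rtype.upper():
            return ttl
    return None


def cache_age(recursive_rows, authoritative_rows, name, rtype):
    """Seconds since the resolver fetched the record: full TTL minus what remains.
    Returns None when either side lacks the record or the cached TTL is larger,
    which means the authoritative TTL was lowered after the resolver cached it."""
    cached = ttl_of(recursive_rows, name, rtype)
    full = ttl_of(authoritative_rows, name, rtype)
    if cached is None or full is None or cached > full:
        return None
    return full - cached


def describe_ttl(seconds):
    """Render seconds the way the post counts them (86400 = 1 day, 43200 = 12 hours)."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    units = ((days, "d"), (hours, "h"), (minutes, "m"), (secs, "s"))
    return " ".join("%d%s" % (v, u) for v, u in units if v) or "0s"


if __name__ == "__main__":
    rec = parse_dig_answer(RECURSIVE_ANSWER)
    auth = parse_dig_answer(AUTHORITATIVE_ANSWER)
    age = cache_age(rec, auth, "www.example.net.", "A")
    full = ttl_of(auth, "www.example.net.", "A")
    print("www A: cached %s ago, full TTL %s" % (describe_ttl(age), describe_ttl(full)))
    print("SOA:", parse_soa(auth[2][3]))
```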

Shorter or longer TTL?

Many clients prefer to set the TTL to a long period like 2 days (172 800 seconds). This reduces the load on the DNS servers, because queries need to be made less frequently. That can be good if you have a very limited DNS plan, but your clients won’t be happy about it. Make your clients’ experience better with a lower TTL and frequently updated records. A shorter TTL is useful if you have a very dynamic environment.

A and AAAA records. You can set it as low as 60 seconds if you really need your clients to get the latest update, but we recommend keeping it around 1-2 hours to reduce the load on the servers. You can set it as long as 12 hours or a whole day.

SOA record. Unlike other DNS records, the SOA record controls the speed of DNS updates. A longer TTL (e.g., 48 hours) delays updates but reduces server load. A shorter TTL (e.g., 2 hours) speeds up updates but increases server queries. Choose based on your update frequency and server capacity.

CNAME record. If you need to deliver a lot of content to different places, you can lower the TTL, but in normal conditions you can leave it at 12 hours.

MX record. Systems with a static IP address (one that doesn’t change) can use 1800 seconds or more, but those with a dynamic IP must keep the TTL low.

TXT record. You don’t change this one often, so you can set it up to 12 hours.

You can experiment with the TTL to see which suits you best. Remember the lower it is, the more often the recursive servers will update the information which is good for your clients. But this will signify a bigger load on your servers and more queries. You should see the results and think if you want to move to a lower or to a higher DNS plan.
