There are some ‘quasi-legitimate’ uses of DNS tunnelling but many are malicious. What are they, how do you stop them?
The latest Infoblox Security Assessment Report reveals 40 per cent of the files it tested showed evidence of DNS tunnelling. That’s nearly half of the enterprise networks that were tested by Infoblox returning evidence of a threat that can mean active malware or ongoing data exfiltration within the network.
For more than a decade now the bad guys have been looking at ways of using DNS to exfiltrate data. Port 53 manipulation, also known as DNS Tunneling, allows data to be directed through this established path for malicious purposes. Perhaps this shouldn’t be surprising, given the inherently trusted nature of DNS.
While there are some ‘quasi-legitimate’ uses of DNS tunnelling, many will be malicious. The nature of these attacks can vary, depending if the perpetrator is an off the shelf scripter or nation state actor. Project Sauron, an example at the nation state end of the spectrum, used DNS tunneling to exfiltrate data.