Page 56 - Cyber Warnings
“Legitimate” DNS tunnelling
Within an enterprise, the use of DNS for legitimate communications can often set off false alarms with networking and security teams on the lookout for malicious DNS tunnelling. Most companies that employ this unsanctioned use of DNS tend not to advertise the fact, and this can present a challenge to security teams looking for insidious use of the protocol. After all, legitimate and malicious use can look practically identical at first glance.
Of course, those using DNS in this way are generally taking creative shortcuts rather than deliberately abusing their organisation’s networks.
It all started around twenty years ago, when paywalls in certain hotels and airports blocked direct access to the internet via standard protocols such as HTTP. It was noticed, however, that DNS wasn’t blocked, and tools including NSTX, Dnscat and iodine were subsequently released allowing web sessions and email to be tunnelled through a user’s DNS connection.
Over the years these tools have evolved to provide full VPN services over DNS, with dozens of examples freely available on GitHub and elsewhere.
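Because tunnelled traffic and ordinary lookups look alike at first glance, security teams usually fall back on aggregate features of a zone's queries rather than any single query. The following is an added example, not code from the article, that scores a constructed resolver log (the hostnames, client addresses and thresholds are assumptions) on three such features: the share of unique subdomains, the mean entropy of the subdomain labels, and the share of record types that tunnels favour for bulk answers.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log (not real data): "<client> <qtype> <qname>".
# The t.example.net names mimic an iodine/dnscat-style tunnel that carries
# encoded payload in long subdomain labels; the rest are ordinary lookups.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 NULL 0ar9k2mf7dh3sk1z9qpx5gh2lt0c8ub.t.example.net
10.0.0.7 NULL p3d8s0wq1mzk6vhx2ja7ytn4rc9eb5l.t.example.net
10.0.0.7 TXT 8hq1zl3vx9pw2ndk7ru0msf5ca6ty4gb.t.example.net
10.0.0.7 NULL y2kd7fm9sq4vt0px6ha1wzn3cb8lr5ej.t.example.net
10.0.0.9 A cdn.example.org
10.0.0.9 AAAA cdn.example.org
"""

TUNNEL_QTYPES = {"TXT", "NULL", "CNAME", "MX"}  # types tunnels favour for large answers

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores far higher than hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname: str) -> str:
    """Crude zone split on the last two labels (no public-suffix list; an assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_domains(log_text: str) -> dict:
    """Per-zone features: share of unique subdomains, mean label entropy, odd qtypes."""
    agg = defaultdict(lambda: {"n": 0, "subs": set(), "ent": 0.0, "odd": 0})
    for line in log_text.strip().splitlines():
        _client, qtype, qname = line.split()
        zone = registered_domain(qname)
        prefix = qname.rstrip(".")[: -len(zone) - 1]  # everything left of the zone
        a = agg[zone]
        a["n"] += 1
        a["subs"].add(prefix)
        a["ent"] += shannon_entropy(prefix)
        a["odd"] += qtype.upper() in TUNNEL_QTYPES
    return {z: {"unique_ratio": len(a["subs"]) / a["n"],
                "avg_entropy": a["ent"] / a["n"],
                "odd_qtype_ratio": a["odd"] / a["n"]} for z, a in agg.items()}

def suspected_tunnels(log_text: str, min_entropy=3.5, min_unique=0.8, min_odd=0.5) -> list:
    """Zones whose queries are nearly all unique, high-entropy and bulk-answer types."""
    return sorted(z for z, f in score_domains(log_text).items()
                  if f["avg_entropy"] >= min_entropy and f["unique_ratio"] >= min_unique
                  and f["odd_qtype_ratio"] >= min_odd)
```

On the sample log only example.net trips all three thresholds; a zone that is unique-heavy but low-entropy (a CDN with many hostnames) or high-entropy but low-volume will need the thresholds tuned against a baseline of the organisation's own traffic.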
Not a wise use of the protocol
As well as setting off false alarms and raising concerns around theft of service, DNS tunnelling, even as a means of legitimate communication, is not a wise use of the DNS protocol on an organisation’s network. Indeed, using DNS to transport data is misusing the protocol to deliberately circumvent measures put in place by the network operator.
It could be used to proxy past workplace productivity filters designed to block Facebook or personal email services, for example, or for something more sinister that could represent a risk to the whole company.
However, it appears there are a large number of commercial products which use DNS signalling as a means of providing data transfer services.
For example, at around the same time that DNS tunnelling was becoming popular as a technique, some manufacturers of customer premises equipment (CPE) were experiencing issues in sending updates out to their various consumer-grade Wi-Fi routers or cable and DSL modems across consumer and SMB networks.
It transpired that there was some inconsistency in the various types of traffic allowed through certain ISPs, and setting up proper connections through NAT-based routers was proving less than straightforward.
56 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide