Page 57 - Cyber Warnings
DNS was seen as a viable alternative, and it wasn't long before some customer premises equipment (CPE) vendors were using the protocol to push software updates and perform other maintenance tasks across their installed base.
Today, most enterprise-grade networks handle such tasks over properly authenticated management channels. Internal departments and branch offices, however, often run cheaper CPE, which means these control signals are still being carried over DNS, even inside an enterprise network.
Elsewhere, the need for near-continuous communication with their customers has led some anti-virus (AV) vendors to run file hash lookups over DNS: the client encodes the hash of a suspect file into a query name and reads the verdict from the response.
While this is undeniably a quick and effective way of checking whether a file is known to be malicious, it also conditions the network to accept encoded, never-repeating data in DNS queries, which is exactly the traffic pattern a DNS tunnel relies on, and so it can open the network to malicious communications.
Circumventing controls
Essentially, the main problem with DNS tunnelling techniques is that they bypass the controls a network team has put in place, raising security, compliance and operational concerns, while at the same time overloading both the DNS protocol itself and the anomaly detection systems deployed to examine DNS traffic.
Businesses are increasingly trying to protect their DNS as its importance becomes clearer, and
are beginning to realise how much extraneous DNS traffic is running on their networks.
It's perhaps optimistic to expect the practice to stop completely, but efforts could be made to persuade IT vendors and manufacturers to become less reliant on it, and so make it less difficult to secure this valuable but vulnerable protocol.
About the author
Rod Rasmussen is vice president of cybersecurity at Infoblox. As co-founder of internet security company IID (a company recently acquired by Infoblox), Rod is widely recognized as a leading expert on the abuse of the Domain Name System (DNS) by cyber criminals.
57 Cyber Warnings E-Magazine October 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide