EXECUTIVE SUMMARY:
DNS tunneling has historically been used for command and control (C2) and as a VPN-like channel for evading network restrictions. Recent findings show it being adopted for two further purposes, network scanning and victim tracking, which defenders have not traditionally looked for. Because DNS is almost never blocked at the perimeter, and resolvers readily forward queries they cannot answer from cache, attackers can use it to carry data past controls that inspect other protocols.
DNS tunneling embeds data in the labels of DNS queries and in the records returned in responses. A compromised host, or a victim's resolver acting on its behalf, sends queries for names under an attacker-controlled zone; because resolvers forward names they do not know to that zone's authoritative nameserver, the encoded data reaches the attacker even when the host has no other route out, and the traffic blends into ordinary name resolution. Two recent campaigns show how flexible the channel is. In the scanning campaign, attackers encode IP addresses and timestamps into the query name, so that every forwarded query tells the attacker's nameserver which resolver handled it and when; this yields reconnaissance of resolver infrastructure and candidates for exploitation of vulnerabilities in it. In the tracking campaign, a per-victim subdomain is embedded in content delivered by email, so that a lookup of that name reveals the victim's interaction with the message and the delivery of its content.
As DNS tunneling continues to evolve, organizations must adjust their defenses to match. Deploy DNS security controls that can flag tunneling indicators: large numbers of unique subdomains under a single zone, long or random-looking labels, and query volumes out of proportion to normal client behaviour. Restrict resolvers so that they answer only the client ranges that need them (an open resolver is precisely what the scanning campaign is looking for), and update resolver software promptly so that known vulnerabilities cannot be exploited over the same channel. Logging queries at the resolver is a prerequisite for both detection and retrospective investigation, and it is what lets an organization remain vigilant against DNS tunneling as the threat landscape shifts.
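The two uses described above, a payload-carrying label for scanning and a per-victim label for tracking, together with the kind of resolver-log check a defender would run for both, as an added illustration that is not code from the original report or from the campaigns it describes. The zone names, the 4-byte IP plus 4-byte timestamp layout, the hashed-address tracking label, the log format, the sample log lines and the detection thresholds are all assumptions made for this example.

```python
"""Added example, not code from the original report or the campaigns it describes.
Toy model of a scan-style payload label and a per-victim tracking label, followed
by a detector run over constructed resolver log lines. Zone names, payload layout,
hashing scheme, log format and thresholds are assumptions made for illustration."""
import hashlib
import ipaddress
import math
from collections import defaultdict

# Hypothetical attacker-controlled zones (assumptions, not real infrastructure).
SCAN_ZONE = "scan.example.net"
TRACK_ZONE = "trk.example.net"


def encode_scan_payload(target_ip: str, ts: int) -> str:
    """Assumed layout: 4-byte IPv4 + 4-byte epoch seconds, hex-encoded as one label.
    Whatever resolver forwards this query tells the zone's authoritative server
    that target_ip was probed at time ts, without the data ever leaving DNS."""
    raw = ipaddress.IPv4Address(target_ip).packed + ts.to_bytes(4, "big")
    return f"{raw.hex()}.{SCAN_ZONE}"


def decode_scan_payload(qname: str) -> tuple:
    """What the attacker's nameserver would do with an inbound query name."""
    raw = bytes.fromhex(qname.split(".")[0])
    return str(ipaddress.IPv4Address(raw[:4])), int.from_bytes(raw[4:8], "big")


def tracking_qname(email: str) -> str:
    """Assumed tracking scheme: a per-recipient hash becomes the subdomain, so a
    lookup for it reveals that this recipient's client rendered the message."""
    digest = hashlib.sha256(email.strip().lower().encode()).hexdigest()[:32]
    return f"{digest}.{TRACK_ZONE}"


# Constructed resolver query log: "<epoch> <client_ip> <qname> <qtype>" per line.
SAMPLE_LOG = [
    "1700000000 10.0.0.5 www.example.com A",
    "1700000001 10.0.0.6 mail.example.com MX",
    "1700000002 10.0.0.5 www.example.com AAAA",
    "1700000003 10.0.0.7 cdn.static-assets.example.org A",
]
SAMPLE_LOG += [  # six probes of different targets, forwarded by one resolver client
    f"{1700000010 + i} 198.51.100.7 {encode_scan_payload(ip, 1700000010 + i)} A"
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12",
                            "203.0.113.13", "203.0.113.14", "203.0.113.15"])
]
SAMPLE_LOG += [  # five recipients opening a tracked email
    f"{1700000020 + i} 10.0.0.{8 + i} {tracking_qname(addr)} A"
    for i, addr in enumerate(["a@example.com", "b@example.com", "c@example.com",
                              "d@example.com", "e@example.com"])
]

HEX_CHARS = set("0123456789abcdef")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than dictionary words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def profile_zones(log_lines):
    """Group queries by the name minus its first label and compute per-zone features.
    Real tunnels may spread payload over several labels, and a production detector
    should use the Public Suffix List to pick the registrable domain instead."""
    labels_by_zone = defaultdict(set)
    for line in log_lines:
        _ts, _client, qname, _qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:  # bare registrable domain, nothing to carry data in
            continue
        labels_by_zone[".".join(labels[1:])].add(labels[0])
    profile = {}
    for zone, firsts in labels_by_zone.items():
        n = len(firsts)
        profile[zone] = {
            "unique_subdomains": n,
            "mean_label_len": sum(len(x) for x in firsts) / n,
            "mean_entropy": sum(shannon_entropy(x) for x in firsts) / n,
            "hex_fraction": sum(set(x) <= HEX_CHARS for x in firsts) / n,
        }
    return profile


def flag_tunnel_zones(log_lines, min_unique=5, min_label_len=16,
                      min_hex_fraction=0.8, min_entropy=3.5):
    """Zones with many distinct, long or machine-looking first labels. Thresholds
    are illustrative starting points; baseline them against your own traffic."""
    flagged = []
    for zone, f in profile_zones(log_lines).items():
        looks_encoded = (f["mean_label_len"] >= min_label_len
                         or f["hex_fraction"] >= min_hex_fraction
                         or f["mean_entropy"] >= min_entropy)
        if f["unique_subdomains"] >= min_unique and looks_encoded:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    for zone in flag_tunnel_zones(SAMPLE_LOG):
        print("possible tunnel zone:", zone, profile_zones(SAMPLE_LOG)[zone])
    print("decoded probe:", decode_scan_payload(SAMPLE_LOG[4].split()[2]))
```

Run as a script to see both hypothetical zones flagged and one probe decoded back to its target address and timestamp. Treat a hit as a lead rather than a verdict: CDN cache keys, antivirus signature lookups and some telemetry also produce many hex-looking labels under one zone, so baseline each zone's normal unique-subdomain count and label shape before turning this into an alert, and confirm a suspected scanning zone by checking whether the resolver is answering clients outside its intended service range.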
THREAT PROFILE:
Tactic              | Technique ID | Technique                               |
Defense Evasion     | T1205        | Traffic Signaling                       |
Discovery           | T1046        | Network Service Discovery               |
                    | T1012        | Query Registry                          |
                    | T1018        | Remote System Discovery                 |
                    | T1082        | System Information Discovery            |
Collection          | T1005        | Data from Local System                  |
Command and Control | T1001        | Data Obfuscation                        |
                    | T1572        | Protocol Tunneling                      |
                    | T1071        | Application Layer Protocol              |
Exfiltration        | T1048        | Exfiltration Over Alternative Protocol  |
Impact              | T1565        | Data Manipulation                       |
                    | T1496        | Resource Hijacking                      |
                    | T1499        | Endpoint Denial of Service              |
REFERENCES:
The following reports contain further technical details:
https://www.bleepingcomputer.com/news/security/hackers-use-dns-tunneling-for-network-scanning-tracking-victims/