Explain DNS Tunneling and how it works
The easiest way to think of DNS is like a phone book. It contains phone numbers (IP addresses) corresponding to the person they belong to (domains/websites). When you navigate to a website your computer does a phone book lookup to know who to call. Attackers make their traffic look like a phone book lookup but it actually contains a coded message that they are sneaking out.
It can be used for several things such as exfiltrating sensitive data or even communicating with another computer. Because all computers use DNS it can be difficult to spot the malicious traffic.
One method to detect/prevent DNS tunneling is to only allow outbound DNS to your trusted phonebooks and then either block or alert when a computer tries to use a different one.
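The resolver-allowlist control described above, as an added example that is not part of the original answer: a small Python check that reads egress firewall log lines for port 53 traffic and reports any internal host that is talking to a DNS server outside the trusted set. The log format, host names and addresses are constructed for the example; the real log format and the set of trusted resolvers are assumptions you would replace with your own.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample egress firewall log lines (not real traffic).
# Each line records one connection: source host, destination, port, protocol.
SAMPLE_FIREWALL_LOG = """
2024-01-01T10:00:01Z src=10.0.0.5 dst=10.0.0.53 dport=53 proto=udp action=allow
2024-01-01T10:00:02Z src=10.0.0.5 dst=10.0.0.54 dport=53 proto=udp action=allow
2024-01-01T10:00:03Z src=10.0.0.9 dst=203.0.113.7 dport=53 proto=udp action=allow
2024-01-01T10:00:04Z src=10.0.0.9 dst=203.0.113.7 dport=53 proto=tcp action=allow
2024-01-01T10:00:05Z src=10.0.0.5 dst=198.51.100.20 dport=443 proto=tcp action=allow
""".strip().splitlines()

# The organisation's own "trusted phone books": internal resolvers that are
# allowed to forward queries upstream. Assumed values for this example.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Key=value fields as they appear in the constructed log format above.
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one 'key=value ...' log line into a dict (timestamp kept under 'ts')."""
    fields = dict(_FIELD.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def find_rogue_resolvers(lines: Iterable[str], trusted: set) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for every port-53 connection whose
    destination is not one of the trusted resolvers.

    Only classic DNS on port 53 is examined; that is the boundary of this
    check, not a claim that other DNS transports do not exist."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("dport") != "53":
            continue                      # not DNS on the standard port
        if rec["dst"] in trusted:
            continue                      # expected resolver, nothing to flag
        findings.append((rec["ts"], rec["src"], rec["dst"]))
    return findings


def hosts_bypassing_resolvers(lines: Iterable[str], trusted: set) -> set:
    """Distinct internal hosts that sent DNS somewhere other than the trusted set."""
    return {src for _, src, _ in find_rogue_resolvers(lines, trusted)}


if __name__ == "__main__":
    for ts, src, dst in find_rogue_resolvers(SAMPLE_FIREWALL_LOG, TRUSTED_RESOLVERS):
        print(f"{ts} ALERT: {src} sent DNS to untrusted resolver {dst}")
```

On the sample log, 10.0.0.5 only talks to the two internal resolvers and is silent, while 10.0.0.9 is reported twice (UDP and TCP to 203.0.113.7). The same logic is what a firewall rule "allow udp/tcp 53 only to the internal resolvers, deny and log everything else" enforces in-line; running it over logs is useful where a blocking rule cannot yet be deployed, and as a check that the rule is actually in place.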
DNS tunneling is a technique used to bypass network restrictions by encoding data in DNS queries and responses. It works by encapsulating data inside DNS queries and responses, which are then sent over the network. The DNS server then decodes the data and sends it to the intended recipient. This technique can be used to bypass firewalls and other network restrictions, as DNS requests are usually allowed by most networks.
Simple terms: DNS tunneling is a type of attack exploiting the Trojan horse concept where hackers embed malicious code or programs into a message that appears to be a normal request. So changing the appearance of a URL or thumbnail or whatever it may be to appear to be something that it isn’t to provide access to thingys.
DNS is one of the fundamental protocols of the Internet. It provides conversions between domain names and IP addresses. It is organized as a hierarchical system with servers for different subdomains. A visitor to the site checkpoint.com would ask a .com DNS server for the IP address of the checkpoint.com DNS server. A second request to this DNS server would then provide the IP address of the server hosting the desired webpage. The user is now able to visit their desired site. Without the lookup services that it provides, it would be nearly impossible to find anything on the Internet. To visit a website, you would need to know the exact IP address of the server that is hosting it, which is impossible. As a result, DNS traffic is some of the most trusted traffic on the Internet. Organizations allow it to pass through their firewall (both inbound and outbound) because it is necessary for their internal employees to visit external sites and for external users to find their websites.
DNS tunneling takes advantage of this fact by using DNS requests to implement a command and control channel for malware. Inbound DNS traffic can carry commands to the malware, while outbound traffic can exfiltrate sensitive data or provide responses to the malware operator’s requests. This works because DNS is a very flexible protocol. There are very few restrictions on the data that a DNS request contains because it is designed to look for domain names of websites. Since almost anything can be a domain name, these fields can be used to carry sensitive information. These requests are designed to go to attacker-controlled DNS servers, ensuring that they can receive the requests and respond in the corresponding DNS replies.
DNS tunneling attacks are simple to perform, and numerous DNS tunneling toolkits exist. This makes it possible for even unsophisticated attackers to use this technique to sneak data past an organization’s network security solutions.
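The answer above explains that tunnels carry data in the query name itself, because "almost anything can be a domain name". That leaves fingerprints a resolver log can be scored on: unusually long labels, labels with high character entropy (encoded data looks random, real host names do not), and a single host asking for many distinct subdomains of one domain. The following Python is an added example, not code from the original answer or from Check Point, that applies those three heuristics to a constructed query log. The sample names, thresholds and the "registered domain = last two labels" simplification are assumptions; in production the registered domain should come from the public suffix list and thresholds should be tuned against your own baseline.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample resolver log (not real traffic): (source host, queried name).
# host-b's labels are 32 hex characters with every symbol used twice, which is
# the kind of dense, evenly distributed label an encoded payload produces.
SAMPLE_QUERIES = [
    ("host-a", "www.checkpoint.com"),
    ("host-a", "mail.example.org"),
    ("host-a", "cdn.example.org"),
    ("host-b", "0123456789abcdef0123456789abcdef.tunnel.example.net"),
    ("host-b", "fedcba9876543210fedcba9876543210.tunnel.example.net"),
    ("host-b", "abcdef0123456789abcdef0123456789.tunnel.example.net"),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_domain(name: str) -> str:
    """Simplified: the last two labels. Real code would consult the public suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect_tunneling_candidates(
    queries: List[Tuple[str, str]],
    max_label_len: int = 24,
    min_entropy: float = 3.5,
    min_unique_subdomains: int = 3,
) -> List[Dict]:
    """Score each query and return the ones that look like tunnel traffic.

    A query is reported when its longest label is both long and high-entropy,
    or when the source host has asked for at least min_unique_subdomains
    different names under the same registered domain."""
    # (host, registered domain) -> set of distinct full names seen
    seen = defaultdict(set)
    for host, name in queries:
        seen[(host, registered_domain(name))].add(name)

    findings = []
    for host, name in queries:
        reasons = []
        longest = max(name.split("."), key=len)
        ent = shannon_entropy(longest)
        if len(longest) >= max_label_len and ent >= min_entropy:
            reasons.append(f"label '{longest[:12]}...' len={len(longest)} entropy={ent:.2f}")
        unique = len(seen[(host, registered_domain(name))])
        if unique >= min_unique_subdomains:
            reasons.append(f"{unique} distinct names under {registered_domain(name)}")
        if reasons:
            findings.append({"host": host, "name": name, "reasons": reasons})
    return findings


def flagged_hosts(queries: List[Tuple[str, str]]) -> set:
    """Distinct source hosts with at least one flagged query."""
    return {f["host"] for f in detect_tunneling_candidates(queries)}


if __name__ == "__main__":
    for f in detect_tunneling_candidates(SAMPLE_QUERIES):
        print(f"{f['host']} {f['name']}: " + "; ".join(f["reasons"]))
```

On the sample data host-a's ordinary lookups score nothing (short labels, only two names under example.org), while all three of host-b's queries are reported on both signals. None of these heuristics is proof on its own: CDNs and some security products also generate long, random-looking labels, so the output is a triage list to combine with the resolver-allowlist check and with volume over time, not a block rule.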