When it comes to the fundamentals of networking, few technologies are as well established as the Domain Name System (DNS). Over the past three decades, DNS has remained a requirement for how we share and access information online. One change, however, is the level of scrutiny given to DNS as a potential security vulnerability in today’s network environment. In particular, hackers are exploiting DNS as a pathway for data exfiltration. That’s right -- someone could be siphoning valuable or sensitive information from your network through DNS.
The use of DNS, specifically port 53, for data theft is often called DNS tunneling. In tunneling, malicious insiders or outside hackers use the DNS protocol as an established pathway, or tunnel, directing the exchange of information for malicious purposes.
The targeted information of this theft varies as widely as the companies suffering these data breaches. Almost any kind of confidential information has financial value in the wrong hands, and some malicious actors steal information in the name of “hacktivism,” or theft with social or political motivations.
Another prevalent target is personally identifiable information used for identity theft, such as Social Security numbers and health care data protected by HIPAA regulations. Financial information is the other major target, from credit card numbers to payroll information. Even email addresses can be a valuable source of data that can then be used to commit fraud.
Data breaches are a common theme of technology news in recent years, and the effects of such incidents can be long lasting and severe. In some cases, data theft results in direct monetary loss, such as when credit card numbers are stolen. In other cases, customer confidence is the main casualty, which can in turn affect revenue over the ensuing months or years. Finally, regulators in industries with strict data control regulations can impose onerous fines on organizations that allow data to be stolen, motivating them to prevent further lapses in security.
DNS exfiltration and infiltration
The trusted nature of DNS makes it a unique target for information theft and a popular one among today’s hackers. The vulnerabilities lie in the query/reply nature of DNS.
Each message contains a header and four sections that vary in length. Two of these sections, the names section and the UDP messages section, can be used by hackers to encode data without it being detected by traditional security measures. This data is formatted as a query for data that is returned to a name server set up in advance by the hacker. This server is used to receive the stolen information, which is frequently hidden through data encoding methods to obscure the malicious activity. Further obfuscation methods are frequently employed by hackers to prevent discovery, making DNS data exfiltration an especially insidious method of information theft.
InfobloxIn addition to the direct extraction of data to the external server where it is reassembled, hackers might also choose to transfer data into a network, either to move data as part of a larger scheme or to execute malicious code that further compromises systems. The process is essentially a reversal of the exfiltration method, whereby encoded text is added to the rogue server. This is accomplished either by directly injecting the text into the target DNS server or by encoding it within otherwise innocent queries or replies, bypassing firewalls and content filters. Certain actions on the part of the victim, such as a click, result in the code being downloaded, assembled, and executed, carrying out the malicious action devised by the hacker.
Unfortunately, despite the complexity of DNS tunneling to the layman, today’s hackers need not be technical experts to accomplish data exfiltration or infiltration. Complete hacking toolkits are available through underground online communities, giving anyone who is willing to invest a little money everything they need in the form of ready-made programs that are easily implemented.
Defending against DNS data exfiltration
Safeguarding against DNS-based attacks requires a level of security that is not often included with the general-purpose security tools employed by most organizations. As organizations consider adopting a solution for DNS protection, they should ensure that the following capabilities are present:
- The tool should be specifically designed to identify both attacks based on preconfigured toolkits as well as more sophisticated custom data exfiltration techniques.
- It should include the ability to blacklist destinations that are known to be used for data exfiltration, preventing the successful retrieval of information even if a system is compromised. This blocking activity must be maintained on an active basis.
- A DNS firewall should also be a part of the solution, configured specifically to look for known attempts at data exfiltration.
- Because human monitoring of the network is less efficient than automated capabilities, a DNS protection solution should provide real-time analytics that closely monitors the network state and examines DNS queries to detect abnormal patterns, enabling users to make informed security decisions.
- DNS protection should be a stand-alone solution incorporated into DNS infrastructure without additional changes to the existing network architecture.
- Finally, because detection is only a portion of the security process, DNS protection tools should have the ability to automatically terminate malicious queries and prevent the execution of malware contained in DNS communication. The result is an endpoint that is isolated and unable to complete data exfiltration activities.
As with other aspects of information security, DNS protection is a challenge that can be addressed by current technology when it is properly applied. Businesses should be aware of the risk of DNS data exfiltration and take steps to prevent this increasingly common type of information theft. By adopting intelligent, capable tools and remaining vigilant regarding current threats, organizations can ensure that their network is free from covert data theft and remain safe and profitable.
Craig Sanderson has been in the network security industry for 17 years. He has had a number of roles in pre-sales consultancy, security architecture, product management, and business development. He is now senior director of product management for Infoblox’s security products.
New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.