How the hack? Data exfiltration through DNS

I don’t understand how someone can use DNS to exfiltrate Data from inside my network through my Firewall? It’s not possible… Is it?

Surely all DNS is just a lookup to determine the destination of a subsequent communication request, be that a website or MX record for email; the request itself contains no critical or private data.

On the surface, that’s all true, but the bad guys are cunning; they corrupt a critical service and twist it to their own ends. DNS is increasingly being used for data exfiltration, either by malware-infected devices, or by rogue employees. DNS is not only used for data leakage, but also to move malicious code into a network. This infiltration is easier than you think. Hackers can prepare a binary, encode it, and transport it past firewalls and content filters via DNS into an organization’s network. Hackers send and receive data via DNS—effectively converting it into a covert transport protocol.

Like most effective tools, the process is surprisingly simple; here’s a simplified example:

Step 1:  An infected endpoint gains access to company/personal data, but how to get it out?

Well, practically all environments allow DNS requests through their Firewalls; that’s how the internet works.

Step 2:  The infected endpoint encodes the data, breaks it down into chunks and sends each chunk out to a specific destination DNS server as simple DNS queries.

Let’s say, for example, it’s credit card details:

MjhdcmjdhcJohncjhja.badguy.com

Mnmndbbvc0doecjhja.badguy.com

Mhhhdsfsghc4429jhja.badguy.com

Vhvhdchjhc5527chjha.badguy.com

Hgdtruhhgc1179chjha.badguy.com

Reteyuejhc6643chjha.badguy.com

Trgdjdggdgc0222chjha.badguy.com

Erethshjdgc0987chjha.badguy.com

All these requests pass unhindered through the firewall; they are, after all, just DNS queries.

Step 3: The encoded queries are logged on the destination server and recompiled and we can see:

John doe, 4429552711796643, expiry date 0222 and CVV number 987

One credit card exfiltrated; bear in mind your firewall will see thousands of such requests hourly so, if the infected machine has access to a database of such information, then slowly but surely that entire database can be exfiltrated and nothing will stop it.

As I said before, this is a simplified example, but the principle is true and if it works for exfiltration, then why not manipulate the DNS response and have code infiltrate your network in a similar way?

What can I do to protect against this?

Some security solutions claim to offer protection for DNS, but the truth is that they are limited in what they can and cannot protect against. Infoblox BloxOne Threat Insight is a patented technology that detects and automatically blocks attempts to steal intellectual property via DNS, without the need for endpoint agents or additional network infrastructure. It uses real-time streaming analytics of live DNS queries and machine learning to accurately detect presence of data in DNS queries. Available as an optional module with Infoblox DNS Firewall or Infoblox Advanced DNS Protection, Threat Insight provides protection against both sophisticated data-exfiltration techniques and off-the-shelf tunnelling toolkits. Infoblox is the only vendor to offer a DNS infrastructure with built-in analytics to detect and block DNS tunnelling and data exfiltration.

Find out 10 reasons why you need BloxOne Threat Defense by downloading the infographic below.