DNS Tunnelling: The business case for DNS security all in one data exfiltration demo

Your Domain Network System (DNS) is an essential tool to keep your business running. Unfortunately, it’s also a tool to breach your business and steal data. For example, 91% of malware uses DNS to carry out attacks.

What the hack is DNS?

Most enterprises have multiple security technologies such as next-generation firewalls and intrusion-detection and prevention systems. Yet hackers can still find multiple pathways to steal data, but the one that is often unknowingly left open is the DNS, or Domain Name System (DNS).

For those of you who don’t know, DNS is a comprehensive translation system used to search the Internet. DNS is the term used to describe a system that assigns user-friendly domain names to unique 16-digit IP addresses. Which is why experts sometimes refer to DNS as the Phonebook of the Internet. It translates large amounts of undecipherable data into words and phrases to provide clear and accurate search results.

Why the hack isn’t it secure?

Because DNS is not intended for data transfer, people can overlook it as a threat for malicious communications or for data exfiltration. Many organisations have little or no monitoring for DNS even though it is one of the top attack vectors for cyber criminals. Instead, they focus resources on web or email traffic where attacks often take place.

Port 53 manipulation, commonly known as DNS tunnelling is one of the ways the vulnerabilities in DNS are exploited. For over a decade, cyber criminals have been looking for ways to exfiltrate data via DNS.

What the hack is DNS Tunnelling?  

DNS tunnelling enables cybercriminals to insert malware or pass stolen information through DNS, thereby using DNS as a covert communication channel to bypass firewalls. While there are semi-legitimate uses of DNS tunnelling (eg Spotify), many instances of tunnelling are malicious. There are several off-the-shelf tunnelling toolkits readily available on the Internet, so that hackers don’t always need technical sophistication to mount DNS tunnelling attacks. You can discover if there are any signs of malicious DNS tunnelling.

In the 2016 Infoblox Security Assessment Report, Infoblox evaluated the DNS traffic of 250 enterprises and found a shocking 40% to have evidence of DNS Tunnelling. That’s nearly half of the enterprise networks that were tested by Infoblox returning evidence of a threat that can mean active malware or ongoing data exfiltration within the network.

How the hack are the hackers exfiltrating data from your network?

DNS is increasingly being used for data exfiltration either by malware-infected devices or by rogue employees. DNS is not only used for data leakage, but also to move malicious code into a network. This infiltration is easier than you think.

Hackers can prepare a binary, encode it, and transport it past firewalls and content filters via DNS into an organisation’s network. Hackers send and receive data via DNS—effectively converting it into a covert transport protocol.

Infoblox have a Data Exfiltration Portal that demonstrates how easy it is to exfiltrate data from your network using DNS.

Here are 3 simple steps that show how valuable data can leave a target network.

Step 1: An infected endpoint has access to company data.

Step 2: Malware encodes the data, breaks it into chunks and sends it out as DNS queries.

Step 3: The encoded queries are logged and re-assembled on the far end.

What the hack can you do about it?

Infoblox have a DNS Exfiltration Demo Portal available. The portal allows an organisation and their security team, with the help of an account manager, to demonstrate and test their own network to see if sensitive data can be exfiltrated without any of their existing security infrastructure noticing. Find out how secure your DNS is and register onto Infoblox’s Data Exfiltration Demo Portal today.


To learn how Infoblox can help prevent data exfiltration over DNS, read this white paper and speak to an Infoblox expert to learn more – Andy.Lawrence@kitedistribution.co.uk