DNS Tunneling

kingwah

Are there any preventive and detective controls that can effectively deal with DNS tunneling?

bbreer

If you're using Bro or some other logging tool you can use analysis of the DNS logs to try to detect DNS tunneling. Most of this analysis depends on having accurate baselines on which to base your analysis and spot anomalies.

1. Deviations from the typical amount of DNS traffic per host

2. Size of DNS queries and responses

3. Do the host names being queried seem like they're random or computer generated?

4. If a host is asking to have an FQDN resolved then that typically means it wants to talk to that host. With DNS tunneling there would typically be no follow on connection (after the DNS messages) to the IP resolved in the DNS request because with DNS tunneling the DNS messages are not the means to an end but an end in itself.

Internal hosts should only be allowed to make DNS requests to the local DNS server. The only DNS traffic allowed out to the internet should be from the local DNS server. There should be a firewall rule to enforce this and an IDS signature so you're notified of any violation attempts.

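As an added illustration of the four signals in the post above (it is example code, not something bbreer or the Bro/Zeek project ships): it scores each internal host on query volume, query length, randomness of the leftmost label, and whether the resolved addresses were ever contacted afterwards. The log rows are constructed and simplified to four columns; real Zeek dns.log and conn.log files carry many more fields, and the thresholds are placeholders to be tuned against your own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed, simplified dns.log rows: ts, orig_h, query, answer (tab-separated).
DNS_LOG = """\
1548601000.1\t10.0.0.5\twww.example.com\t93.184.216.34
1548601001.2\t10.0.0.5\tmail.example.com\t93.184.216.35
1548601002.3\t10.0.0.9\tz3kq9v2xph7twq8a4n.tun.example.net\t10.9.9.1
1548601003.4\t10.0.0.9\tb82h1v7qa0ml3kzpz4yx.tun.example.net\t10.9.9.2
1548601004.5\t10.0.0.9\tx0p5t7w9q2j6n8m3rdcv.tun.example.net\t10.9.9.3
1548601005.6\t10.0.0.9\tq7m2n4k8d1s6f9g3h5jl.tun.example.net\t10.9.9.4
"""
# Constructed, simplified conn.log rows for the same window: ts, orig_h, resp_h.
CONN_LOG = """\
1548601000.5\t10.0.0.5\t93.184.216.34
1548601001.6\t10.0.0.5\t93.184.216.35
"""

def shannon_entropy(label):
    """Bits per character: encoded/random labels score high, real words low."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def parse_rows(text):
    return [line.split("\t") for line in text.strip().splitlines()]

def host_metrics(dns_log, conn_log):
    """Per-host signals: volume, name length, label entropy, no follow-on connection."""
    contacted = {(r[1], r[2]) for r in parse_rows(conn_log)}
    per_host = defaultdict(list)
    for _, orig_h, query, answer in parse_rows(dns_log):
        per_host[orig_h].append((query, answer))
    metrics = {}
    for host, qs in per_host.items():
        metrics[host] = {
            "queries": len(qs),
            "avg_len": sum(len(q) for q, _ in qs) / len(qs),
            "avg_entropy": sum(shannon_entropy(q.split(".")[0]) for q, _ in qs) / len(qs),
            # Fraction of resolved IPs the host never actually connected to.
            "no_followup": sum((host, a) not in contacted for _, a in qs) / len(qs),
        }
    return metrics

def flag_tunnel_candidates(metrics, baseline_queries=3, max_len=40, max_entropy=3.5):
    """Flag hosts above the volume baseline whose names look random or are never contacted."""
    flagged = []
    for host, m in metrics.items():
        random_names = m["avg_len"] > max_len or m["avg_entropy"] > max_entropy
        if m["queries"] > baseline_queries and (random_names or m["no_followup"] == 1.0):
            flagged.append(host)
    return sorted(flagged)
```

With the constructed rows, 10.0.0.9 is flagged: it exceeds the volume baseline, its labels have high entropy, and none of the answers it received were ever connected to.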
kingwah

On 1/27/2019 at 4:09 PM, kingwah said:

Are there any preventive and detective controls that can effectively deal with DNS tunneling?

Thanks a lot, @bbreer, your points are very good. Very inspiring.

sandramartinez00110

One disadvantage of using a tunneling service through DNS is that it has been shown that the maximum amount of bandwidth you can achieve is around 110 KB/s (kilobytes per second) or 880 Kbps (less than the speed of a T1, or a little bit more than that of a 768 Kbps DSL link), with a latency of 150 ms. In addition, there is nothing wrong with DNS tunneling; like all these old protocols that were designed 25 years ago, they deserve to get exploited for today's use of the Internet. The protocols that are used for today's Internet communications need to be more secure; here we are in 2016 and still using protocols that are considered old school! I think we are getting better with the design of protocols and thinking about security first rather than later.

ONE SIDE NOTE: Make sure you are reading the terms of service of a provider network that you are going to be tunneling your data over; you could be prosecuted for theft of service, just FYI!
