As a Sales Engineer at Infoblox, I’ve had the opportunity to meet thousands of IT and security pros at Fortune 1000 companies. It always amazes me how little attention is given to DNS as a vulnerable protocol. More importantly, it is also surprising to see the lack of awareness and recognition of this issue, even though many attacks in the recent past (e.g., DNS Messenger) have exploited DNS servers. Despite the huge rise in the use of this protocol as a covert channel and an exploitable vulnerability, many IT departments are still debating whether they should take any security measures to stop DNS attacks, and if so what kind of measures to take. This uncertainty can result in a lack of action. Instead they may decide to protect other parts of the stack, such as endpoints, where the impact of the threat is clearer.
While most corporate IT practitioners attempt to wrap their heads around securing the enterprise from DNS exploits, more and more nefarious entities are writing botnets and malware to take advantage of DNS, and using other means, such as DNS tunneling, to exploit this unsecured entry point into the network.
Experience at a Casino
The best part of my job is educating customers on what they are not able to see happening on their network with DNS, especially when they see the data related to exfiltration and DNS tunneling. I was recently working on a Proof of Concept (POC) in Las Vegas at a casino. The customer had almost all the known security measures, such as firewalls (Palo Alto Networks), SIEM (QRadar), IDS/IPS (Sourcefire) and client-based incident response (Carbon Black). However, they were particularly interested in DNS tunneling and data exfiltration. The aim of the POC was to showcase the benefit of using Infoblox security measures to protect recursive DNS traffic (lookups out to the Internet).
As a DNS lookup is the first thing that happens when a user within the company needs to communicate with the Internet, it is a very good first line of defense for stopping malicious traffic and command and control communications. We immediately identified many malware C2 (command and control) sites that their other cybersecurity measures were not finding, but the real fireworks started when we turned on our DNS behavioral analytics and started finding DNS tunnels.
NOTE: DNS tunnels are an advanced covert tactic that uses the DNS protocol as a hidden communication channel for moving data in and out of an organization undetected by security measures. One technique hides the nefarious activity inside prepackaged DNS tunnel software that ships preconfigured with both a client and a server. These packages are easily downloaded from the internet; the most commonly known are DNSCAT, DNSCAT2, SlowDNS and Iodine. The other method is easier and simpler: hiding the data directly in the DNS query itself.
The security department wanted to know why their other equipment was not catching these “query based” tunnels. We validated that the DNS tunnels were real and that the affected workstations had a browser-based add-on that displayed a marketing banner and appeared to be reporting back demographics and purchasing activity. We blocked the tunnel traffic and they were happy. They ended up putting our DNS security solution in their data centers as well as at the 12 sites they could not re-route to a data center due to network connectivity.
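The “query based” tunnels described in the note above, where the payload is encoded into the query name rather than carried by a dedicated tunnel tool, leave measurable fingerprints in a resolver's query log: long, high-entropy leftmost labels, almost no repeated query names under one domain, and a preference for record types such as TXT or NULL that carry bulky answers. The following is an added illustration of that detection idea, not Infoblox code or any description of its behavioral analytics. The flat log format, the sample lines and every threshold are assumptions constructed for the example.

```python
"""Heuristic detector for query-based DNS tunnelling over a flat DNS query log.

Added illustrative example; the log format and thresholds are assumptions,
not any vendor's product logic.
"""
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client-ip> <query-name> <query-type>".
# The hostnames and addresses are invented for this example.
SAMPLE_LOG = """\
2023-01-01T10:00:01 10.1.2.5 www.example.com A
2023-01-01T10:00:02 10.1.2.5 mail.example.com MX
2023-01-01T10:00:03 10.1.2.7 cdn.example.net A
2023-01-01T10:00:04 10.1.2.9 3b9f2ac41e7d0c8e5a6b1f4d.tun.example.org TXT
2023-01-01T10:00:05 10.1.2.9 9e4d7c1a0b5f3e2d8c6a4b1f.tun.example.org TXT
2023-01-01T10:00:06 10.1.2.9 1f0a3e5c7b9d2e4f6a8c0b3d.tun.example.org TXT
2023-01-01T10:00:07 10.1.2.9 c8e2a4f6b0d1e3c5a7f9b2d4.tun.example.org TXT
2023-01-01T10:00:08 10.1.2.9 5d7b9f1c3e0a2c4e6b8d0f2a.tun.example.org TXT
2023-01-01T10:00:09 10.1.2.5 login.example.com A
"""

# Assumed thresholds; tune them against a baseline of your own normal traffic.
MIN_QUERIES = 5             # ignore domains with too little traffic to judge
MIN_AVG_SUBDOMAIN_LEN = 20  # ordinary hostnames are short; encoded payloads are long
MIN_AVG_ENTROPY = 3.5       # bits per character; hex/base32/base64 payloads run high
MIN_UNIQUE_RATIO = 0.8      # tunnels rarely repeat a name (resolver caching would defeat them)


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive 'last two labels' split; use the Public Suffix List in production."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text):
    """Parse the flat log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def score_domains(records):
    """Aggregate per registered domain and return {domain: metrics}."""
    agg = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                               "sub_len": 0, "entropy": 0.0, "txt_null": 0})
    for r in records:
        dom = registered_domain(r["qname"])
        sub = r["qname"][: -len(dom)].rstrip(".")  # everything left of the registered domain
        a = agg[dom]
        a["queries"] += 1
        a["subdomains"].add(sub)
        a["sub_len"] += len(sub)
        a["entropy"] += shannon_entropy(sub.replace(".", ""))
        if r["qtype"] in ("TXT", "NULL"):  # record types that can carry bulky answers
            a["txt_null"] += 1
    report = {}
    for dom, a in agg.items():
        n = a["queries"]
        m = {
            "queries": n,
            "avg_subdomain_len": a["sub_len"] / n,
            "avg_entropy": a["entropy"] / n,
            "unique_ratio": len(a["subdomains"]) / n,
            "txt_null_ratio": a["txt_null"] / n,
        }
        m["suspicious"] = (n >= MIN_QUERIES
                           and m["avg_subdomain_len"] >= MIN_AVG_SUBDOMAIN_LEN
                           and m["avg_entropy"] >= MIN_AVG_ENTROPY
                           and m["unique_ratio"] >= MIN_UNIQUE_RATIO)
        report[dom] = m
    return report


def flagged_domains(log_text=SAMPLE_LOG):
    """Sorted list of registered domains the heuristics flag in `log_text`."""
    return sorted(d for d, m in score_domains(parse_log(log_text)).items() if m["suspicious"])


if __name__ == "__main__":
    for dom, m in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{dom:15s} queries={m['queries']:2d} len={m['avg_subdomain_len']:5.1f} "
              f"entropy={m['avg_entropy']:4.2f} unique={m['unique_ratio']:.2f} "
              f"txt/null={m['txt_null_ratio']:.2f} suspicious={m['suspicious']}")
```

On the constructed sample, only example.org trips all three conditions at once (five distinct 28-character subdomains, entropy above 4 bits per character, every query a TXT lookup), while the ordinary lookups under example.com stay well below every threshold. Requiring the conditions jointly rather than singly is what keeps CDN and cloud hostnames, which are long but repetitive and low-entropy, from producing false positives; the txt_null_ratio is reported as supporting evidence for an analyst rather than used as a gate, since a tunnel can just as well be driven over A or CNAME queries.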
In the last year, I’ve seen internally launched DNS reflection attacks, orchestrated by botnets, that took down a network; undetected DNS tunnels being used by gaming devices; and one of my colleagues helped an oil company stop Anonymous (a loosely associated international network of activist and hacktivist entities) as they attempted to use DNS to steal (exfiltrate) data out of the customer’s network.
DNS is one of the most useful and necessary protocols on the planet. It’s an infrastructure service and it is essential to most companies, but left unprotected it can be used as a powerful weapon to bypass all other security measures. Don’t let your DNS traffic go unexamined: firewalls and endpoint security are very important, but they will not protect your data from unprotected DNS traffic!