Solution Briefs

DNS Tunneling

Issue link: https://learn-umbrella.cisco.com/i/775902

Solution brief: Cisco Umbrella DNS Tunneling
How to stop attackers from using port 53 for data exfiltration and command & control callbacks

Cisco Umbrella global network: In 2006, we started building the world's largest internet security network to acquire global intelligence. Today, over 90 million daily active users across 160+ countries point their DNS traffic to Cisco Umbrella, which gives us visibility into more than 175 billion internet requests daily.

Address your DNS blind spot by enforcing security over port 53 both on and off the corporate network. Cisco Umbrella analyzes internet activity to uncover known and emergent threats and protects users anywhere they go. Together, these capabilities power Umbrella to predict and prevent DNS tunneling attacks before they happen.

What is DNS tunneling?

DNS tunneling uses the DNS protocol to carry non-DNS traffic over port 53: HTTP and other protocol traffic is encoded into DNS queries and responses. There are various legitimate reasons to use DNS tunneling. For example, DNS tunneling is often used as a login mechanism for hotspot security controls at airports or hotels to access the internet. DNS tunneling is also used by some antivirus products to look up signatures for files. However, DNS tunneling and DNS-based VPN services are also used for malicious purposes:

• Data exfiltration: attackers encode data in outbound DNS requests to specialized infrastructure. These queries are decoded and joined to reconstruct the exfiltrated data.
• Command and control callbacks: attackers send commands in DNS responses to compromised systems, allowing remote management of an infected device.
• Guest WiFi abuse: users install a free DNS tunneling tool, such as Iodine or Tunnel Guru, to bypass the network authorization infrastructure in order to obtain free internet access in hotels and airports (see figure 3).
• IT policy avoidance: users install a free DNS tunneling tool, such as Iodine, to bypass IT policies and/or monitoring (see figure 3).

© 2019 Cisco and/or its affiliates. All rights reserved.

Is it a theoretical threat?

No. Since 2011, security researchers have published several papers and blog posts on malware (e.g. "Morto", "Feederbot") that uses DNS tunneling to add stealth to command & control (C2) callbacks. Since 2016, "FrameworkPOS", a popular malicious payload for point-of-sale systems, has used DNS tunneling to exfiltrate credit card data.

How does it work?

Attackers know that enterprise network defenses allow DNS traffic over port 53. So DNS requests are manipulated to exfiltrate data from a compromised system to the attacker's infrastructure, and in some cases DNS responses are manipulated to carry C2 commands from the attacker's infrastructure back to the compromised system. The compromised host does not need to reach the attacker directly: its queries for names under an attacker-controlled domain travel through the organization's own recursive resolver to the attacker's authoritative name server for that domain, so a perimeter firewall that permits resolver traffic on port 53 sees nothing unusual. The next page provides a step-by-step explanation.

What are examples of DNS abuse?

The following are the most common types of DNS abuse:
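The exfiltration mechanism described above (data encoded into outbound query names, then decoded and joined by the attacker's name server) together with the signals a defender can derive from resolver query logs, as an added example that is not part of Cisco's brief or of Umbrella's code. The tunnel domain tunnel-example.net, the payload bytes and the benign log lines are constructed for this example; the log line format "<qname> <qtype>", the base32 chunking scheme and the detection thresholds are assumptions chosen here, and the apex-domain helper deliberately ignores public-suffix rules:

```python
import base64
import math
from collections import defaultdict

LABEL_MAX = 63   # RFC 1035 maximum label length
NAME_MAX = 253   # RFC 1035 maximum name length in text form


def shannon_entropy(s):
    """Entropy in bits per character: encoded data scores high, real hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# --- Tunnel side: what the malware on the compromised host does -------------

def encode_exfil_queries(data, tunnel_domain, chunk_size=32):
    """Split data into base32 chunks (hostname-safe alphabet) and return one
    query name per chunk, '<seq>.<chunk>.<tunnel_domain>'. The sequence label
    lets the receiving name server reorder and join the chunks (assumed scheme)."""
    assert chunk_size <= LABEL_MAX
    encoded = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    chunks = [encoded[i:i + chunk_size] for i in range(0, len(encoded), chunk_size)]
    names = ["%d.%s.%s" % (seq, chunk, tunnel_domain) for seq, chunk in enumerate(chunks)]
    assert all(len(n) <= NAME_MAX for n in names)
    return names


def decode_exfil_queries(names, tunnel_domain):
    """What the attacker's authoritative server for tunnel_domain does with the
    queries it receives: strip the suffix, order by sequence, join, decode."""
    suffix = "." + tunnel_domain
    parts = {}
    for name in names:
        seq, chunk = name[:-len(suffix)].split(".", 1)
        parts[int(seq)] = chunk
    joined = "".join(parts[i] for i in sorted(parts)).upper()
    joined += "=" * (-len(joined) % 8)   # restore the base32 padding stripped above
    return base64.b32decode(joined)


# --- Resolver side: what a defender can compute from query logs ------------

def apex_domain(qname):
    """Crude registered-domain guess (last two labels). A real detector would use
    a public-suffix list so that e.g. 'co.uk' is not treated as an apex."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_tunneling(log_lines, min_queries=10, min_unique_ratio=0.9,
                     min_label_len=25, min_entropy=3.0):
    """Score every apex domain in the log on the classic tunneling signals: many
    queries, nearly all for never-before-seen subdomains, long labels, and
    high-entropy labels. Log line format (constructed): '<qname> <qtype>'."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in log_lines:
        qname, qtype = line.split()
        apex = apex_domain(qname)
        sub = qname[:-len(apex) - 1] if qname != apex else ""
        longest = max(sub.split("."), key=len) if sub else ""
        s = stats[apex]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(longest)
        s["ent"] += shannon_entropy(longest)
        if qtype in ("TXT", "NULL"):   # record types tunnels favour for downstream capacity
            s["txt"] += 1
    verdicts = {}
    for apex, s in stats.items():
        n = s["n"]
        unique_ratio, mean_len, mean_ent = len(s["subs"]) / n, s["len"] / n, s["ent"] / n
        verdicts[apex] = {
            "queries": n,
            "unique_ratio": round(unique_ratio, 2),
            "mean_label_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            "txt_ratio": round(s["txt"] / n, 2),
            "suspicious": (n >= min_queries and unique_ratio >= min_unique_ratio
                           and mean_len >= min_label_len and mean_ent >= min_entropy),
        }
    return verdicts


TUNNEL_DOMAIN = "tunnel-example.net"   # constructed attacker-controlled domain
# Constructed stand-in for an encrypted/compressed record the malware wants to exfiltrate.
SAMPLE_PAYLOAD = bytes((i * 37 + 11) % 256 for i in range(250))
# Constructed benign queries from an ordinary host: few, short, reused subdomains.
BENIGN_LOG = [
    "www.example.com A", "www.example.com A", "mail.example.com A",
    "cdn.example.com A", "www.example.com AAAA", "api.example.com A",
    "www.example.com A", "cdn.example.com A", "mail.example.com A",
    "api.example.com A", "www.example.com A", "example.com MX",
]


def run_demo():
    """Encode the payload as the malware would, mix it into the benign log, run the detector."""
    tunnel_queries = encode_exfil_queries(SAMPLE_PAYLOAD, TUNNEL_DOMAIN)
    assert decode_exfil_queries(tunnel_queries, TUNNEL_DOMAIN) == SAMPLE_PAYLOAD
    log = BENIGN_LOG + ["%s TXT" % q for q in tunnel_queries]
    return detect_tunneling(log)


if __name__ == "__main__":
    for apex, verdict in run_demo().items():
        print(apex, verdict)
```

Running the script flags tunnel-example.net and clears example.com. The signals are chosen because a tunnel cannot hide them: each upstream chunk must be a new name (otherwise the resolver answers from cache and the attacker's server never sees it), the chunk must be long to get any throughput, and encoded data has high entropy. The same signals will also fire on the legitimate DNS-based services the brief mentions, such as antivirus signature lookups, so a production detector keys its statistics per client and time window and allow-lists known legitimate tunnel domains rather than blocking on score alone.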
