Deep dive into DNS Tunneling

Gupta Bless
5 min read · Oct 8, 2023

Introduction

DNS tunneling is a method cybercriminals employ to circumvent security controls. By riding on the DNS protocol, the attacker can send data that has nothing to do with ordinary DNS queries or responses. Once the security safeguards have been bypassed in this way, attackers are able to exfiltrate sensitive data from the server.

In everyday conversation it’s perfectly acceptable to say something like “my friend saw you at the park”. But if we don’t want anyone to see the real request, we can hide some extra information inside that ordinary message, so that it still looks like a note about a meeting in the park. An attacker uses a DNS tunnel in the same way: to remain unnoticed while stealing sensitive data from inside the target firm. DNS tunneling is analogous to sending covert communications that appear to be harmless chatter, with DNS as the carrier of the secret.

How DNS tunneling is used to bypass network restrictions


Sometimes we find that certain online resources are blocked in public settings such as schools and offices: administrators there implement firewalls and content filters to restrict access to such websites. The following describes how DNS tunneling can be used to reach these resources anyway.

To get around the block, our machine makes a DNS request to a DNS server, asking it to resolve “facebook.com” to an IP address. Resolving names is the core job of a DNS server, but the IP address that is returned is then blocked by the network’s firewall. To reach the website we can instead send the DNS server a request that, rather than being a standard lookup, carries encrypted data relating to the website, such as the IP address of a proxy server. When the request is inspected it looks like a normal query, but it actually contains instructions to reach the restricted domain via the proxy. DNS servers, seeing the proxy server’s IP address, will usually let the request proceed through it because it appears to be a valid DNS query. Users are now able to gain unrestricted…
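What a defender can look for follows from the mechanism just described: whatever the tunnel carries has to be encoded into the query name itself, so it shows up in resolver logs as unusually long, high-entropy labels under one parent domain, often with record types such as TXT or NULL that can carry a large answer back. The script below is an added example, not code from the article or its author: it parses a handful of constructed BIND-style query-log lines and scores each (client, base domain) pair on those features. The log line format, the domain names (under the reserved `.example` TLD), the thresholds, and the "last two labels" rule for the base domain are all assumptions made for the example.

```python
"""Heuristic DNS-tunnel detection over a constructed BIND-style query log.

Added example, not the article's own code. Assumes a BIND-like query-log
line format and a simplistic "last two labels" notion of the base domain
(a real deployment would consult a public-suffix list).
"""
import math
import re
from collections import defaultdict

# Constructed sample log lines, not real traffic. Client 10.0.0.5 does
# ordinary lookups; client 10.0.0.7 sends a burst of long, high-entropy TXT
# queries under one parent domain, which is the shape a tunnel produces.
SAMPLE_LOG = """\
08-Oct-2023 10:01:02.123 client 10.0.0.5#51234: query: www.example.com IN A +
08-Oct-2023 10:01:03.456 client 10.0.0.5#51235: query: mail.example.com IN MX +
08-Oct-2023 10:01:04.001 client 10.0.0.5#51236: query: cdn.static-assets.example IN AAAA +
08-Oct-2023 10:01:04.789 client 10.0.0.7#40001: query: 4d7a5a6b1c2d3e4f5a6b7c8d9e0f1a2b.t.tunnel-test.example IN TXT +
08-Oct-2023 10:01:05.001 client 10.0.0.7#40002: query: 9f8e7d6c5b4a39281706f5e4d3c2b1a0.t.tunnel-test.example IN TXT +
08-Oct-2023 10:01:05.210 client 10.0.0.7#40003: query: 0a1b2c3d4e5f60718293a4b5c6d7e8f9.t.tunnel-test.example IN TXT +
08-Oct-2023 10:01:05.430 client 10.0.0.7#40004: query: f1e2d3c4b5a6978869504132a0b1c2d3.t.tunnel-test.example IN TXT +
08-Oct-2023 10:01:05.650 client 10.0.0.7#40005: query: 77aa88bb99cc00dd11ee22ff33445566.t.tunnel-test.example IN TXT +
"""

# Record types whose answers can carry a large payload; a heuristic choice.
BULKY_TYPES = {"TXT", "NULL"}

LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return one dict (client, qname, qtype) per parsable line; others are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            records.append(rec)
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, base domain) using the last two labels."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_features(qname, qtype):
    """Per-query features: the subdomain is where tunnelled data would live."""
    sub, base = split_name(qname)
    payload = sub.replace(".", "")  # label text only; the dots carry no data
    return {
        "base": base,
        "sub_len": len(payload),
        "entropy": shannon_entropy(payload),
        "bulky_type": qtype.upper() in BULKY_TYPES,
    }


def find_tunnel_suspects(records, min_queries=3, min_len=20, min_entropy=3.0):
    """Group queries by (client, base domain) and flag groups that look like a tunnel.

    A group is flagged when it has at least min_queries queries whose subdomains
    are on average both long (>= min_len characters) and high-entropy
    (>= min_entropy bits/char). The ratio of bulky record types is reported
    as supporting evidence but not required, since some tunnels use A records.
    """
    groups = defaultdict(list)
    for r in records:
        f = query_features(r["qname"], r["qtype"])
        groups[(r["client"], f["base"])].append(f)

    suspects = {}
    for key, feats in groups.items():
        n = len(feats)
        mean_len = sum(f["sub_len"] for f in feats) / n
        mean_ent = sum(f["entropy"] for f in feats) / n
        bulky_ratio = sum(f["bulky_type"] for f in feats) / n
        if n >= min_queries and mean_len >= min_len and mean_ent >= min_entropy:
            suspects[key] = {
                "queries": n,
                "mean_sub_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "bulky_type_ratio": round(bulky_ratio, 2),
            }
    return suspects


if __name__ == "__main__":
    for (client, base), info in find_tunnel_suspects(parse_query_log(SAMPLE_LOG)).items():
        print(f"SUSPECT client={client} domain={base} {info}")
```

The thresholds are deliberately conservative: a single long hostname under a CDN is not enough to trigger, because the rule needs a sustained series of long, random-looking labels under the same parent domain from the same client. In practice the same features (label length, entropy, query count per base domain, record-type mix) are what commercial DNS security products score, and the group key is what you would pivot on when triaging a hit.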


Gupta Bless: security enthusiast working to secure the web for others.