DNS Tunnelling

25 Aug

A recent project at Nexor required us to look at the challenges of providing access to the DNS from a secure environment. It reminded me of the issues related to DNS tunnelling.


DNS tunnelling enables a user to run a full TCP/IP stack over the top of the DNS protocol. This is especially useful when a firewall is blocking outbound ports.

DNS tunnelling is not new, and is surprisingly simple to do. For example, the following DNS query:

secret_data_sent_via_dns.infoleak.nexor.com

This query passes the message ‘secret_data_sent_via_dns’ to the server infoleak.nexor.com (data leaving the network). The server might respond:

Response.infoleak.nexor.com. 0 IN TXT "Message received – thanks"

Thus two-way data communication has occurred. Once you have two-way communication, you can run any communication protocol of your choice, including TCP/IP.

Sadly, DNS tunnelling means a firewall is now pretty much useless as a tool to control the network traffic that leaves a business. An attacker who has managed to get software to execute on the inside of a firewall can use the DNS to set up a communication tunnel to get data out (or more malware in).
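
From the defender's side, the query pattern shown above leaves a trace in resolver logs: many unique, long, high-entropy names under a single parent zone. The following is an added example, not code from the original post, that flags such zones; the sample log entries, the three thresholds and the two-label zone split are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver-log sample: (client IP, queried name). Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.org"),
    ("10.0.0.5", "mail.example.org"),
    ("10.0.0.6", "intranet.example.org"),
    ("10.0.0.7", "secret_data_sent_via_dns.infoleak.nexor.com"),
    ("10.0.0.7", "0f3a9c71b2e84d56a0c1f7e29b3d48aa.infoleak.nexor.com"),
    ("10.0.0.7", "7be1d04c95a2f368e1b07c4d2a9f5e63.infoleak.nexor.com"),
]

def shannon_entropy(text):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def split_name(qname, zone_labels=2):
    """Split a query name into (leading labels, parent zone).
    Assumption: the parent zone is the last two labels; a production
    version would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def suspicious_zones(queries, min_unique=3, min_avg_len=20, min_entropy=3.0):
    """Return {zone: stats} for zones whose subdomains look like a data channel.
    The three thresholds are illustrative assumptions to tune per network."""
    seen = defaultdict(lambda: {"names": set(), "clients": set()})
    for client, qname in queries:
        leading, zone = split_name(qname)
        if leading:
            seen[zone]["names"].add(leading)
            seen[zone]["clients"].add(client)
    flagged = {}
    for zone, info in seen.items():
        names = info["names"]
        avg_len = sum(map(len, names)) / len(names)
        avg_entropy = sum(map(shannon_entropy, names)) / len(names)
        if len(names) >= min_unique and avg_len >= min_avg_len and avg_entropy >= min_entropy:
            flagged[zone] = {"unique_names": len(names), "avg_len": round(avg_len, 1),
                             "clients": sorted(info["clients"])}
    return flagged

if __name__ == "__main__":
    for zone, stats in suspicious_zones(SAMPLE_QUERIES).items():
        print(zone, stats)
```

On the constructed sample only nexor.com is reported, together with the internal client that issued the queries; the ordinary example.org lookups fall below the length threshold.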

Is this a problem that concerns your business? If so, contact Nexor to find out how we can help solve the problem.
