DNS has long been used as a way of sending data out of a network, largely because of how open port 53 tends to be on any network. All firewalls and in-line perimeter systems leave DNS well alone because networks need access out on that port. DNS is therefore perfect as a data theft method: it’s always open, and it can be misused. As a result, there’s a reasonably good chance that exfiltrating data over DNS won’t be detected by most enterprise networks. Granted, you’re unlikely to see fast data transfers using the protocol, but many attackers are willing to take the increased stealth as a trade-off.
The most effective way of defending against this type of attack is to use proxies, so that you control DNS traffic and have an opportunity to stop suspicious traffic being sent. In most large network environments this isn’t possible, and whitelisting safe domains is ultimately too restrictive, so data theft needs to be detected even when it travels through a normal, open port 53.
But what can you do to protect against data leaving your network via DNS tunnelling? There are two ways to detect it: Policy or Behaviour.
Policy and Signatures
Blocking DNS activity based on an existing policy is very much the traditional approach to protection: understanding where the traffic is being directed, checking it against a blacklist, and blocking as necessary. Some major perimeter protection systems have this type of protection by default, but the ease of setting up DNS servers means that the blacklist will always be playing catch-up, leaving this approach vulnerable to targeted attacks.
If you have network monitoring that includes an inspection system that looks at the content leaving via DNS, then you may be able to effectively profile the traffic that leaves your network over port 53. DNS misuse may be very obvious at high data rates; however, it is more difficult to find at lower data rates, so looking for misuse of DNS should be a routine exercise for analysts monitoring a network.
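One way an analyst could profile the content of outbound DNS queries as described above (an added example, not code from the original article): it aggregates query names per parent domain over the whole window, so a slow trickle still accumulates, and flags domains that receive many unique, long, high-entropy subdomains. The sample queries, the thresholds and the two-label parent-domain split are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query names (not captured traffic).
SAMPLE_QUERIES = [
    "www.example.com", "www.example.com", "mail.example.com",
    "static.example.com", "www.example.com",
    "api.example.net", "cdn.example.net", "api.example.net",
    "mzxw6ytboi4dqmzrgq2tmnzyhe3dknrx.example.org",
    "gezdgnbvgy3tqojqmfrggzdfmztwq2lk.example.org",
    "nbswy3dpeb3w64tmmqqho2lunaqgk3tu.example.org",
    "orugs4zanfzsayjaorsxg5banvsxg43b.example.org",
]
# Assumed starting thresholds; tune them against your own baseline traffic.
MIN_UNIQUE, MIN_MEAN_LEN, MIN_MEAN_ENTROPY = 4, 20, 3.5

def shannon_entropy(text):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    total = len(text) or 1
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def split_name(qname):
    """Split into (parent, subdomain); assumes 2-label parent, not the PSL."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def profile(queries):
    """Aggregate per parent domain over the whole window, whatever the rate."""
    subs_by_parent = defaultdict(list)
    for qname in queries:
        parent, sub = split_name(qname)
        subs_by_parent[parent].append(sub)
    return {
        parent: {
            "queries": len(subs),
            "unique_subdomains": len(set(subs)),
            "payload_bytes": sum(map(len, subs)),
            "mean_len": sum(map(len, subs)) / len(subs),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
        }
        for parent, subs in subs_by_parent.items()
    }

def suspicious(stats):
    """Parent domains receiving many unique, long, high-entropy subdomains."""
    return sorted(p for p, s in stats.items()
                  if s["unique_subdomains"] >= MIN_UNIQUE
                  and s["mean_len"] >= MIN_MEAN_LEN
                  and s["mean_entropy"] >= MIN_MEAN_ENTROPY)
```

Calling `suspicious(profile(SAMPLE_QUERIES))` on the constructed sample flags only `example.org`; in practice the input would be query names pulled from resolver or sensor logs over a window long enough to catch slow transfers.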