DNS Tunneling
1. Domain Name System (DNS) tunneling establishes an unintended communication channel, carried inside ordinary DNS queries and responses, to a command-and-control (C2) server and/or to exfiltrate data.
Related Term: Configuration Exploitation
2. The Domain Name System (DNS) enables people and machines to communicate across the internet. DNS essentially translates human-friendly domain names into machine-friendly IP addresses, and vice versa. DNS tunneling is characterized by establishing an unintended communication channel to a C2 server and/or to exfiltrate data. This type of tunneling is often conducted on networks with strict security controls, as the pervasiveness of DNS means it is often allowed on highly restrictive networks. The DNS protocol was never intended for data transfer (let alone for nefarious C2 activities), and as such, it is often forgotten about from a network security/monitoring standpoint. Manipulating DNS is nothing new, and is certainly something we have seen in various engagements over the years; nonetheless, it remains a lucrative means for miscreants to siphon off sought-after data. Because of this, we consider DNS tunneling as a lethal data breach scenario.
Source: (Verizon, 2016)
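The definitions above describe the channel but not how data actually fits into it, or what a defender should look for. The following worked example is added here and is not part of the Verizon text: it packs a payload into base32 subdomain labels under an attacker-controlled domain (the domain name exfil.test, the payload and the resolver log lines are all constructed for illustration), reassembles it as a receiving server would, and then runs a simple detector over the log lines that groups queries by registered domain and flags domains whose subdomains are numerous, long and high-entropy. The thresholds and the two-label approximation of a "registered domain" are assumptions; a production detector would use the Public Suffix List and tune thresholds against its own traffic.

```python
"""Added example: DNS tunneling encoder/decoder and a log-based detector.
Not from the Verizon DBIR; domain, payload and log lines are constructed."""
import base64
import math
import re
from collections import defaultdict

MAX_LABEL = 63  # RFC 1035: a single label is at most 63 octets


def encode_chunks(data: bytes, domain: str, chunk_size: int = 30) -> list:
    """Split data into base32 labels under the attacker's domain.
    30 bytes -> 48 base32 characters, safely under the 63-octet label limit.
    Each query name carries a sequence label so the receiver can reorder
    responses that arrive out of order."""
    names = []
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        label = base64.b32encode(piece).decode().rstrip("=").lower()
        assert len(label) <= MAX_LABEL
        names.append(f"{i // chunk_size}.{label}.{domain}")
    return names


def decode_chunks(names: list, domain: str) -> bytes:
    """Receiver side: strip the domain, sort by sequence, re-pad and decode."""
    pieces = {}
    suffix = "." + domain
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, label = name[:-len(suffix)].split(".", 1)
        pad = "=" * (-len(label) % 8)  # base32 needs a multiple of 8 chars
        pieces[int(seq)] = base64.b32decode(label.upper() + pad)
    return b"".join(pieces[k] for k in sorted(pieces))


# Constructed resolver log format: "<ts> <client> query: <qname> IN <qtype>"
LOG_RE = re.compile(r"^(\S+) (\S+) query: (\S+) IN (\S+)$")
SECRET = b"constructed sample payload: " * 8   # 224 bytes -> 8 query names


def build_sample_log() -> list:
    """Benign queries to example.com plus the tunnel queries to exfil.test."""
    lines = [f"2016-04-01T10:00:0{i}Z 10.0.0.5 query: {sub}.example.com IN A"
             for i, sub in enumerate(["www", "mail", "api", "cdn", "static", "img"])]
    for n in encode_chunks(SECRET, "exfil.test"):
        lines.append(f"2016-04-01T10:01:00Z 10.0.0.5 query: {n} IN TXT")
    return lines


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: last two labels. Real code should use the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_queries(log_lines, min_unique=5, max_mean_len=30.0, min_entropy=3.5):
    """Group queries by registered domain and flag domains whose subdomains
    look like encoded payload: many distinct, long, high-entropy names."""
    per_domain = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group(3).lower().rstrip(".")
        dom = registered_domain(qname)
        sub = qname[:-len(dom)].rstrip(".") if qname != dom else ""
        if sub:
            per_domain[dom].add(sub)
    flagged = {}
    for dom, subs in per_domain.items():
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and (mean_len > max_mean_len or mean_ent > min_entropy):
            flagged[dom] = {"unique": len(subs), "mean_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged


if __name__ == "__main__":
    names = encode_chunks(SECRET, "exfil.test")
    print(names[0])
    print(decode_chunks(names, "exfil.test") == SECRET)
    print(score_queries(build_sample_log()))
```

Running the block prints one of the tunnel query names, confirms the round trip, and lists exfil.test as flagged while example.com (six short, low-entropy subdomains) is not. The detector deliberately requires both volume and label shape: a CDN with many short hostnames or a single long but benign record should not trip it on its own.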