Mar 30 2022

DNS Tunneling vs DNS Spoofing: What Are These Attacks & How Can Agencies Defend Them?

The shift to zero trust will require agencies to encrypt Domain Name System traffic, but they should also be working to defend against other DNS-related cyberattacks.

The Office of Management and Budget’s final guidance on agencies’ shift to zero-trust architectures for cybersecurity, released in January, contained a few notable updates from the draft guidance issued in 2021.

As FCW reports, one of the new requirements OMB placed on agencies included “encrypting DNS requests and HTTP traffic, while subjecting all applications to rigorous testing and vulnerability assessments.” DNS stands for Domain Name System, a protocol that translates website domain names into IP addresses so that browsers can load internet resources. DNS is a foundational element of the modern internet, and DNS traffic is among the most trusted kinds of web traffic. It also is therefore a ripe target for cyberattackers.

Indeed, the guidance says that agencies must “resolve DNS queries using encrypted DNS wherever it is technically supported” and that agency DNS resolvers must support standard encrypted DNS protocols (DNS over HTTPS or DNS over TLS) and must use them to communicate with upstream DNS resolvers. A DNS resolver is a server that sends requests for IP addresses to root and top-level domain servers.

Two of the major concerns that cybersecurity experts have around DNS are DNS spoofing and DNS tunneling, different forms of an attack in which malicious actors seek to leverage the role DNS traffic plays in the functioning of the internet to stage cyberattacks. As agencies work to implement their zero-trust architectures before a Sept. 30, 2024, deadline, they will need to both encrypt DNS traffic and protect networks from harmful DNS exploits.

Click the banner below to get access to exclusive cybersecurity content by becoming an Insider.

What Is DNS Spoofing?

Like many early elements of the internet, DNS was not designed with security in mind. Still, DNS security is becoming more crucial.

Most DNS attacks occur when users think they are going somewhere safe on the internet and enter their credentials. This is the vulnerability that DNS spoofing seeks to exploit.

As a Proofpoint webpage notes, DNS spoofing is “the process of poisoning entries on a DNS server to redirect a targeted user to a malicious website under attacker control.”

This typically — but not always — happens on public Wi-Fi networks, Proofpoint notes. However, DNS spoofing can occur in any situation “where the attacker can poison ARP (Address Resolution Protocol) tables and force targeted user devices into using the attacker-controlled machine as the server for a specific website.”

RELATED: Follow these three tips when adopting zero trust.

“For example, let’s say a user wants to access a commonly used website. That person would type the website address into the browser bar,” Steve Thamasett, a senior security solutions architect at CDW•G, has written on FedTech. “A malicious actor could poison the cache of the DNS server where the user’s browser is connecting. The user’s browser bar would say the correct website, but he or she would actually be connected to a malicious site that delivers malicious content or harvests credentials.”

Such attacks can trick users into installing malware or divulging sensitive information, Proofpoint notes. “Since DNS is a critical part of Internet communication, poisoning entries give an attacker the perfect phishing scenario to collect sensitive data,” the company notes. “The threat actor can collect passwords, banking information, credit card numbers, contact information, and geographic data.”

And, importantly for federal agencies, Proofpoint notes that “with enough stolen information, an attacker could open other accounts under the targeted victim’s name or authenticate into legitimate accounts to steal more information or money.”

MORE FROM FEDTECH: Learn how to get your agency started on the road to zero trust.

What Is DNS Tunneling?

Since DNS traffic is widely trusted on the internet, many organizations “allow it to pass through their firewall (both inbound and outbound) because it is necessary for their internal employees to visit external sites and for external users to find their website,” cybersecurity firm Check Point notes on its website.

DNS tunneling is a type of attack used to tunnel malware and other data through a client-server model, according to a blog from Palo Alto Networks.

First, the attacker registers a domain, or new website, and that domain’s name server points to the attacker’s server, where a tunneling malware program is installed, according to Palo Alto Networks.

From there, the attacker works to “infect a computer, which often sits behind a company’s firewall, with malware. Because DNS requests are always allowed to move in and out of the firewall, the infected computer is allowed to send a query to the DNS resolver.”

From there according to Palo Alto Networks, the DNS resolver “routes the query to the attacker’s command-and-control server, where the tunneling program is installed.”

DIVE DEEPER: How can network behavior monitoring enable zero trust?

Thus, a connection is created between the target computer and the attacker through the DNS resolver. “This tunnel can be used to exfiltrate data or for other malicious purposes,” the blog says. “Because there is no direct connection between the attacker and victim, it is more difficult to trace the attacker’s computer.”

In DNS tunneling attacks, Check Point notes, “inbound DNS traffic can carry commands to the malware, while outbound traffic can exfiltrate sensitive data or provide responses to the malware operator’s requests.”

“This works because DNS is a very flexible protocol. There are very few restrictions on the data that a DNS request contains because it is designed to look for domain names of websites,” according to Check Point. “Since almost anything can be a domain name, these fields can be used to carry sensitive information. These requests are designed to go to attacker-controlled DNS servers, ensuring that they can receive the requests and respond in the corresponding DNS replies.”

EXPLORE: Create a zero-trust environment among users as well as on your network.

How Can DNS Spoofing and Tunneling Be Prevented?

Agencies can take a variety of approaches to defend themselves against DNS spoofing and tunneling.

DNS security tools can add a “cryptographic signature to the entries required by resolvers before they accept DNS lookups as authentic,” Proofpoint notes, regarding spoofing defenses.

Encrypting DNS, as agencies are required to do in the shift to zero trust, can also help.

“Standard DNS is not encrypted, and it’s not programmed to ensure that changes and resolved lookups are from legitimate servers and users,” Proofpoint says. DNS security “adds a signature component to the process that verifies updates and ensures that DNS spoofing is blocked.”

Agency endpoints are going to be required to support encrypted DNS in “supporting applications (for example, web browsers) and at the operating system level wherever these features are available,” according to the zero-trust guidance.

“If agencies use custom-developed software to initiate DNS requests, they must implement support for encrypted DNS,” OMB adds. “Agencies should explicitly configure endpoints to use agency-designated encrypted DNS servers, rather than relying on automatic network discovery.”

LEARN MORE: How will agencies approach zero trust in 2022?

Agencies can continue to identify and log the contents of encrypted DNS requests “by accessing this information at the agency’s designated DNS resolvers.”

To guard against DNS tunneling, agencies should be on guard for several factors, including unusual domain requests, requests for an unusual domain inside an agency and high DNS traffic volume.

“Protecting against DNS tunneling requires an advanced network threat prevention system capable of detecting and blocking this attempted data exfiltration,” Check Point notes. “Such a system needs to perform inspection of network traffic and have access to robust threat intelligence to support identification of traffic directed toward malicious domains and malicious content that may be embedded within DNS traffic.”

Agencies should also leverage threat intelligence tools from vendors such as Fortinet, the company notes in a blog post. Threat intelligence can help agencies identify previously discovered DNS tunneling attacks and points of origin.

“Some solutions, such as Cisco Umbrella, have an agent that can go on users’ endpoints, pushing the security controls down to the device,” Thamasett says. “Agents can report back on traffic and behavior, so depending on the maturity of an agency’s IT security team, they can appropriately analyze such data and put together a holistic picture of their remote workforce.”

matejmo/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT