DNS Tunneling Abuse: The Latest Trend in Tracking and Scanning Victims

Attackers have expanded their abuse of DNS traffic beyond the traditional use of DNS tunneling as a covert channel. Recent research by Palo Alto Networks’ Unit 42 reveals new tactics in which DNS tunneling is used not only for command-and-control (C2) communication but also for tracking victims’ activities and scanning their network infrastructure.

Traditionally, DNS tunneling has been used to sneak malicious data past network defenses by embedding it in DNS traffic. This covert communication method lets attackers hide their activity among legitimate queries, making detection difficult. Because UDP port 53 is commonly allowed through firewalls, the traffic rarely draws attention, and the data is encoded inside the DNS queries themselves so that they appear innocuous.

In the new approach identified by Unit 42, DNS tunneling is repurposed for tracking victims’ behavior and scanning their networks. Attackers encode information about specific users into subdomains of DNS queries, effectively tracking their interactions. In one campaign, dubbed “TRkCdn,” attackers targeted potential victims by embedding tracking information in DNS queries, likely to monitor email interactions. Another campaign, “SpamTracker,” similarly used DNS tunneling to track spam delivery.
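Both the classic tunneling described above and the tracking variant share one observable trait on the defender's side: the payload rides in subdomain labels that are unusually long, high-entropy, and unique per query, all under a single registered domain. The following detection sketch is an added example written for this article, not code from Unit 42 or the article's author. It runs a label-length/entropy heuristic plus a per-domain unique-subdomain count over a handful of constructed resolver log lines (the hostnames and client addresses are made up for illustration); the thresholds are assumed starting points that a real deployment would tune against its own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic): "<client_ip> <queried_name>".
# The last four entries mimic per-recipient identifiers encoded as subdomains.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 cdn.example.net
10.0.0.9 4f3a9c1e7b2d8a0f6c5e1d2b3a4f5e6d.track.example-tracker.test
10.0.0.9 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e.track.example-tracker.test
10.0.0.9 0a1b2c3d4e5f60718293a4b5c6d7e8f9.track.example-tracker.test
10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.track.example-tracker.test
10.0.0.11 static.example.org
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded/hashed labels score near 4+ bits."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname, depth=2):
    """Naive registered-domain extraction: keep the last `depth` labels.
    A production version would consult the Public Suffix List (assumption: depth 2 is enough here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:])


def score_query(qname):
    """Longest subdomain label and highest per-label entropy below the registered domain."""
    labels = qname.rstrip(".").split(".")
    sub = labels[:-2]  # everything left of the registered domain
    longest = max((len(label) for label in sub), default=0)
    max_ent = max((shannon_entropy(label) for label in sub), default=0.0)
    return {"longest_label": longest, "max_entropy": max_ent}


def analyze(log_text, label_len_threshold=30, entropy_threshold=3.5, unique_sub_threshold=3):
    """Return (suspicious_queries, high_volume_domains).

    suspicious_queries: (client, qname) pairs whose subdomain labels look encoded.
    high_volume_domains: registered domains with many distinct subdomains queried,
    a pattern typical of per-victim tracking identifiers.
    """
    per_domain = defaultdict(set)
    suspicious = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        per_domain[registered_domain(qname)].add(qname)
        s = score_query(qname)
        if s["longest_label"] >= label_len_threshold and s["max_entropy"] >= entropy_threshold:
            suspicious.append((client, qname))
    high_volume = {d: len(names) for d, names in per_domain.items() if len(names) >= unique_sub_threshold}
    return suspicious, high_volume


if __name__ == "__main__":
    flagged, noisy_domains = analyze(SAMPLE_LOG)
    for client, name in flagged:
        print(f"encoded-looking label from {client}: {name}")
    for domain, count in noisy_domains.items():
        print(f"{domain}: {count} distinct subdomains")
```

The two signals are deliberately separate: a single long random label can be a legitimate CDN or anti-abuse token, and many distinct subdomains can be a large content network, but the same registered domain scoring on both, from clients that are mail or endpoint hosts, is the pattern worth an analyst's attention.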

Additionally, DNS tunneling is being used for network scanning: identifying vulnerable open resolvers and exploiting them for malicious purposes. One such campaign, dubbed “SecShow,” aims to identify and exploit open resolvers, mainly targeting organizations in the education, high-tech, and government sectors.

To counter these threats, Unit 42 suggests controlling resolver services so that they accept only necessary queries, and keeping resolver software updated to prevent exploitation of known vulnerabilities. Experts like Roger Grimes add that the priority remains denying attackers initial access in the first place, through measures like patching software vulnerabilities and mitigating social engineering attacks.
