Thursday, August 13, 2015

Security Basics: DNS Tunneling for Data Exfiltration

DNS tunneling is a method of exfiltrating data by carrying another protocol's traffic inside DNS queries and responses. First, let's review what DNS is. DNS stands for the Domain Name System, which is used to translate a domain name (the host part of a Uniform Resource Locator, or URL) into an Internet Protocol (IP) address. Still too complicated? Basically, this means that when you type in "www.securitydelivered.com", a DNS server will understand that you want to come to my website at the IP address of 74.125.20.121 and will hand that address back so your browser can download the content on my homepage.

With DNS tunneling, another protocol can be tunneled through DNS. Tunneling tools were originally written to bypass paid WiFi services: if a paid WiFi service allowed outbound DNS, a user could encode IP traffic into DNS queries and responses and get internet access without paying for it. Attackers learned, however, that they could tunnel arbitrary data through the DNS protocol in the same way, which makes it a fantastic tool for exfiltrating data out of a compromised network.

Many companies do not inspect their DNS traffic for data leaving the company, so very large amounts of data have been stolen from companies in the past using this method. For example, the credit card data stolen from Sally Beauty was exfiltrated over DNS by a variant of FrameworkPOS (the malware used in the Home Depot breach).

By monitoring DNS traffic in your network, you can not only spot these warning signs of a compromise but also learn which sites users on your network visit without going through a proxy service. With the Internet of Things becoming more popular, you'll also be able to verify that these devices are connecting to their intended destinations.
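To make the monitoring idea concrete, here is an added example (my own illustration, not code from this post or from any product) of what a first-pass DNS tunneling detector looks like when run over query logs. It picks up the traits a tunnel cannot avoid: the data has to be packed into the name, so subdomain labels get long and look like encoded noise (high character entropy); the name has to change on every query to defeat caching, so one domain suddenly has many unique subdomains; and tunnels tend to favour record types such as TXT or NULL that carry large responses. The log format, the `evil-tunnel.test` and `example.net` names, and every threshold are assumptions constructed for this example.

```python
"""First-pass DNS tunneling detector over DNS query logs.
Added example; thresholds and the log format are assumptions, not published cut-offs."""
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<timestamp> <client_ip> <qtype> <qname>".
# The evil-tunnel.test queries imitate what encoded-payload names look like.
SAMPLE_LOG = """\
2015-08-13T09:00:01 10.0.0.12 A www.securitydelivered.com
2015-08-13T09:00:02 10.0.0.12 A mail.example.net
2015-08-13T09:00:03 10.0.0.12 AAAA www.securitydelivered.com
2015-08-13T09:00:04 10.0.0.45 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uoq.data.evil-tunnel.test
2015-08-13T09:00:05 10.0.0.45 TXT nbswy3dpeb3w64tmmq4tmmlhgfrdqmbugi.data.evil-tunnel.test
2015-08-13T09:00:06 10.0.0.45 TXT onqwy3dzebrgk2lvorxsaylnmfzg6zlt.data.evil-tunnel.test
2015-08-13T09:00:07 10.0.0.45 TXT krugkidrobuw4zlsmv3weylmnfxgoidimfxeiyls.data.evil-tunnel.test
2015-08-13T09:00:08 10.0.0.12 A www.example.net
"""

# Tunable thresholds (assumed values for this example; baseline them on your own logs).
LONG_LABEL_LEN = 30            # a single label this long is rare in ordinary hostnames
ENTROPY_MIN_LEN = 16           # entropy is not meaningful on very short strings
ENTROPY_THRESHOLD = 3.5        # bits per character; encoded payloads score high
RARE_QTYPES = {"TXT", "NULL"}  # record types tunnels favour for large responses
MIN_FLAGGED = 3                # flagged queries per domain before alerting
MIN_UNIQUE_SUBDOMAINS = 3      # tunnels must vary the name to defeat caching


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain_labels).
    Assumption: the registered domain is the last two labels; a real deployment
    would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), []
    return ".".join(labels[-2:]), labels[:-2]


def query_indicators(qname: str, qtype: str) -> list:
    """Per-query tunneling indicators, returned as a list of indicator names."""
    _, sub_labels = split_name(qname)
    found = []
    if any(len(label) >= LONG_LABEL_LEN for label in sub_labels):
        found.append("long_label")
    sub_text = "".join(sub_labels)  # entropy over the subdomain part only
    if len(sub_text) >= ENTROPY_MIN_LEN and shannon_entropy(sub_text) >= ENTROPY_THRESHOLD:
        found.append("high_entropy")
    if qtype.upper() in RARE_QTYPES:
        found.append("rare_qtype")
    return found


def parse_line(line: str):
    """Parse '<timestamp> <client_ip> <qtype> <qname>'; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, client, qtype, qname = parts
    return {"ts": timestamp, "client": client, "qtype": qtype, "qname": qname}


def analyze(log_text: str) -> dict:
    """Aggregate indicators per registered domain and decide which look like tunnels."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                                      "flagged": 0, "indicators": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain, sub_labels = split_name(rec["qname"])
        entry = per_domain[domain]
        entry["queries"] += 1
        entry["subdomains"].add(".".join(sub_labels))
        entry["clients"].add(rec["client"])
        hits = query_indicators(rec["qname"], rec["qtype"])
        if hits:
            entry["flagged"] += 1
            entry["indicators"].update(hits)
    report = {}
    for domain, entry in per_domain.items():
        # Alert only when several flagged queries AND name churn coincide,
        # so one odd lookup or one busy CDN domain does not page anyone.
        suspicious = (entry["flagged"] >= MIN_FLAGGED
                      and len(entry["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS)
        report[domain] = {"queries": entry["queries"],
                          "unique_subdomains": len(entry["subdomains"]),
                          "flagged": entry["flagged"],
                          "indicators": dict(entry["indicators"]),
                          "clients": sorted(entry["clients"]),
                          "suspicious": suspicious}
    return report


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_LOG).items():
        tag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{tag:10} {domain:25} queries={info['queries']} "
              f"unique_subdomains={info['unique_subdomains']} flagged={info['flagged']} "
              f"indicators={info['indicators']} clients={','.join(info['clients'])}")
```

Run against the sample, only `evil-tunnel.test` is marked suspicious, with all three indicators on all four queries and a single client (10.0.0.45) responsible, which is the host you would go look at next. Entropy on its own is a noisy signal (plenty of real hostnames score above 3 bits per character), which is why the score is computed on the subdomain part only and combined with label length, record type and per-domain name churn. In a real deployment you would also maintain an allowlist, since content delivery networks and some antivirus signature-lookup services legitimately generate high-churn names and TXT queries.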

Are you tracking DNS traffic in your environment? Why or why not? Let me know in the comments below!