The DNS protocol is increasingly used as a pathway for data exfiltration through DNS tunneling attacks. In DNS tunneling, malware-infected devices or malicious insiders tunnel another protocol through port 53, which is often not inspected by firewalls (even next-generation firewalls). A number of tools are available for tunneling over DNS; a common motivation is bypassing captive portals for paid Wi-Fi access. A free tunneling application released under the ISC license for forwarding IPv4 traffic through DNS servers is one example of the software used in this kind of attack.

As illustrated in Figure 43.1, sensitive information such as credit card numbers and company financials can be stolen either by establishing a DNS tunnel from within the network or by encrypting and embedding chunks of that data in DNS queries. The data is decrypted at the other end and put back together, so valuable information can be stolen and misused by malicious attackers.
Figure 43.1 Data Exfiltration

You can use the following features to specifically target DNS tunneling traffic and minimize the risk of DNS data exfiltration:

    • Anti-DNS tunneling threat protection rules: These rules detect signature-based payload encoding techniques, such as Base32, Base64 and suspicious label lengths, commonly used by tunneling products such as OzymanDNS, Iodine, DNS2TCP, and SplitBrain. For more information about the threat protection rules, refer to the Threat Protection Rules document available on the Infoblox Support site.
    • Infoblox Threat Insight: Infoblox employs streaming analytics to study DNS statistics and create algorithms to identify DNS tunneling traffic. To further defend your system against DNS data exfiltration, Infoblox Threat Insight detects and mitigates DNS tunneling traffic by analyzing DNS queries and responses. Infoblox Threat Insight constantly evaluates incoming DNS traffic, develops a systematic pattern for defending against illegitimate DNS tunneling traffic, and constantly updates blacklists of known malicious destinations. For information about how to configure Infoblox Threat Insight, see About Infoblox Threat Insight.
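
The signals named in the first item above (Base32 or Base64 encoded payloads and suspicious label lengths) can be checked on query names with a short heuristic. The following Python is an added example, not Infoblox code or an Infoblox rule; the thresholds, function names, and sample query names are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Thresholds are illustrative assumptions, not values from any vendor rule set.
MAX_LABEL_LEN = 40     # DNS permits 63 bytes; ordinary hostnames rarely get close
MIN_ENCODED_LEN = 24   # short labels match an encoding alphabet by chance
MIN_ENTROPY = 3.5      # bits per character
BASE32 = re.compile(r"^[a-z2-7]+=*$", re.IGNORECASE)
BASE64 = re.compile(r"^[A-Za-z0-9+/_-]+=*$")

def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def score_query(qname, registered_labels=2):
    """Return the sorted reasons a query name looks like tunnel payload."""
    labels = qname.rstrip(".").split(".")
    # Assumption: the registered domain is the last two labels. A production
    # check would consult the public suffix list instead.
    payload = labels[:-registered_labels]
    reasons = set()
    for label in payload:
        if len(label) > MAX_LABEL_LEN:
            reasons.add("long-label")
        if len(label) >= MIN_ENCODED_LEN and shannon_entropy(label) >= MIN_ENTROPY:
            if BASE32.match(label):
                reasons.add("base32-like")
            elif BASE64.match(label):
                reasons.add("base64-like")
    return sorted(reasons)

# Constructed sample query names (example.com and example.net are reserved).
SAMPLES = [
    "www.example.com",
    "mail-gateway-01.corp.example.com",
    "NBSWY3DPEB3W64TMMQQGC3TEEBWWC3TZEBWW64TFEB2GQZLSMU.t.example.net",
    "dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZSBjaHVuaw.t.example.net",
]

def scan(qnames):
    """Map each flagged query name to its reasons; clean names are omitted."""
    return {q: r for q in qnames if (r := score_query(q))}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, reasons)
```

A per-query check like this only covers the signature-style signals; the statistical behavior of a client over time, which the second item describes, needs aggregation across many queries.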
