Suspicious DNS activity runs rife

Nearly half (40 per cent) of enterprise networks tested by security appliance firm Infoblox show evidence of DNS tunnelling. DNS tunnelling is symptomatic of active malware or ongoing data exfiltration within an organisation’s network. Infoblox’s latest quarterly security assessment report (pdf) also measured the prevalence of …
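The article's claim rests on finding "evidence of DNS tunnelling" in query traffic. The following is an added example, not from the article or from Infoblox's assessment, of the kind of heuristic a defender can run over resolver query logs to surface tunnelling candidates: it groups queries by registered domain and looks for the traits tunnels tend to share (long, high-entropy labels that rarely repeat, and a preference for TXT/NULL records). The log format, the `exfil-example.net` domain, the thresholds and the two-label "registered domain" rule are all assumptions made for the example.

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed DNS query log for the example (not from any real network).
# Line format assumed here: "<epoch> <client> <qname> <qtype>".
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com A
1700000003 10.0.0.7 cdn.example.org AAAA
1700000004 10.0.0.9 www.example.com A
1700000005 10.0.0.9 api.example.com A
1700000006 10.0.0.12 mzxw6ytboi5eyldjnfsxmzlx6rr3ifxgizlfmnzsgmzd.t.exfil-example.net TXT
1700000007 10.0.0.12 n5zgc4tfoqqgc3teebugk4tfeb3gs3tdom5xeyldfnsw.t.exfil-example.net TXT
1700000008 10.0.0.12 ozsxe43ufyxcaytsn5yhizlnnfzxg2lpnyqgc4tfebuw.t.exfil-example.net TXT
1700000009 10.0.0.12 pbsxgiddmnsxi3dbobxwkzldmfxhe43fnzsa3dtvnvrg.t.exfil-example.net TXT
1700000010 10.0.0.12 qbqwgk3tfpbuxizlsmfwgs3tbnrwhsidfnbbwe4zanf2g.t.exfil-example.net NULL
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payload scores far higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive two-label owner (assumption: no public-suffix list, so co.uk-style names are wrong)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_labels(qname: str) -> list[str]:
    return qname.rstrip(".").lower().split(".")[:-2]


@dataclass
class DomainStats:
    queries: int = 0
    unique_names: set = field(default_factory=set)
    longest_labels: list = field(default_factory=list)
    sub_text: str = ""
    txt_or_null: int = 0

    def indicators(self) -> list[str]:
        hits = []
        if sum(self.longest_labels) / self.queries >= 25:
            hits.append("long labels")
        if shannon_entropy(self.sub_text) >= 3.0:
            hits.append("high entropy")
        if len(self.unique_names) / self.queries >= 0.9:
            hits.append("rarely repeated names")  # encoded data makes every query differ
        if self.txt_or_null / self.queries >= 0.5:
            hits.append("TXT/NULL heavy")
        return hits


def parse_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort
        _, client, qname, qtype = parts
        yield client, qname, qtype.upper()


def flag_tunnel_candidates(log_text: str, min_queries: int = 3):
    """Return [(domain, DomainStats)] for domains showing >= 2 tunnelling indicators."""
    per_domain: dict[str, DomainStats] = defaultdict(DomainStats)
    for _client, qname, qtype in parse_log(log_text):
        stats = per_domain[registered_domain(qname)]
        subs = subdomain_labels(qname)
        stats.queries += 1
        stats.unique_names.add(qname.lower())
        stats.longest_labels.append(max((len(s) for s in subs), default=0))
        stats.sub_text += "".join(subs)
        if qtype in ("TXT", "NULL"):
            stats.txt_or_null += 1
    flagged = [
        (domain, stats)
        for domain, stats in per_domain.items()
        if stats.queries >= min_queries and len(stats.indicators()) >= 2
    ]
    return sorted(flagged, key=lambda d: len(d[1].indicators()), reverse=True)


if __name__ == "__main__":
    for domain, stats in flag_tunnel_candidates(SAMPLE_LOG):
        print(domain, stats.queries, "queries:", ", ".join(stats.indicators()))
```

On the constructed log this flags only `exfil-example.net`; `example.com` has short, repeating names and is ignored. In practice the thresholds need tuning per environment, since CDNs, anti-spam lookups and some cloud services (as a commenter below notes) legitimately produce long or unusual names, so a hit is a lead for an analyst, not proof of malware.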

  1. Anonymous Coward

    DNS vendor does a self-serving report, news at 10

    Infoblox and its salesmen have a long history of FUD on alternative DNS designs (anycast, etc) and implementation as well as using self-serving reports to advertise some of their features. I will take this one with enormous dose of salt and unless they show primary data which has led them to the conclusion I will simply ignore it.

  2. The obvious
    FAIL

    set reporting_mode = '^c^v';

    Pretty much covers it.

  3. James O'Shea

    Umm...

    It appears possible that up to 40% of tested networks have had some DNS tunneling. However... it's a stretch to say that this is, of itself, evidence of malware activity. It may well be merely that someone on the inside of the network wants access outside without the network admins knowing. There are many reasons why someone might want to do that, ranging from 'I want to collect personal email without letting company snoopers know' to 'I want some porn while at work'. Other possible, non-malware, reasons are left as an exercise for the student.

    I don't do DNS tunneling. When I don't want the corporate net to know what I'm doing, I connect using the hotspot built into my iPad, over the cell phone net (T-Mobile, in this case) and don't go near the corp net. They have no idea what I'm doing as it never touches their network. Certain elements have been known to squeal that this is a security problem. I have been known to ignore them. I am, for example, connected via the hotspot right now; el Reg has been designated a hacker website and blocked on the corp net. (As to why I'm at the office at 05:46, that's a whole other story.) (Yes, really. El Reg is a hacker site. So is CNET. I'm not making this up. We got idiots in certain parts of higher-higher..)

    1. Anonymous Coward

      Re: Umm...

      El Reg classed as a hacker website? It's supposed to be an online lesbian mag.

    2. Anonymous Coward

      Re: Umm...

      I connect using the hotspot built into my iPad, over the cell phone net

      Why bother with connecting via hotspot? Why not just use the iPad?

  4. Amos1

    It is a real threat, though

    We protect against it at the bank where I work after a pen test years ago used it and managed to get 3 M/bps throughput. DNS tunneling, ICMP tunneling, SSH tunneling, you name it; they're all real threats. It's also a data exfiltration channel used by malware. A fully split DNS is the only way to truly handle this one, though. If internal systems don't need to query DNS servers on the Internet because they go through a proxy server, then don't let them do it. Problem solved.

  5. Anonymous Coward

    IPv6 is where the real problem starts..

    When IPv6 starts making its way into the enterprise networks is when the real fun starts.

    Not only can each device have its very own IP address (read: directly addressable from the outside instead of having to pass at least some NAT barriers), but IPv6's extensible header facility appears almost *designed* to create covert channels.

    If you start implementing IPv6, be aware that very little expertise exists in firewalling it. You may want to get hold of a Japanese network engineer - at least in Japan, they've been using it for years.

    (less worried about DNS - only my internal DNS has rights to port 53 :) )

  6. Alistair
    Coat

    notorious dns tunnelling devices

    *cough*

    Google.

    If you have google cache nodes for your websites, guess what they *require*. Not far behind are a couple of cloud appliances.

    There are (reasonably) legitimate reasons for DNS tunnelling. Few, but they exist.

  7. adam payne

    A report from a company that offers secure DNS etc. I know what you are thinking but it must be a total coincidence.

  8. CAPS LOCK

    Me "How is my roof Mr. Roofer?"

    Roofer "(sound of sucking teeth) Well, you've 'ad some right cowboys in 'ere" etc.
