Fortinet Inc.

07/01/2020 | Press release | Distributed by Public on 07/01/2020 11:36

Into the Rabbit Hole – Offensive DNS Tunneling Rootkits

FortiGuard Labs Threat Research Report

Affected platforms: Windows 7, Windows 10, Windows Server 2016
Impacted parties: Windows 10 version 1809 + and Windows Server version 1903 +
Impact: Command and Control & User-Privacy Settings Violation
Severity level: Informational
Other: Other systems that use DNS may be affected if client-side exploit is available

At FortiGuard Labs, we see numerous evasion techniques that attackers use to bypass egress filtering solutions and establish command and control (C&C) within organizations. These targeted organizations typically have firewalls, IPS systems, and endpoint detection and remediation protection in place.

In this blog, we will discuss one of these techniques, DNS tunneling, and how it works. We will look at well-known DNS tunneling rootkits and how to configure them to test the security and detection capabilities in your environment. Lastly, we will review some industry best practices and show how the FortiGuard Labs Threat Intelligence Services embedded in our products mitigate this attack.

DNS Tunneling occurs when attackers encode and embed data and protocols in DNS traffic, primarily to achieve command and control inside an organization's protected network. In addition to command and control, attackers also use DNS tunneling to deliver and distribute malicious payloads, such as remote access trojans and ransomware, to victim computers inside an organization.

What is DNS?

Domain Name System, or DNS, is essential to how the Internet works: it is the 'phone book' of the Internet. Most people cannot remember to type the IP address 172.217.1.142 into their web browser to get to Google. DNS maps human-readable domain names to these IP addresses (in most cases). In this case, a user can easily remember Google.com rather than typing in the IP address 172.217.1.142.

How DNS Tunneling Attacks Work

DNS Tunneling attacks take advantage of the fact that almost every device on the internal network behind a firewall is allowed outbound access to resolve DNS requests. One of the reasons DNS Tunneling attacks work is that organizations often do not filter those outbound DNS requests.

The attack itself adds malicious payloads and commands to trusted DNS traffic. Additionally, compromised hosts don't actually need direct external Internet access to be attacked. If they simply have access to internal DNS servers, and those internal DNS servers have access to the Internet, in some cases this is enough for the machine to receive DNS responses carrying malicious data. This means machines that are normally considered 'air gapped,' but that still allow DNS queries to a DNS server with external access, may be vulnerable to this type of attack.
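The two sections above describe the mechanism: data is encoded into the labels of DNS queries, and the queries are relayed outward by a resolver that the organization trusts. The following is an added example, not code from the original report or from Fortinet, that shows the defender's side of that description: a small profiler that reads DNS query logs and flags domains whose subdomain labels look like encoded data (many unique subdomains, long labels, high character entropy, and a bias toward record types such as TXT or NULL that carry arbitrary payloads). The log format, the domain names and the thresholds are all constructed for illustration; the "registered domain" is approximated as the last two labels, which is a simplification (a production tool would use the public suffix list).

```python
import math
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format: timestamp, client IP, query type, QNAME).
# The example.net entries imitate what tunnel traffic looks like in a resolver log; none of
# these names or addresses are real.
SAMPLE_LOG = """\
2020-07-01T10:00:01 10.0.0.5 A www.example.com
2020-07-01T10:00:02 10.0.0.5 A mail.example.com
2020-07-01T10:00:03 10.0.0.7 TXT 3a7f9c1e4b2d8e6f0a1b2c3d4e5f6a7b.cdn-updates.example.net
2020-07-01T10:00:04 10.0.0.7 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.cdn-updates.example.net
2020-07-01T10:00:05 10.0.0.7 TXT 0123456789abcdef0123456789abcdef.cdn-updates.example.net
2020-07-01T10:00:06 10.0.0.7 TXT fedcba9876543210fedcba9876543210.cdn-updates.example.net
2020-07-01T10:00:07 10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.cdn-updates.example.net
2020-07-01T10:00:08 10.0.0.7 TXT 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.cdn-updates.example.net
2020-07-01T10:00:09 10.0.0.9 A www.example.org
2020-07-01T10:00:10 10.0.0.9 A static.assets.example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")

# Record types commonly abused to carry arbitrary response payloads.
DATA_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(text):
    """Bits of entropy per character; encoded/encrypted labels score close to the alphabet maximum."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain, registered_domain); registered domain = last two labels (simplification)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into dicts, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def profile_domains(records):
    """Aggregate per-registered-domain statistics that separate tunnels from ordinary lookups."""
    stats = defaultdict(lambda: {"queries": 0, "unique_subdomains": set(),
                                 "sub_lengths": [], "entropies": [], "data_qtype_queries": 0})
    for r in records:
        sub, dom = split_qname(r["qname"])
        s = stats[dom]
        s["queries"] += 1
        if sub:
            s["unique_subdomains"].add(sub)
            s["sub_lengths"].append(len(sub))
            s["entropies"].append(shannon_entropy(sub))
        if r["qtype"].upper() in DATA_QTYPES:
            s["data_qtype_queries"] += 1
    return stats


def find_tunnel_candidates(stats, min_unique=5, min_avg_len=30, min_entropy=3.0):
    """Flag domains with many unique, long, high-entropy subdomains; thresholds are illustrative."""
    flagged = []
    for dom, s in stats.items():
        uniq = len(s["unique_subdomains"])
        if uniq < min_unique:
            continue
        avg_len = sum(s["sub_lengths"]) / len(s["sub_lengths"])
        avg_ent = sum(s["entropies"]) / len(s["entropies"])
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged.append({
                "domain": dom,
                "unique_subdomains": uniq,
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "data_qtype_ratio": round(s["data_qtype_queries"] / s["queries"], 2),
            })
    return sorted(flagged, key=lambda f: f["unique_subdomains"], reverse=True)


def analyze(log_text=SAMPLE_LOG):
    return find_tunnel_candidates(profile_domains(parse_log(log_text)))


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

Run against the constructed log, only example.net is reported; example.com and example.org have too few distinct subdomains to matter. The same per-domain aggregation works on real resolver or firewall logs once `LINE_RE` is adapted to their format, and the thresholds should be tuned against a baseline of the organization's own traffic, since CDNs and some security products also generate long, machine-looking labels under a single domain.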