Attackers Use DNS Tunneling to Track Victim Activity, Scan Networks


Threat actors have been observed employing DNS tunneling to track the delivery of spam emails and victims’ interaction with malicious domains, as well as to scan victims’ networks, Palo Alto Networks warns.

Used for roughly two decades, DNS tunneling is a covert communication method that allows attackers to transmit malware and data to and from victim networks using a client-server model.

As part of a DNS tunneling attack, the threat actor registers a domain with a name server pointing to the attacker’s server on which tunneling malware runs.

The attacker then infects a computer with malware and uses requests to the DNS resolver to connect to the attacker-controlled server and establish a DNS tunnel through the resolver, bypassing conventional network firewalls and staying undetected, as organizations do not usually monitor DNS traffic.

Read more…