Stop Attackers From Using DNS Against You
Strata by Palo Alto Networks | Stop Attackers from Using DNS Against You | White Paper 1
Many security professionals don’t realize the ease and prevalence of DNS abuse by attackers. In fact, many security teams don’t inspect DNS traffic for threats because they assume queries sent over DNS protocol and port 53 are benign. Other organizations don’t inspect DNS traffic because the sheer volume of that traffic is overwhelming, and looking for a sign of something malicious in that traffic is like looking for a needle in a haystack. This takes a great deal of time and resources—often too great an investment for organizations, especially those that assume DNS does not pose a significant threat.

DNS is a massive and often overlooked attack surface that can be used for malware delivery, command and control (C2), or data exfiltration. Adversaries take advantage of the ubiquitous nature of DNS to abuse it at multiple points of an attack. According to Palo Alto Networks Unit 42 threat research team, almost 80% of malware uses DNS to initiate C2 procedures. Attackers establish reliable command channels that are difficult to take down or identify since DNS is such a reliable way to maintain a connection to DNS servers. As adversaries increasingly automate their attacks, it becomes almost impossible to identify and stop those threats.

Figure 1: Unit 42 research on DNS traffic. 80% of malware uses DNS to initiate C2 procedures that can be used to steal data and spread malware; 124% year over year.

…fection. By then, malware may have already spread, or data may have already been stolen.

Malware Using DNS for C2

This is one of the most typical ways attackers take advantage of DNS. Attackers use common network protocols, including DNS, to spread malicious code. Malware can be sent to users through online ads, malicious URLs in emails, or other means. Once a user’s computer is infected, the system sends a DNS request back to the attacker’s control server. In this way, the infected computer becomes a bot the attacker can control. The malware can then steal personal or financial data and spread very quickly by issuing instructions to scan the network for other computers.

Recently, the hacker group WINDSHIFT launched a cyberattack that used DNS for C2 against government departments and critical infrastructure in the Middle East. To learn the technical details and timeline, read Unit 42’s research on the WINDSHIFT attacks.

Malware Using Domain Generation Algorithms

Effective and growing quickly, domain generation algorithms (DGAs) randomly generate large numbers of slightly different domain names. A DGA can, for instance, create thousands of domains in a day that are each a slight variation of www.bigbadguys.com. Attackers developed DGAs so that malware can generate these domains and use them for C2. Unit 42 has observed that 18% of malware uses DGAs to automatically create thousands of C2 domains every day—of which attackers may use one—so that defenders can’t block them. Malicious domains controlled by attackers enable rapid movement of C2 channels from point to point, bypassing traditional security controls like blacklists or web reputation filtering. Infected computers contact some of these new domain names to receive commands and updates. A key aspect of DGAs is that, even though thousands of domains can be generated in short order, not all of them need to be registered. DGAs offer an effective means for attackers to hide the locations of their C2 centers, which they use for financial fraud, identity theft, and other malicious activities. To learn more about DGAs, read Unit 42’s DGA threat brief.
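Because most DGA output is never registered, an infected host leaves a distinctive trail in resolver logs: a burst of NXDOMAIN answers for names with near-random second-level labels. The following detector is an added example, not code from the white paper or from Palo Alto Networks; the log format, client addresses, domain names and thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not from the white paper); assumed format:
# "<client-ip> <queried-name> <response-code>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 wwww.example.com NXDOMAIN
10.0.0.5 cdn.vendor-example.net NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 xk3pq9vz1m7rt.com NXDOMAIN
10.0.0.9 a8sdf7g6h5j4k3l.net NXDOMAIN
10.0.0.9 qwe1rty2uio3pas4.org NXDOMAIN
10.0.0.9 h7j8k9l0m1n2b3v4c5.com NXDOMAIN
"""

def shannon_entropy(label):
    """Bits of entropy per character; a random-looking label scores near log2(len(label))."""
    n = len(label)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def sld(qname):
    """Second-level label, the part a DGA generates (e.g. 'xk3pq9vz1m7rt')."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def flag_dga_clients(log_text, min_queries=4, min_nx_ratio=0.5, min_entropy=3.0):
    """Return {client: stats} for hosts whose lookups are mostly NXDOMAIN answers for
    high-entropy names, the footprint of probing unregistered DGA output (thresholds assumed)."""
    per_client = defaultdict(lambda: {"total": 0, "nx": 0, "entropy": []})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        client, qname, rcode = fields
        st = per_client[client]
        st["total"] += 1
        if rcode.upper() == "NXDOMAIN":
            st["nx"] += 1
            st["entropy"].append(shannon_entropy(sld(qname)))
    flagged = {}
    for client, st in per_client.items():
        if st["total"] < min_queries or not st["entropy"]:
            continue  # too little data, or no failed lookups at all
        nx_ratio = st["nx"] / st["total"]
        mean_entropy = sum(st["entropy"]) / len(st["entropy"])
        if nx_ratio >= min_nx_ratio and mean_entropy >= min_entropy:
            flagged[client] = {"nx_ratio": round(nx_ratio, 2), "mean_entropy": round(mean_entropy, 2)}
    return flagged
```

On the constructed log, 10.0.0.9 is flagged (80% NXDOMAIN, mean entropy about 3.9 bits per character) while 10.0.0.5, whose single failure is a typo of a real domain, is not.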
DNS Tunneling

This technique, increasingly used by advanced persistent threat (APT) actors, lets attackers encode their payloads in small chunks within DNS requests to bypass security controls. Advanced attackers use DNS tunneling to hide data theft or C2 in standard DNS traffic. Once a victim’s device is compromised, the infected device sends a request within the DNS traffic. The DNS server is instructed to connect to the cybercriminals’ server, establishing a channel through which to steal and transmit data. With DNS tunneling, DNS requests pass through the normal DNS server, inside and outside a company’s firewall. However, tunneled data hidden in the DNS requests goes unnoticed. Attackers including the threat group OilRig have used DNS tunneling extensively in recent years.

Unit 42 Threat Research on OilRig

OilRig is an active, organized threat group first discovered by Unit 42. Operating primarily in the Middle East, OilRig carefully targets organizations to further its regional strategic goals across multiple industries, including supply chain-based attacks. As part of its adversary playbook, the group employs sophisticated, custom DNS tunneling for C2 and data exfiltration. The use of tunneling includes:

• ALMA Communicator Trojan, which uses DNS tunneling to receive commands from the adversary and exfiltrate data. The malware employs specially crafted subdomains to send data to the C2 server and specific IPv4 addresses to transmit data from the C2 to the Trojan over DNS requests.

• Helminth PowerShell-based Trojan, which can obtain files from a C2 server using a series of DNS TXT queries repeated every 50 milliseconds, essentially building malware on victim systems through hard-to-detect increments sent over DNS.

OilRig’s use of DNS tunneling allows the group to establish reliable C2 that can potentially evade existing defenses to carry out further stages of the attack. Get the full details on OilRig from Unit 42’s blog post series or the interactive Playbook Viewer.

Why Current Security Approaches Fail

Current approaches to blocking malware attacks that use DNS are inadequate for several reasons. To begin with, it is difficult to address the many ways attackers can use DNS to compromise an organization. Many organizations focus solely on protecting their DNS infrastructure—and rightfully so. If DNS goes down, they can no longer access the internet. What they don’t focus on is the hidden threat: attackers using DNS itself to spread malware or steal data. Some organizations do nothing to protect DNS, leaving it wide open for attackers. Many organizations don’t have DNS monitoring and instead only block malicious domains, essentially doing nothing to address malware that abuses DNS.

Other security teams take a blacklisting approach to blocking attacks that use DNS, relying on relatively static threat feeds that work off known bad domains. However, as malware’s use of DGAs grows, the effectiveness of blocking known malicious domains alone becomes more limited. Using a list of randomly generated domains for C2 can overwhelm the signature capability of legacy tools and traditional security approaches. A limited set of signatures simply cannot scale to meet the growing threat of DNS-based attacks.

Additionally, relying on static lists limits the amount of context defenders can access to fully understand the attacks against their network. Although threat intelligence feeds are regularly updated with indicators or artifacts derived from a source outside the organization, daily or even hourly updates are too slow to keep up with the massive amount of DNS data. The sheer volume of DNS traffic often means defenders simply lack the visibility or resources to universally inspect it for threats. With a traditional approach, security teams don’t have the resources to be proactive or scale their DNS security.

Some organizations use standalone point products to address threats to their DNS. These tools may adequately address specific facets of DNS security, but even “best-in-breed” technologies come with limitations. For instance, these tools often require changes to DNS infrastructure if they are to work effectively. Disparate products also create silos of threat intelligence and data that may not work with other areas of an organization’s security structure. As a result, overwhelmed teams drown in uncoordinated data from independent tools. Multiple tools become more things to own and manage, adding complexity and draining already limited human resources.

Stop Attackers from Using DNS Against You

How can you regain control of your DNS traffic and prevent attackers from using DNS to attack your organization?

Security Data, and Lots of It

You need massive quantities of real-world security data, either that you collect yourself or gather through threat intelligence or cyberthreat alliances. With data from a large and expanding intelligence-sharing community, your protection will continue to grow.

Analytics and Machine Learning

Your security teams need to be able to run analytics on that data. To address the dynamic nature of domains or DNS tunneling, your teams must employ machine learning to dynamically identify unknown bad domains. Without analytics, it is impossible to predict highly dynamic malicious domains. Behavioral analytics can also help determine a baseline of activity, understand general patterns, and find what is normal. When
defenders see signals that require action, analytics can help determine how manual or automated that action should be. Analytics can also understand which signals need to be acted upon, helping your teams prioritize time and resources.

Integration with a Next-Gen Firewall for Automated Action

Because many DNS-based attacks happen so quickly, it is imperative that security teams spend less time manually responding to attacks. To stand a chance, defenders need automation. Automation can help quickly determine infected machines, automate responses, and contain threats before they spread to other areas of a network. Security teams need integrated innovations that extend the value of existing security investments without complicating operations.

Cloud-Based Protection

Using the cloud, your DNS protections can scale infinitely and always stay up to date, giving you a critical new control point from which to stop attacks that use DNS. Cloud-based innovations enable your defenders to develop and deploy new detection techniques that your organization can take advantage of instantly. Cloud-based protections update instantly without requiring you to update or make changes to software, which means less work for your security operations center (SOC) teams.

Avoid Standalone Point Products

Finally, your security teams must avoid deploying disparate tools that are poorly integrated or require changes to DNS routing. Many of these tools weren’t designed for automation, forcing your analysts to manually stitch together insights from multiple disparate sources before acting. These products also don’t automatically share data or insights, and they won’t let you coordinate alerts across your entire security stack. As a result, your teams can’t approach protection holistically, resulting in slower responses to threats.

DNS Security Best Practices

In addition to deploying the right technology, there are other best practices your organization can follow to protect your network from DNS-based threats.

Train Your Staff to Be Security Aware

Implement a security education and awareness program to train your staff on what to look for in suspicious emails. Encourage them to take care when following links to avoid installing malware. Phishing training can help them learn to recognize, avoid, and report email-based attacks.

Implement a Threat Intel Program

Understand the threat landscape and set up a threat intelligence program to understand what threats and techniques exist. With this knowledge, you can ensure you have the right technology stack to keep your network safe.

Learn What the Logs Can Tell You

Don’t just look at DNS traffic. Collecting DNS logs has little value unless you understand what you’re looking at, what the data is telling you, and what you can do to secure your network from DNS-based attacks.

Don’t Blindly Rely on a DNS Resolver

If a DNS server is compromised, it may feed you false responses meant to direct your traffic to other compromised systems or enable a man-in-the-middle attack.

Plan for Mobile Employee Risk

Develop a strategy for your mobile employees as they can put company data at risk. Warn them against using unsecured, free, or public Wi-Fi as adversaries can easily put themselves between employees and the connection point. Integrate multi-factor authentication. Assume a high risk of devices being lost or stolen, and have a plan in place.

Approach Network Security Holistically

Don’t rely on a single product that promises to solve all your security problems. Instead, take a holistic approach to network security and ensure you have all the right tools to combat modern threats. Look at your security tools’ capabilities and whether you can use them together effectively. You need tools with multiple capabilities that address various threat vectors, including intrusion prevention, URL filtering, and file blocking.

Automate Response, Not Just Alerts

Require automated response, not just signals. Threats move so fast that alerts or signals alone are ultimately not helpful. By the time an analyst has prioritized an alert, confirmed a threat, and identified the threat and its source, it may already be too late. Your security systems must be able to automatically determine threats and quarantine potentially infected systems before more damage is done.

Is your organization implementing best practices in your DNS security strategy? Take a Best Practice Assessment to be sure.
3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087
www.paloaltonetworks.com

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
strata-stop-attackers-from-using-dns-against-you-wp-020720