DNS Is Conduit Into Air-Gapped Networks, Say ResearchersAttackers Use DNS Tunneling as Command-and-Control Channel, Says Pentera
Air gapping is a tried-and-true strategy for protecting operational technologies that run factories, power plants and a wide range of industrial systems, but even air-gapped networks need domain name resolution.
Poorly configured domain name system settings are a potential weakness attackers can exploit to target these critical assets, even if they're supposed to be kept securely apart from the internet.
Researchers have long known that air gapping in practice often fails to completely segregate critical systems. "In no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network," a U.S. Department of Homeland Security official said in 2011 after the agency led "hundreds" of vulnerability assessments. What begins as a tightly air-gapped system over time easily loses its isolation, either because of carelessness and staff turnover, merged networks or sheer inertia.
Research from Israeli cybersecurity company Pentera pinpoints DNS as a possible command-and-control pathway into air-gapped assets.
An air-gapped network's DNS server connected to the enterprise IT system has connections to the public DNS system on the internet even if it's kept behind a firewall. That's because of the nature of the DNS system, Uriel Gabay, a Pentera security researcher, tells Information Security Media Group.
The DNS is the decentralized system that translates domain names into the numerical IP addresses needed for routing across a network. A large majority of organizations surveyed by IDC earlier this year said they experienced some type of DNS attack in 2022. Most DNS traffic is sent over the UDP protocol, meaning there isn't built-in error detection for packets sent and received as there is in TCP.
It's the "received" part of a DNS response that poses a risk. Given the possibility for a DNS request to trace the hops from an air-gapped network to the enterprise network to a public DNS server, a datagram originating from outside the air gap is ultimately received by a computer on the inside. "You allow the response to come into your organization because this is the meaning of allowing the protocol. You need a response as well," Gabay said. "You're expanding your air-gapped DNS by connecting it to your network DNS - and your network DNS is able to query outside code."
Pentera isn't the first organization to realize the potential of DNS as an unattended and inadvertent line to the outside world. Russian hackers used the protocol for command and control during their attack on SolarWinds. Mitre keeps a running tally of known DNS tunneling attacks.
The first step as detailed by Pentera begins with a compromise that occurs behind the air gap, through malware that is transmitted via a thumb drive or a supply chain attack. That initial penetration supplies malware that exploits DNS as a channel to the outside world, specifically through a DNS request for resolution to a domain controlled by the attacker. Because attackers control it, they can respond to the request with commands to the malware.
Even highly targeted or very sophisticated attacks against control systems need a command and control system - to send updates or commands or to exfiltrate data. Stuxnet, easily the most famous malware launched against an air-gapped system, looked for command-and-control servers after installing itself. Researchers found the servers disguised as soccer fan websites located in Denmark and Malaysia.
Using DNS as the command-and-control channel has its advantages given the lack of built-in error detection and lack of control over the flow of datagrams.
It has its challenges, as well, Gabay said. DNS restricts the types of characters it accepts, and there's a limit on character length. The challenges aren't insuperable: Characters can be encoded in base64, and the long commands can be sent in pieces for buffering at the endpoint.
Pentera recommends completely isolating the DNS server used for air-gapped networks and filtering DNS traffic for anomalies, such as DNS messages with abnormal length or unusual flows.