Domain name system (DNS) tunneling is a pervasive threat that enables hackers to get any data in and out of a company's internal network while bypassing most firewalls. The domain name system translates human-readable domain names into the numeric internet protocol (IP) addresses that browsers then use to load web pages; threat actors use tunneling to exploit this process and steal data by hiding it inside DNS traffic.

Most DNS attacks focus on spoofing or misdirection, where an attacker either feeds false information to DNS servers or convinces other systems to query a hostile DNS server instead of a legitimate one. DNS tunneling, by contrast, smuggles hostile traffic through DNS ports, which makes these attacks difficult to detect and mitigate.

"Attacks that exploit weaknesses in DNS can misdirect other systems to connect to or mistakenly trust hostile systems, all without exploiting conventional vulnerabilities like missing patches or misconfigurations," says Jacob Ansari, PCI practice leader at global audit, tax, and advisory firm Mazars.

Most DNS attacks arise because the original DNS protocol, dating from the earliest days of the internet, had no security functions such as authenticity or integrity checks. That gives cybercriminals a conduit to abuse necessary network services such as DNS to exfiltrate data, rather than stealing it directly from a network, says Tim Shimeall, a senior member of the technical staff with the CERT network situational awareness group at the Carnegie Mellon Software Engineering Institute.

"This abuse is challenging to detect since it is mixed with the expected and required uses of these services — the hiding in the crowd approach," he says.
"By applying network monitoring tools and building familiarity with the expected and required uses, the challenge of detecting abuse becomes more achievable."

Here are four strategies to identify and reduce the risk of DNS tunneling:

Combine technical and human solutions

Organizations should look to both human and technical solutions to deal with DNS tunneling, says Terrence O'Connor, assistant professor of computer engineering and sciences and cybersecurity program chair at the Florida Institute of Technology. From a personnel standpoint, organizations can establish internal, proactive threat-hunting groups.

Such groups can improve threat detection and response times by analyzing network traffic logs to identify anomalies or developing signatures based on historical attacks and tools. Further, the group can inform network defenders about emerging attack technologies and how they uniquely leverage DNS for malicious purposes.

From a technical standpoint, companies can enable security mechanisms that defeat DNS tunneling. For example, organizations may employ the DNS Security Extensions (DNSSEC), a security mechanism that requires cryptographic validation of DNS messages, O'Connor says. "While no approach is perfect, combining both human and technical solutions can largely defeat most DNS tunneling attack approaches."

The best approach is a defense-in-depth solution that combines technical controls with the upskilling of a security team so they can perform manual analysis if the tools raise any alerts, says David Maynor, director of the Cybrary threat intelligence group.

"To identify DNS tunneling, organizations should implement tools that provide deep-packet inspection and can view and analyze DNS packets," he says.
"Rules can then be applied to detect fields that violate the request for comments standard."

Another method is anomaly-based network analysis, in which network flow is analyzed for abnormal behavior, Maynor says. For example, a workstation suddenly sending DNS traffic out of the network to seemingly random DNS servers would be a big red flag. Security teams can then respond to the alerts raised by the tools regarding these issues.

Monitor Internet activities

DNS is a perfect choice and target for attackers because of the sensitivity of the service, so it is important for organizations to rigorously monitor their DNS services and alert on unusual activity, says Izzat Alsmadi, associate professor in the Department of Computing and Cyber Security at Texas A&M University-San Antonio.

One way of doing this is to actively monitor internet activities and block IP addresses known to create such issues, Alsmadi says. "This is a general blacklisting approach, but it is generally hard to accommodate all possible attackers, hence it's important to include rules that alert for strange or unusual DNS queries."

Hardening local clients and ensuring users know to avoid phishing campaigns is also important, as most DNS attacks start by exploiting a local trusted client or computer, Alsmadi says.

Dan Petkevich, founder and CEO of Fair Square Medicare, says his company leverages technology to help older adults find insurance that best fits their healthcare needs. Because of the high level of personal data involved in the business, Fair Square Medicare is sensitive to the risks of DNS tunneling. He says one of the most practical methods to prevent DNS tunneling is to continuously monitor the kind of traffic frequenting a company's systems.

"This allows you to detect any suspicious activity from its inception and block its access to the network before the damage is done," Petkevich says.
"When I'm searching the web, I typically use sites with HTTPS protocols over HTTP because they're more secure against these attacks. As a business owner, it's crucial that your web developer includes the HTTPS protocol in your site. These days, even Google is aware of the high risk of DNS tunneling, and so it tends to warn surfers if a site isn't well-equipped to protect their data."

Ensure third parties fix misconfigurations in their DNS servers

Some DNS attacks involve denial-of-service (DoS) attacks or distributed denial-of-service (DDoS) attacks, where an attacker sends a large number of hostile DNS queries that can overwhelm DNS infrastructure and cause what amounts to internet outages at the victim organizations, Ansari says.

Some of these attacks make use of third-party DNS servers to respond to the victim organizations' DNS servers. "The solution for these attacks is to get the other parties to fix misconfigurations in their DNS servers. As such, this can be difficult to resolve if those parties are uncooperative or suborned by the attacker," Ansari says. "If third parties aren't adhering to good DNS security practices, include that in negotiations for contract renewal and third-party risk management efforts."

Employee training

Because of the many different legitimate uses of DNS, it's hard to tell if the data fields in the requests and responses are valid, according to Maynor. "Attackers capitalize on the complexity and trusted and required nature of DNS by crafting their own seemingly real-looking DNS traffic with data in the fields," he says.
"This gives an attacker inside a network the ability to exfiltrate data in a way that looks legitimate to the casual user."

Consequently, to keep systems protected against DNS tunneling, companies must conduct regular employee training programs on phishing, malware, and DNS tunneling attacks, says Ihab Shraim, chief technology officer at CSC Digital Brand Services. Employees who recognize and avoid social engineering attacks can prevent DNS tunneling attempts.

Organizations should also train cybersecurity teams to recognize DNS traffic patterns that are not typical. Implementing machine learning techniques on DNS traffic can help security teams detect anomalies in patterns.
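The rule-based detection Maynor and Alsmadi describe (fields that fall outside normal protocol use, a workstation talking to resolvers it should not, unusual queries) and the atypical-pattern recognition the last paragraph calls for, as an added example that is not from the article or any vendor's tool: it runs a handful of per-query and per-client rules over a constructed resolver log. The log format, the sanctioned resolver list, the rare record types and every numeric threshold are assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Assumed (not from the article): sanctioned resolvers, and record types workstations rarely need.
APPROVED_RESOLVERS = {"10.0.0.53"}
RARE_QTYPES = {"TXT", "NULL"}
# Constructed resolver log, one query per line: "<timestamp> <client> <qname> <qtype> <resolver>".
SAMPLE_LOG = """
2024-05-01T10:00:01 10.0.0.5 www.example.com A 10.0.0.53
2024-05-01T10:00:02 10.0.0.5 mail.example.com MX 10.0.0.53
2024-05-01T10:00:03 10.0.0.7 nbswy3dpeb3w64tmmq.krsxg5bamfzxizlt.tun.example.net TXT 10.0.0.53
2024-05-01T10:00:04 10.0.0.7 mfrggzdfmztwq2lk.tun.example.net TXT 10.0.0.53
2024-05-01T10:00:05 10.0.0.7 orsxg5a.tun.example.net TXT 10.0.0.53
2024-05-01T10:00:06 10.0.0.9 www.example.org A 203.0.113.77
"""

def shannon_entropy(s):  # bits per character; encoded payload labels score far above words
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def parse_line(line):
    ts, client, qname, qtype, resolver = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype.upper(), "resolver": resolver}

def query_flags(q):
    """Field-level rules on one query; the numeric thresholds are tunable assumptions."""
    labels = q["qname"].split(".")
    prefix = "".join(labels[:-2])  # everything left of the registered domain (2-label heuristic)
    flags = set()
    if len(q["qname"]) > 100 or any(len(label) > 40 for label in labels):
        flags.add("long_name")  # RFC 1035 allows 63/253, but benign names rarely approach it
    if len(prefix) > 20 and shannon_entropy(prefix) > 3.5:
        flags.add("high_entropy_prefix")
    if q["qtype"] in RARE_QTYPES:
        flags.add("rare_qtype")
    if q["resolver"] not in APPROVED_RESOLVERS:
        flags.add("unapproved_resolver")  # workstation bypassing the corporate resolver
    return flags

def analyze(log_text, unique_sub_limit=3):
    """Per-query rules plus a volume rule: one client querying many distinct names under one parent."""
    hits, seen = defaultdict(set), defaultdict(set)  # seen: (client, parent) -> distinct qnames
    for line in log_text.strip().splitlines():
        q = parse_line(line)
        parent = ".".join(q["qname"].split(".")[-2:])
        seen[(q["client"], parent)].add(q["qname"])
        hits[q["qname"]] |= query_flags(q)
    for (client, parent), names in seen.items():
        if len(names) >= unique_sub_limit:
            hits[f"{client}->{parent}"].add("many_unique_subdomains")
    return {key: flags for key, flags in hits.items() if flags}
```

In production the same rules would be fed from a resolver's query log or passive DNS capture, with the 2-label registered-domain heuristic replaced by a public-suffix list so that names under co.uk-style suffixes are split correctly.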