As of LCOS 10.50 RC3, all DNS queries that pass through the LANCOM DNS forwarder are therefore subjected to a security check. This prevents data tunnels from being transported via DNS messages.
Many Organizations let the DNS protocol pass through their firewall in both directions because their employees have to visit websites in the internet and users or customers have to find the company websites.
A network attack with DNS tunneling takes advantage of this by using DNS queries to implement a command and control channel for malware. Incoming DNS traffic can relay commands to the malware, while outgoing traffic can forward data, sensitive information, or responses to Inquiries from malware operators. DNS tunneling can also be used to bypass regulations in networks, for example by using access point logins or blocked services.
This works because DNS is a very flexible protocol. There are very few restrictions on the data that a DNS query contains as it is designed to look up domain names for websites. Since almost anything can be a domain name, these fields can be used to convey sensitive information. These queries are designed to target DNS servers controlled by attackers so that they can receive the queries and respond in the appropriate DNS responses.
DNS tunneling attacks are simple to hold out and there are various DNS tunneling toolkits available.This makes it attainable even for inexperienced attackers to use this method to export knowledge past a company' network security solutions (e.g. firewall) or to bypass hotspots, for example, while not having to certify a client.
The check is activated by default, but can be deactivated if required in the configuration in the menu DNS → Filter/Aliases → DNS Tunnel Filter. However, we recommend not deactivating the check.
Possible error pattern that can occur when the check is activated:
In rare cases, so-called false positives can occur during normal DNS operation, i.e. certain DNS packets are incorrectly recognised as DNS data tunnels.
The error pattern can be analysed with a DNS trace on the LANCOM router (see the following figure):
In this case, the following additional entries are written in the syslog of the LANCOM router:
