About DNS Tunnel Detection

By using machine learning techniques, Zscaler can detect DNS tunneling occurring in your network.

Detected DNS tunnels and DNS applications are logged in DNS Insights, and the most frequently seen tunnels and applications appear in the DNS Overview dashboard.

DNS Tunnels

DNS tunneling is commonly used to carry traffic past security controls. This can be done for benign reasons, such as endpoint anti-virus software fetching signature updates over DNS, or for more questionable purposes, such as bypassing captive portals.

To create a DNS tunnel, a user sets up a tunnel client that encodes data into DNS queries (sent on port 53) for a domain whose authoritative name server is the DNS tunnel server. Because recursive resolvers forward those queries on the client's behalf, the tunnel server receives them even when the client has no other path to the internet. The tunnel server can use this newly created channel to issue C2 callbacks in the TXT records of its DNS responses. These payloads can introduce a variety of security hazards that often go undetected because DNS traffic is rarely inspected and is almost always allowed through. If malicious DNS tunneling goes unobserved, it creates a significant risk, leaving companies open to data exfiltration, command and control activity, and other hazards.

[Diagram: basic DNS tunneling process]

How Zscaler DNS Tunneling Detection Works

Zscaler enables customers to detect and control DNS tunneling occurring in their networks. Zscaler provides a DNS proxy as a service, which customers can use as a firewall for DNS traffic. All traffic that passes through this proxy is logged. The Zscaler analytics system fetches these logs, processes them, and feeds them to the DNS tunneling detection engine, which uses machine learning techniques to compute a risk score and classify domains. Once a tunnel hostname is detected, the information is propagated to all Zscaler Enforcement Nodes (ZENs), and the proxy can then take action based on your policy configuration.

[Diagram: how Zscaler DNS tunneling detection works]
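The two halves of the process above, the tunnel client packing data into query names (see DNS Tunnels) and a per-domain risk score computed from query logs, as an added Python example. This is illustrative code written for this page, not Zscaler's detection engine: the tunnel zone exfil-example.net, the payload, the log lines and their format, and the scoring features and thresholds are all constructed assumptions. Zscaler's classifier, features and log format are not described on this page.

```python
import base64
import math
from collections import Counter, defaultdict

MAX_LABEL = 63                       # RFC 1035: a single label is at most 63 octets
TUNNEL_DOMAIN = "exfil-example.net"  # hypothetical attacker-controlled zone (assumption)


def encode_payload(data: bytes, tunnel_domain: str, labels_per_query: int = 2) -> list:
    """What a tunnel client does: base32 the payload (label-safe, case-insensitive),
    split it into 63-char labels, and prefix a sequence number so the server can
    reorder chunks that arrive out of order through recursive resolvers."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    per_query = MAX_LABEL * labels_per_query
    names = []
    for seq, start in enumerate(range(0, len(b32), per_query)):
        chunk = b32[start:start + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(".".join([str(seq), *labels, tunnel_domain]))
    return names


def decode_payload(names: list, tunnel_domain: str) -> bytes:
    """What the authoritative (tunnel) server does: strip the zone, reassemble the
    chunks in sequence order and reverse the base32 encoding."""
    suffix = "." + tunnel_domain
    chunks = {}
    for name in names:
        if not name.endswith(suffix):
            raise ValueError(f"not a tunnel query: {name}")
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0])] = "".join(labels[1:])
    b32 = "".join(chunks[i] for i in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)     # restore the padding stripped on send
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    """Bits per character: base32 data sits near 4-5, human-chosen hostnames near 0-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_domains(log_lines: list) -> dict:
    """Heuristic per-domain risk score from query logs (assumed features, not Zscaler's):
    long, high-entropy, never-repeating subdomains and a high share of TXT queries."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in log_lines:
        _ts, _client, qtype, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        domain = ".".join(labels[-2:])   # simplification: no public-suffix list
        sub = ".".join(labels[:-2])
        s = stats[domain]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        if qtype == "TXT":
            s["txt"] += 1
    verdicts = {}
    for domain, s in stats.items():
        n = s["n"]
        score = 0.0
        score += 0.35 if s["len"] / n > 50 else 0.0                      # subdomains carry data
        score += 0.25 if s["ent"] / n > 3.5 else 0.0                     # encoded, not words
        score += 0.25 if n >= 4 and len(s["subs"]) / n > 0.9 else 0.0    # no caching benefit
        score += 0.15 if s["txt"] / n > 0.5 else 0.0                     # TXT as return path
        verdicts[domain] = {"queries": n, "risk": round(score, 2),
                            "verdict": "tunnel" if score >= 0.6 else "benign"}
    return verdicts


# Constructed sample payload: a text header followed by non-text bytes.
PAYLOAD = b"user=alice;host=wks-17;sessiontoken=" + bytes((i * 131 + 7) % 256 for i in range(240))


def build_sample_log() -> list:
    """Constructed log lines (assumed format, not Zscaler's): '<time> <client> <qtype> <qname>'."""
    benign = [
        "2024-05-01T09:00:01Z 10.1.2.3 A www.example.com",
        "2024-05-01T09:00:02Z 10.1.2.3 A mail.example.com",
        "2024-05-01T09:00:03Z 10.1.2.4 TXT _dmarc.example.com",
        "2024-05-01T09:00:04Z 10.1.2.4 A www.example.com",
        "2024-05-01T09:00:05Z 10.1.2.5 A www.bing.com",
    ]
    tunnel = [f"2024-05-01T09:01:{i:02d}Z 10.1.2.9 TXT {name}"
              for i, name in enumerate(encode_payload(PAYLOAD, TUNNEL_DOMAIN))]
    return benign + tunnel


if __name__ == "__main__":
    names = encode_payload(PAYLOAD, TUNNEL_DOMAIN)
    assert decode_payload(names, TUNNEL_DOMAIN) == PAYLOAD
    for domain, v in score_domains(build_sample_log()).items():
        print(f"{domain:20} queries={v['queries']:2} risk={v['risk']:.2f} {v['verdict']}")
```

The 276-byte payload needs four queries, each with two 63-character labels plus a sequence label, which is why the tunnel zone scores on every feature while example.com, whose only TXT lookup is a legitimate _dmarc query, scores zero. A real classifier would also weigh query volume over time and the registered domain's age and reputation, which a single batch of log lines cannot show.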

Any tunnels that are detected are placed into one of three categories:

  • Commonly Allowed DNS Tunnels: Tunnels that use DNS tunneling for legitimate, productive purposes. This category consists mostly of traffic from security services.
  • Commonly Blocked DNS Tunnels: Tunnels that Zscaler has detected as malicious, or that can cause a loss of productivity or data.
  • Unknown DNS Tunnels: Tunnels that have not yet been classified.

DNS Applications

In addition to the tunneling categories, there are four DNS application categories:

  • Network Service: This contains different network protocols, such as TCP and UDP
  • Social Networking: This contains popular websites with social networking components, such as Facebook and LinkedIn
  • Web: This contains widely used websites, such as Amazon and CNN
  • Web Search: This contains popular search engines, such as Google and Bing

These categories are provided so that administrators can control any of these items at the DNS level. To learn more about DNS Control, see About DNS Control and Configuring the DNS Control Policy.

From these categories, you can select either an entire category or individual items to make up a DNS Application Group. To learn more, see About DNS Application Groups.