By using sophisticated machine learning techniques, the Zscaler service can detect DNS tunneling occurring in your network. You can create granular rules to control DNS tunnels as part of your DNS Control policy. To learn more, see Configuring the DNS Control Policy.
DNS Tunneling Detection is part of DNS Control, which requires the Advanced Firewall license. To learn more, see Zscaler Internet Access Bundles.
You can also analyze and visualize your DNS tunnels and network applications. The service logs all detected DNS tunnels and network apps in DNS Insights. You can also view the most commonly encountered tunnels and apps in the DNS Overview dashboard.
DNS tunneling is commonly used to circumvent security controls. Tunneling can have benign uses, such as an anti-virus update performed by endpoint software. However, it is also used for more malicious purposes, such as evading captive portals.
To create a DNS tunnel, a user sets up a tunnel client that sends requests on port 53 to a DNS tunnel server. The DNS tunnel server can then use this newly created tunnel to smuggle payloads in the TXT field of DNS response messages. These payloads can introduce a variety of security hazards, which often go undetected because DNS traffic is generally trusted. If malicious DNS tunneling goes unobserved it creates significant risk, leaving companies open to data exfiltration, command-and-control activity, and other hazards.
The Zscaler service enables you to detect and control DNS tunneling occurring in your networks. The service provides a DNS proxy, which you can use as a firewall for DNS traffic. All traffic that goes through this proxy is logged by the service. The Zscaler analytics system then fetches these logs, processes them, and sends them to the DNS tunneling detection engine. The detection engine uses advanced machine learning techniques to compute a risk score that classifies domains. Once the engine detects a tunnel hostname, the information is propagated to all Zscaler Enforcement Nodes (ZENs), and the proxy then acts according to your policy configuration.
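As an added illustration (not Zscaler's code or its machine learning model), the following Python sketches the kind of per-domain risk scoring a detection engine can derive from DNS proxy logs: it aggregates queries by registered domain and scores them on TXT-heavy traffic and long, high-entropy leading labels. The log format, the three features, their weights and the 0.7 threshold are all assumptions, and the log lines are constructed sample data.

```python
import math
from collections import defaultdict

# Constructed sample of DNS proxy log lines (not real Zscaler output):
# "<client-ip> <query-name> <query-type>", one query per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 update.av-vendor.example A
10.0.0.7 3fa9c1e0b7d25864.t.exfil-example.net TXT
10.0.0.7 9d0e4b7a61f3c258.t.exfil-example.net TXT
10.0.0.7 c2b8f05a7e9134d6.t.exfil-example.net TXT
10.0.0.7 5e1d7a90c4b2f368.t.exfil-example.net TXT
10.0.0.5 mail.example.com MX
"""

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_domain(qname):
    """Assumption: the registered domain is the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_domains(log_text):
    """Return {registered_domain: risk score in [0, 1]} computed from the log text.
    Heuristic stand-in for a classifier: TXT-heavy queries, high-entropy leading
    labels and long leading labels all raise the score."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "entropy": [], "length": []})
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        dom = registered_domain(qname)
        st = stats[dom]
        st["queries"] += 1
        st["txt"] += qtype == "TXT"
        if qname != dom:                        # there is a subdomain prefix
            label = qname.split(".")[0]         # leading label carries tunnel payload
            st["entropy"].append(shannon_entropy(label))
            st["length"].append(len(label))
    scores = {}
    for dom, st in stats.items():
        mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
        txt_ratio = st["txt"] / st["queries"]
        entropy = min(mean(st["entropy"]) / 4.0, 1.0)   # ~4 bits/char for random hex
        length = min(mean(st["length"]) / 16.0, 1.0)    # 16+ chars looks like a payload
        scores[dom] = round((txt_ratio + entropy + length) / 3.0, 2)
    return scores

def flag_tunnels(scores, threshold=0.7):
    """Domains whose risk score meets the threshold, highest score first."""
    return sorted((d for d, s in scores.items() if s >= threshold), key=lambda d: -scores[d])
```

On the sample, only exfil-example.net crosses the threshold; a production engine would add volume and timing features and train the weights rather than fix them by hand.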
The service places any tunnels it detects into one of three categories. These are:
There are four additional categories that you can control alongside the DNS tunnels. These are:
These categories give administrators the flexibility to control any of these items at the DNS level.
From these categories, users can either select the whole category or individual items to make up a DNS Application Group which you can use in your DNS Control policy. To learn more, see About DNS Application Groups.