By using sophisticated machine learning techniques, Zscaler can detect tunneling occurring in your network.
DNS tunneling is commonly used to circumvent security controls. This can be done for benign reasons, such as anti-virus updates performed by endpoint software, or for more malicious purposes, such as evading captive portals.
To create a DNS tunnel, a user sets up a tunnel client that sends requests on port 53 to a DNS tunnel server. The DNS tunnel server can use this newly created tunnel to issue C2 callbacks in the TXT field of the DNS response message. These payloads can introduce a variety of security hazards that often go undetected because of the nature of DNS traffic. If malicious DNS tunneling goes unobserved, it creates a significant risk, leaving companies open to data exfiltration, command-and-control activity, and other hazards.
Zscaler enables clients to detect and control DNS tunneling occurring in their networks. Zscaler provides a DNS proxy as a service to its customers, who can use this service as a firewall for DNS traffic. All traffic that goes through this proxy is logged. The Zscaler analytics system then fetches these logs, processes them, and sends them to the DNS tunneling detection engine. The detection engine uses advanced machine learning techniques to compute a risk score that classifies domains. Once a tunnel hostname is detected, the information is propagated to all Zscaler Enforcement Nodes (ZENs). The proxy server can then take action based on your policy configuration.
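The pipeline above (proxy logs in, per-domain risk score out) can be illustrated with a simple heuristic scorer. This is an added example, not Zscaler's detection engine or its log format: the log records, domain names and weights are constructed, and the registrable-domain split is a naive last-two-labels rule.

```python
import math
from collections import defaultdict

# Constructed sample records in the shape (client_ip, queried_name, qtype).
# They are illustrative only and not real DNS proxy log output.
HEX = "0123456789abcdef"
TUNNEL_NAMES = [(HEX * 3)[i:i + 40] + ".tunnel-example.net" for i in range(6)]
SAMPLE_LOGS = (
    [("10.0.0.5", "www.example.com", "A")] * 4
    + [("10.0.0.5", "mail.example.com", "A"), ("10.0.0.6", "api.example.com", "A")]
    + [("10.0.0.7", "update.av-vendor.example", "TXT")] * 3
    + [("10.0.0.9", name, "TXT") for name in TUNNEL_NAMES]
)

def registered_domain(name: str) -> str:
    """Naive registrable domain: last two labels (a public-suffix list is better)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded tunnel payloads score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def score_domains(logs):
    """Heuristic 0-100 tunnel risk per registrable domain (hypothetical weights,
    not Zscaler's model): TXT-heavy, high-cardinality, long, random-looking names."""
    by_domain = defaultdict(list)
    for _, name, qtype in logs:
        name = name.lower().rstrip(".")
        base = registered_domain(name)
        sub = name[: -len(base) - 1] if name != base else ""
        by_domain[base].append((sub, qtype))
    scores = {}
    for base, rows in by_domain.items():
        n = len(rows)
        txt_ratio = sum(q == "TXT" for _, q in rows) / n
        uniq_ratio = len({s for s, _ in rows}) / n
        avg_len = sum(len(s) for s, _ in rows) / n
        avg_ent = sum(shannon_entropy(s) for s, _ in rows) / n
        score = 0
        score += 30 if txt_ratio > 0.5 else 0               # payload carried in TXT answers
        score += 25 if n >= 5 and uniq_ratio > 0.8 else 0   # every query is a fresh name
        score += 25 if avg_len > 30 else 0                  # long labels carry encoded data
        score += 20 if avg_ent > 3.5 else 0                 # near-random characters
        scores[base] = min(score, 100)
    return scores

if __name__ == "__main__":
    for base, s in sorted(score_domains(SAMPLE_LOGS).items(), key=lambda kv: -kv[1]):
        print(f"{s:3d}  {base}")
```

On the constructed logs the tunnel-like domain scores 100, the TXT-based updater 30 and ordinary browsing 0; in a real deployment the thresholds would be tuned against known-benign TXT users and CDN-style high-cardinality domains.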
Any tunnels that are detected are placed into one of three categories:
In addition to the tunneling categories, there are four additional categories. These are:
From these categories, users can either select the whole category or individual items to make up a DNS Application Group. To learn more, see About DNS Application Groups.