
Author: @kcheung 

DNS: Overview & Threats

DNS (Domain Name System) is integral to enterprise IT infrastructure, providing services for name resolution. Without DNS, an IT infrastructure is unable to look up a domain’s IP address.


Because DNS is present in virtually every IT infrastructure, its role makes it an attractive target for malicious activity. Enterprises must adopt layered defenses and monitor DNS activity to mitigate threats effectively.

DNS command-and-control (C2) traffic can look like ordinary DNS requests, which makes DNS-based threats difficult to detect. Enterprise firewalls typically allow DNS traffic (port 53), so a multi-layered detection and response approach (for example, EDR and NDR) is crucial for identifying these threats. FortiNDR Cloud offers multiple levels of network-based DNS threat detection and response.


This blog goes deeper into how you can leverage these capabilities to understand, respond to, and mitigate such threats and secure your organization’s network.


DNS Tunneling

DNS tunneling is a clever way of blending malicious traffic with normal traffic. It typically starts with a compromised host inside an organization’s network. Attackers break sensitive information into many small chunks and encode each chunk as a subdomain in a DNS request, which allows slow and steady data exfiltration. The example below shows how multiple DNS requests from a compromised host share the same second-level domain, domainxyz, and how encoded data is transferred via those DNS requests to the attacker’s server.

FortiNDR Cloud uses machine learning-based behavioral analysis to detect hosts generating a high volume of DNS queries to unique FQDNs that share a similar second-level domain—one that has rarely appeared in previous network traffic.


Figure 1: DNS Tunneling


For example, we ran a few tests in our FortiGuard threat research lab and observed the following detection in our environment, which points to “DNSCAT2 DNS Tunnel” activity. DNScat2 is a tool used to create a DNS tunnel, allowing data to be transmitted over the DNS protocol; this method is often used to bypass network restrictions or exfiltrate data covertly.


Figure 2: DNSCAT2 DNS Tunnel Detection


Using the metadata associated with the detection event in FortiNDR Cloud, we can obtain the domain and IP address related to this activity. From there, we can extract all the DNScat2 queries and answers.


Figure 3: Detection Details and Metadata


In our real-world example, Zloader was using DNS tunneling as a C2 channel, and FortiNDR Cloud’s behavioral detection was able to detect this activity. The detection looks for hosts making a large number of DNS queries to unique FQDNs that all share a similar second-level domain, one that has rarely been seen in past traffic. Adversaries may encode data into subdomains before making DNS queries in order to evade network controls.


Figure 4: DNS Tunneling Behavioral Detection

Detecting Suspicious Long DNS Queries

DNS has specific length limits defined by the protocol (RFC 1035 and later enhancements). These limits are often abused in DNS tunneling, where attackers break up data across many queries. Long queries can be used to send information from a compromised system to an attacker-controlled server or to receive commands from it. Proactive monitoring and layered defenses are essential to detect and mitigate these threats.

An example of encoded data and full query might look like below:


  • Encoded data: ZXhhbXCSXhheESF (base64 string).
  • Full query: ZXhhbXCSXhheESF.bad-domain.com.
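The two detection ideas above, many unique FQDNs under one rarely seen second-level domain (the DNS Tunneling section) and over-long or encoded-looking labels (the RFC 1035 limits just described), as simple detection logic. This is an added example, not code from the original post or from FortiNDR Cloud; the "last two labels" rule for the second-level domain, the 30-character label threshold and the entropy cutoff are assumptions, while the 63-octet label and 255-octet name limits are from RFC 1035.

```python
import math
import re
from collections import defaultdict

# RFC 1035 limits: a label is at most 63 octets, a full name at most 255 octets.
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255
# Labels of this shape (base64-like alphabet, 16+ chars) are treated as encoded-looking (assumption).
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")

def second_level_domain(fqdn):
    # Simplification (assumption): SLD = last two labels. Real tooling uses the Public Suffix List.
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def flag_long_query(fqdn, min_label_len=30, min_entropy=3.5):
    """Reasons a single query looks like it carries encoded data (empty list means clean)."""
    reasons, name = [], fqdn.rstrip(".")
    if len(name) > MAX_NAME_LEN:
        reasons.append("name exceeds RFC 1035 255-octet limit")
    for label in name.split(".")[:-2]:  # inspect subdomain labels, not the SLD itself
        if len(label) > MAX_LABEL_LEN:
            reasons.append("label exceeds RFC 1035 63-octet limit: %s..." % label[:12])
        elif (len(label) >= min_label_len and ENCODED_LABEL.match(label)
              and shannon_entropy(label) >= min_entropy):
            reasons.append("long encoded-looking label: %s" % label)
    return reasons

def tunneling_hosts(log, baseline_slds, min_unique=50):
    """Hosts querying many unique FQDNs under one SLD that is rarely seen in past traffic."""
    seen = defaultdict(set)  # (host, sld) -> unique FQDNs queried
    for host, fqdn in log:
        sld = second_level_domain(fqdn)
        if sld not in baseline_slds:
            seen[(host, sld)].add(fqdn.lower())
    return sorted((h, s, len(f)) for (h, s), f in seen.items() if len(f) >= min_unique)

# Constructed sample traffic: one host chunking data into subdomains of an SLD never seen before,
# one host doing ordinary lookups against an SLD the baseline already knows.
CONSTRUCTED_LOG = [("10.0.0.5", "ZXhhbXCSXhheESF%03d.bad-domain.com" % i) for i in range(60)]
CONSTRUCTED_LOG += [("10.0.0.7", "www.example.com")] * 20
BASELINE_SLDS = {"example.com"}  # SLDs commonly seen in past traffic (constructed)
```

`tunneling_hosts(CONSTRUCTED_LOG, BASELINE_SLDS)` reports only the first host, and `flag_long_query` on any one of its queries explains which length or encoding rule fired.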

Below is a screenshot of how FortiNDR Cloud detects long DNS queries from internal hosts to suspicious domains.


Figure 5: Long DNS Queries Detected in FortiNDR Cloud


Understanding Domains in the Context of DNS Threats

Malware often employs Domain Generation Algorithms (DGAs) to bypass static detection methods, such as web filtering, and maintain communication with its Command and Control (C2) servers.

What Are DGAs?

A DGA is a technique utilized by malware developers to dynamically generate domain names using a predefined algorithm and seed. The algorithm dictates the structure and logic for creating these domain names, while the seed provides the input needed to reproduce the same set of domains consistently. This process allows attackers to generate large pools of potential domains, which they bulk register in advance for use as C2 endpoints.

How DGAs Work

When malware that uses a DGA for C2 communication executes, it runs the same algorithm with the same seed to generate domain names and queries them sequentially. Most of these generated domains fail to resolve and return NXDomain DNS responses (no such domain exists) because they are not registered. Eventually, however, one of the domains resolves to an active C2 server under the attacker’s control. Some malware families are configured to retry the DGA-generated list to restore communication when a connection fails.

Challenges for Detection

This approach enables malware to evade traditional domain reputation systems, which cannot determine if newly generated domains are malicious or not. Even if defenders block or deactivate some domains, DGAs can quickly generate new ones, maintaining a steady flow of C2 traffic. This persistence and flexibility present significant obstacles to network detection and response systems.


The following diagram shows how malware that uses a DGA communicates with attacker-controlled infrastructure.


  1. Malware is executed on a compromised host and begins communicating with its C2 using a DGA
  2. Using the seed/pattern tied to the attacker’s domains, the malware generates domain names and attempts to resolve each one to obtain an IP address
  3. The malware continues resolving domain names until one resolves successfully and returns an IP address
  4. The malware then uses the successful domain and IP as its C2 channel

Figure 6: Command and Control using a DGA Domain


FortiNDR Cloud’s machine learning-based behavioral observation employs a deep neural network to detect domain names that mimic patterns created by Domain Generation Algorithms (DGAs). Additionally, it evaluates unusual DNS request behaviors that resemble DGA activity. By combining these capabilities, the system provides deeper insights into suspicious activities, significantly enhancing threat detection and response effectiveness. 
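The NXDomain walk of steps 2 to 4 above, turned into the kind of behavioral check a network sensor can run over DNS responses. This is an added example, not FortiNDR Cloud's implementation or any code from the original post; the 60-second window, the 15-distinct-domain and 80% NXDOMAIN thresholds, and the "last two labels" rule for the registrable domain are assumptions.

```python
from collections import defaultdict, deque

def registrable_name(qname):
    # Simplification (assumption): registrable domain = last two labels; real tooling
    # would consult the Public Suffix List so that names such as example.co.uk are handled.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def dga_suspects(records, window_s=60, min_nx_distinct=15, min_nx_ratio=0.8):
    """Slide a per-client time window over DNS responses. A client is flagged when most
    answers in the window are NXDOMAIN for many distinct domains (the DGA walk of steps
    2 and 3); the first name that resolves afterwards is recorded as the candidate C2 of
    step 4 for an analyst to triage. records: (ts_seconds, client_ip, qname, rcode), sorted."""
    windows = defaultdict(deque)  # client -> recent (ts, registrable name, rcode)
    findings = {}
    for ts, client, qname, rcode in records:
        name, rc = registrable_name(qname), rcode.upper()
        win = windows[client]
        win.append((ts, name, rc))
        while ts - win[0][0] > window_s:  # drop answers older than the window
            win.popleft()
        nx_distinct = {n for _, n, r in win if r == "NXDOMAIN"}
        nx_ratio = sum(1 for _, _, r in win if r == "NXDOMAIN") / len(win)
        if len(nx_distinct) >= min_nx_distinct and nx_ratio >= min_nx_ratio:
            f = findings.setdefault(client, {"nxdomain_distinct": 0, "candidate_c2": None})
            f["nxdomain_distinct"] = max(f["nxdomain_distinct"], len(nx_distinct))
        if client in findings and findings[client]["candidate_c2"] is None and rc == "NOERROR":
            findings[client]["candidate_c2"] = name
    return findings

# Constructed sample: one client walks 18 names that can never resolve (.invalid and .example
# are reserved, RFC 2606) within 18 seconds and then receives a NOERROR answer; another client
# performs ordinary lookups with a single typo.
CONSTRUCTED = sorted(
    [(i, "10.0.0.9", "constructed-dga-%02d.invalid" % i, "NXDOMAIN") for i in range(18)]
    + [(18, "10.0.0.9", "resolved-placeholder.example", "NOERROR")]
    + [(i * 2, "10.0.0.3", "host%d.example.com" % (i % 3), "NOERROR") for i in range(25)]
    + [(7, "10.0.0.3", "exmaple.com", "NXDOMAIN")]
)

if __name__ == "__main__":
    print(dga_suspects(CONSTRUCTED))
```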


Figure7.png

Figure 7: Suspicious DNS NXDomain Response: FortiNDR Cloud Behavioral Observation

Figure8.png

Figure 8: Suspicious Malware DGA Domain: FortiNDR Cloud Behavioral Observation


Conclusion

DNS remains a vital yet vulnerable component of enterprise networks, often exploited by attackers to execute stealthy command-and-control operations and data exfiltration.


As demonstrated through DNS tunneling, suspicious long queries, and domain generation algorithms, malicious use of DNS is both sophisticated and difficult to detect with traditional security measures.


FortiNDR Cloud provides a powerful, layered approach to DNS threat detection and response, leveraging advanced machine learning, behavioral analytics, and rich network metadata to identify and mitigate threats in real time. By integrating these capabilities, organizations can gain deeper visibility into DNS activity, streamline threat investigations, and fortify their defenses against evolving adversaries. To further enhance threat hunting, FortiNDR Cloud also offers guided queries, helping security teams quickly uncover hidden threats and take decisive action.


With FortiNDR Cloud, you’re not just detecting threats—you’re staying ahead of them.


References

  1. RFC Standard for Domain Names: RFC1035 (https://datatracker.ietf.org/doc/html/rfc1035)
  2. DNScat2 (https://github.com/iagox86/dnscat2)
  3. Zloader FortiEDR Coverage (https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Zloader/ta-...)
  4. DNS Tunneling Fortinet Blog (https://www.fortinet.com/blog/threat-research/into-the-rabbit-hole-offensive-dns-tunneling-rootkits)