Threat actors expanding malicious use of DNS tunneling

Hackers are employing Domain Name System tunneling to monitor phishing email interactions, scan networks for vulnerabilities, and bypass security measures, BleepingComputer reports.

DNS tunneling involves encoding data within DNS queries, allowing covert communication channels that exploit fundamental network protocols. Palo Alto Networks' Unit 42 research team discovered several malicious campaigns using this method, including a campaign called "TrkCdn," which tracks phishing email engagement through encoded DNS queries to attacker-controlled subdomains, and one known as "SpamTracker," which tracks spam delivery.

Another campaign dubbed "SecShow" uses DNS tunneling to map network infrastructures, embedding IP addresses and timestamps in DNS queries to identify exploitable network flaws.

These methods enable attackers to bypass firewalls, evade detection, and maintain operational flexibility, making DNS tunneling an attractive alternative to traditional tracking and scanning tools. Unit 42 recommends implementing DNS monitoring tools to detect unusual traffic patterns and limiting DNS resolvers to essential queries, thereby reducing the risk of DNS tunneling exploits.