Multiple Domains Leveraging DNS Tunneling Probe Internet for Public IPv4/IPv6 Resolvers

Palo Alto Networks Unit 42 researchers have identified multiple domains using DNS tunneling to scan the internet for public IPv4/IPv6 resolvers. These scans, which began in January 2025, peaked recently, with suspicious DNS traffic lacking TXT/PTR records. More details can be found in their report: https://bit.ly/4iibcTF.

You Should Know:

Detecting DNS Tunneling Activity

DNS tunneling is often used for data exfiltration, C2 communication, or bypassing network security. Here are key commands and techniques to detect and mitigate such threats:

1. Analyze DNS Logs for Anomalies

# Check for unusually long DNS labels (common in tunneling; a single label may be at most 63 characters)
grep -E '[a-zA-Z0-9]{50,}' /var/log/named/queries.log

2. Monitor High DNS Query Rates

# Use tshark to capture outbound DNS queries and list the source IP and queried name
tshark -i eth0 -f "port 53" -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name

3. Block Suspicious Domains via Firewall

# Example using iptables to drop queries for a malicious domain. In DNS wire format each
# label is preceded by its length byte, so "malware.com" is |07|malware|03|com (not |06|).
iptables -A OUTPUT -p udp --dport 53 -m string --algo bm --hex-string "|07|malware|03|com" -j DROP

4. Check for Unusual TXT/PTR Records

dig TXT suspicious-domain.com
dig -x <IP>   # Reverse DNS lookup for PTR records

5. Use Threat Intelligence Feeds

# Fetch a list of known malicious domains and block DNS queries for each one.
# Matching -d "$domain" would only block packets to whatever that name resolves
# to right now, so the rule matches the queried name itself in DNS wire format.
curl -sf https://malware-domains.com/list.txt | grep -v '^\s*\(#\|$\)' | while read -r domain; do
    echo "blocking $domain"
    wire=""
    IFS=. read -ra labels <<< "$domain"
    for label in "${labels[@]}"; do wire+=$(printf '|%02x|%s' "${#label}" "$label"); done
    iptables -A OUTPUT -p udp --dport 53 -m string --algo bm --hex-string "${wire}|00|" -j DROP
done

6. Enable DNS Logging in Palo Alto Firewall

# Sample CLI command to enable DNS logging
set deviceconfig setting logging dns-sinkhole yes

7. Detect IPv6 DNS Tunneling

tcpdump -ni eth0 'ip6 and port 53' -w ip6-dns.pcap 
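The checks from steps 1 and 2 applied to a handful of query-log lines, as an added Python example that is not part of the Unit 42 report or of the original post. It goes beyond the grep in step 1 by also scoring each label's Shannon entropy and counting unique names per zone; the log lines are constructed in BIND's query-log layout, and the thresholds (40-character labels, 3.5 bits of entropy, 3 queries per source) are assumptions to tune for your own traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed BIND-style query log lines (sample data, not real traffic).
# Two ordinary lookups from 10.0.0.5, then four TXT queries from 10.0.0.9
# whose leftmost label is 48 hex characters using every hex digit equally.
TUNNEL_LABELS = ["3f9a1c7e5b0d2846" * 3, "8d2b6f0a4e9c1735" * 3,
                 "a7c3e1f5b9d08264" * 3, "6e2a8c4f0b1d3957" * 3]
SAMPLE_LOG = [
    "client @0x1 10.0.0.5#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.1)",
    "client @0x1 10.0.0.5#51235 (mail.example.com): query: mail.example.com IN MX +E(0)K (10.0.0.1)",
] + [
    f"client @0x1 10.0.0.9#4{i}000 ({lbl}.t.evil-example.net): query: {lbl}.t.evil-example.net IN TXT +E(0)K (10.0.0.1)"
    for i, lbl in enumerate(TUNNEL_LABELS)
]

QUERY_RE = re.compile(r"client \S+ (?P<src>[\da-fA-F.:]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label (0.0 for empty input)."""
    n = len(label)
    counts = Counter(label.lower())
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def parse_line(line: str):
    """Return (source IP, lowercase qname, qtype) or None for lines that are not queries."""
    m = QUERY_RE.search(line)
    return (m["src"], m["qname"].rstrip(".").lower(), m["qtype"]) if m else None

def analyze(lines, max_label=40, min_entropy=3.5, rate_threshold=3):
    """Apply the three log checks and return what each one flags (thresholds are assumptions)."""
    per_source = Counter()
    names_per_zone = defaultdict(set)
    suspicious_names = set()
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        src, qname, _qtype = parsed
        per_source[src] += 1                       # step 2: query volume per source
        labels = qname.split(".")
        names_per_zone[".".join(labels[-2:])].add(qname)  # many unique names under one zone
        # step 1: long or high-entropy labels are typical of encoded payload chunks
        if any(len(lab) >= max_label or label_entropy(lab) >= min_entropy for lab in labels):
            suspicious_names.add(qname)
    return {
        "suspicious_names": suspicious_names,
        "high_rate_sources": {s: n for s, n in per_source.items() if n >= rate_threshold},
        "zones_with_many_unique_names": {z: len(s) for z, s in names_per_zone.items() if len(s) >= rate_threshold},
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```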

Mitigation Strategies

  • Restrict Outbound DNS to only allow authorized resolvers.
  • Implement DNS Sinkholing to redirect malicious queries.
  • Use DNSSEC to prevent DNS spoofing.
  • Monitor for Large DNS Responses, which may indicate data exfiltration.

What Undercode Say

DNS tunneling remains a stealthy attack vector, often bypassing traditional security controls. Organizations must:
– Log and analyze DNS traffic for anomalies.
– Enforce strict DNS policies (e.g., allowlisting known resolvers).
– Leverage threat intelligence to block malicious domains preemptively.
– Use machine learning to detect unusual DNS patterns.

For defenders, continuous monitoring and proactive blocking are key. Tools like Zeek (Bro), Suricata, and Palo Alto’s DNS Security can help detect and mitigate such threats.

Expected Output:

  • DNS query logs showing long, randomized subdomains.
  • High volume of DNS requests from single sources.
  • Unusual TXT/PTR records in DNS responses.
  • Firewall alerts for blocked malicious domains.

For further reading, visit: Palo Alto Unit 42 Report.

References:

Reported By: Unit42 Dns – Hackers Feeds