

As of LCOS 10.50 RC3, all DNS queries that pass through the LANCOM DNS forwarder are subjected to a security check. This check prevents data tunnels from being transported inside DNS messages.

Companies and organisations usually allow the DNS protocol to pass through their firewall in both directions, because employees need it to reach external websites and because customers and prospects, in turn, need to be able to find the company's own websites.

One way to attack a network via DNS is DNS tunneling. Here, DNS requests are misused to implement a command and control channel for malware: incoming DNS traffic carries the commands to the malware, and outgoing DNS traffic carries sensitive data and information to the attacker. DNS tunneling can also be used to circumvent network rules, e.g. to bypass hotspot logins or blocked services.

Because the DNS protocol is very flexible, such attacks usually succeed. The requests are crafted so that they are forwarded to DNS servers controlled by the attacker; those servers receive the requests and return data in the corresponding DNS responses.

Since numerous DNS tunneling tools are available for download on the Internet, DNS tunneling attacks can be carried out quite easily. Even inexperienced attackers are thus able to smuggle data past the security devices of a network (e.g. a firewall) or, for example, to bypass the login of a (paid) WLAN hotspot without the requesting WLAN client having to authenticate.

The check is enabled by default, but it can be disabled if required in the configuration under the menu DNS → Filter/Aliases → DNS Tunnel Filter. However, we recommend leaving the check enabled.

Possible error pattern that can occur when the check is activated:

In rare cases, so-called false positives can occur during normal DNS operation, i.e. certain legitimate DNS packets are incorrectly classified as DNS data tunnels.

The error pattern can be analysed with a DNS trace on the LANCOM router (see the following figure):


In this case, the following additional entries are written to the syslog of the LANCOM router:
