Hackers use DNS tunneling for network scanning, tracking victims
DNS tunneling is the encoding of data or commands that are sent and retrieved via DNS queries, essentially turning DNS, a fundamental network communication component, into a covert communications channel.
Hackers commonly use DNS tunneling to bypass network firewalls and filters, employing the technique for command and control and Virtual Private Network operations.
Palo Alto Networks' Unit 42 security research team recently discovered additional use of DNS tunneling in malicious campaigns involving victim tracking and network scanning.
The DNS queries used in this campaign were periodically repeated to enable real-time data gathering, detect status changes, and test the response of different network parts to unsolicited DNS requests.
Threat actors opt for DNS tunneling over more traditional methods like tracking pixels and regular network scanning tools for several reasons, including the ability to bypass security tools, avoid detection, and maintain operational versatility.
It's advisable to limit the DNS resolvers in the network to handle only the necessary queries, reducing the potential for DNS tunneling misuse.
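The traits described above (data encoded into query names, repeated periodically) can be hunted for in resolver logs. The sketch below is an added example, not code from Unit 42 or the article; the log format, the thresholds and the `tunnel-test.invalid` domain are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "epoch_seconds client_ip qname" (not real traffic).
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com
1010 10.0.0.5 mail.example.com
1000 10.0.0.9 mzxw6ytboi2gk3tu.t.tunnel-test.invalid
1060 10.0.0.9 nbswy3dpeb3w64tm.t.tunnel-test.invalid
1120 10.0.0.9 orugs4zanfzsa5dp.t.tunnel-test.invalid
1180 10.0.0.9 ifbegrcfizduqskk.t.tunnel-test.invalid
"""

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def base_domain(qname, labels=2):
    # Assumption: the last two labels approximate the registered domain;
    # production code should consult the Public Suffix List instead.
    return ".".join(qname.rstrip(".").split(".")[-labels:])

def find_tunnel_candidates(log, min_unique=4, min_entropy=3.0, min_len=12):
    """Flag (client, domain) pairs with many long, high-entropy leftmost labels."""
    groups = defaultdict(list)  # (client, base domain) -> [(ts, leftmost label)]
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, qname = parts
        groups[(client, base_domain(qname))].append((int(ts), qname.split(".")[0].lower()))
    findings = []
    for (client, domain), rows in groups.items():
        labels = {label for _, label in rows}
        if len(labels) < min_unique:
            continue
        encoded = [l for l in labels if len(l) >= min_len and entropy(l) >= min_entropy]
        if len(encoded) < 0.8 * len(labels):
            continue
        times = sorted(ts for ts, _ in rows)
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Near-constant spacing (within 5 s) suggests automated, periodic queries.
        periodic = bool(gaps) and max(gaps) - min(gaps) <= 5
        findings.append({"client": client, "domain": domain,
                         "unique_labels": len(labels), "periodic": periodic})
    return findings
```

Legitimate services such as CDNs and some security products also generate long, random-looking labels, so findings are leads for review rather than verdicts.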