DNS, the backbone of the internet, helps translate human-readable domain names into IP addresses. While essential, its permissive nature in many networks also makes it an attractive channel for attackers to exfiltrate sensitive data or establish covert command-and-control (C2) communication—a technique known as DNS tunneling.
Existing DNS tunneling detection methods rely on analyzing patterns and statistical features across a sequence or session of DNS queries. While helpful in identifying ongoing tunneling activity or for forensic analysis, this approach cannot detect or prevent data loss in the very first few tunneling queries. Even a small amount of leaked data, like a password or a critical token, can be devastating for an enterprise.
This situation presents a critical challenge. How can organizations significantly improve their ability to rapidly identify and mitigate DNS tunneling attacks right as they begin?
To address this, we've developed a groundbreaking solution: Per Query Sanitization for Immediate DNS Tunneling Detection. It's the first system that can detect malicious DNS requests designed for data exfiltration as early as the first query.
Unlike traditional session-based methods, our new detector analyzes each DNS query individually. This per-query sanitization is critical for truly preventing data loss.
The system individually analyzes FQDNs in cache-missed DNS queries. A prefilter quickly removes non-tunneling domains using rules such as trusted and invalid TLDs, as well as known benign domains and patterns. If not filtered out, the FQDN is analyzed by an ML classifier, which examines features related to the FQDN, such as the authoritative nameserver's properties, domain ownership and hosting indicators, and suspicious patterns.
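To make the two-stage flow concrete, here is an added example (not Palo Alto Networks' code) of a per-query pipeline: a rule prefilter runs first on a single FQDN, and only names that survive it are scored. The TLD lists, allowlist, benign patterns, feature weights and threshold are all constructed assumptions, and the linear score is a stand-in for the ML classifier the post describes.

```python
# Added illustration, not the vendor's implementation: rule prefilter followed by
# lexical scoring of one FQDN. All lists, weights and thresholds are constructed.
import math
from collections import Counter

VALID_TLDS = {"com", "net", "org", "io", "gov", "mil", "arpa"}  # constructed subset
TRUSTED_TLDS = {"gov", "mil"}                                   # assumed not tunneling
BENIGN_DOMAINS = {"example.com", "example.net"}                 # assumed allowlist
BENIGN_SUFFIXES = ("in-addr.arpa", "ip6.arpa")                  # reverse-DNS pattern

def entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def prefilter(fqdn: str):
    """Return the rule that drops this FQDN before the classifier, or None."""
    name = fqdn.lower().rstrip(".")
    labels = name.split(".")
    tld, root = labels[-1], ".".join(labels[-2:])
    if tld not in VALID_TLDS:
        return "invalid-tld"
    if tld in TRUSTED_TLDS:
        return "trusted-tld"
    if root in BENIGN_DOMAINS:
        return "known-benign"
    if name.endswith(BENIGN_SUFFIXES):
        return "benign-pattern"
    return None

def features(fqdn: str) -> dict:
    labels = fqdn.lower().rstrip(".").split(".")
    sub = "".join(labels[:-2])  # everything below the registrable root domain
    return {"sub_len": len(sub),
            "longest_label": max((len(l) for l in labels[:-2]), default=0),
            "entropy": entropy(sub),
            "digit_ratio": sum(ch.isdigit() for ch in sub) / len(sub) if sub else 0.0}

def score(f: dict) -> float:
    """Stand-in for the ML classifier: a weighted linear score in [0, 1]."""
    return round(0.35 * min(f["sub_len"] / 60, 1) + 0.35 * min(f["entropy"] / 4.5, 1)
                 + 0.15 * min(f["longest_label"] / 40, 1) + 0.15 * f["digit_ratio"], 3)

def analyze(fqdn: str, threshold: float = 0.6) -> dict:
    reason = prefilter(fqdn)  # stage 1: cheap rules on the single cache-missed query
    if reason:
        return {"fqdn": fqdn, "verdict": "benign", "stage": "prefilter", "reason": reason}
    s = score(features(fqdn))  # stage 2: only names the prefilter did not remove
    return {"fqdn": fqdn, "verdict": "tunnel" if s >= threshold else "benign",
            "stage": "classifier", "score": s}
```

A production classifier would add the non-lexical features the post names (nameserver properties, ownership and hosting indicators), which this lexical-only stand-in omits.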
In a real-world deployment, this system analyzed billions of DNS queries from approximately 30,000 organizations globally. It identified 358 confirmed tunneling root domains. Remarkably, 349 of these tunnels (the vast majority) were detected on the initial DNS query. An additional six were identified by the second query, and the remaining three were caught within the first six queries. These findings strongly support the system's capability to promptly detect tunneling activity, often with the very first query.
Key Benefits
Our Per Query Sanitization for DNS Tunneling Detection offers critical advantages:
DNS tunneling remains a persistent threat, with attackers constantly evolving their methods. Traditional defenses that examine groups of DNS queries can leave a gap, allowing data to escape before the threat is fully recognized.
Our groundbreaking Per Query Sanitization for DNS Tunneling Detection closes this gap. It's designed to identify tunneling attempts immediately, analyzing each DNS query as it happens, starting with the very first one. This ability to detect tunneling attempts immediately after the first query offers enterprises a powerful new defense to minimize initial data loss and strengthen their overall security posture against this stealthy threat.
The Per-Query Sanitization enhancement for DNS Tunneling in ADNS Security is scheduled for release on June 6, 2025.
If DNS Security is enabled and you have configured policy actions for Command and Control Domains (the parent category for existing DNS Tunnel Detection), no further action or configuration changes are necessary.
It will be available on PAN-OS releases that support the C2 category for DNS Security (PAN-OS 9.0 or later).