DNS attacks on the rise, says survey

Two-thirds of the web traffic logs analyzed by Domain Name System specialists showed signs of malicious activity, according to a new report.

Two-thirds of the Domain Name System traffic logs analyzed by security specialists showed signs of malicious activity, according to a new report.

Infoblox, a DNS infrastructure security company, analyzed 559 web traffic logs submitted by 248 customers and potential clients in the second quarter of 2016.

Three hundred and sixty-nine files, or 66 percent of those uploaded, showed evidence of suspicious activity, the company said in its Q2 Security Assessment Report.

The DNS is the network of servers around the world that translates the written web address — for example, — into a numerical IP address to which a web browser can direct its user’s traffic. DNS servers are like roadsigns on the web, directing traffic to a proper internet address.


But because of this, says Infoblox, DNS traffic is trusted and many companies don’t monitor it or check it for malicious activity.

Thirteen percent of the logs they analyzed showed DNS traffic to ransomware servers, and 40 percent contained evidence of DNS tunneling — a technique often used by hackers to evade or bypass firewalls when exfiltrating stolen data.

Other kinds of activity detected in the logs include botnet and DDoS traffic.

“DNS tunneling enables cybercriminals to insert malware or pass stolen information through DNS,” using it “as a covert communication channel to bypass firewalls,” the report states.

Project Sauron — the highly advanced hacking group linked by many observers to the NSA — used DNS tunneling to exfiltrate data, but Infoblox says that the technique is not reserved for highly skilled attackers.


“There are several off-the-shelf [DNS] tunneling toolkits readily available on the Internet, so that hackers don’t always need technical sophistication to mount DNS tunneling attacks,” the report states.

“In the physical world, burglars will go to the back door when you’ve reinforced and locked the front door,” said Rod Rasmussen, vice president of cybersecurity at Infoblox. “Cybersecurity is much the same. The widespread evidence of DNS tunneling … shows cybercriminals at all levels are fully aware of the opportunity.”
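The article's point that DNS traffic often goes unmonitored suggests a simple log check, shown here as an added example that is not from the Infoblox report or from CyberScoop. It flags parent domains that receive many unique, long, high-entropy subdomain queries, a common sign of data encoded into DNS names; the log format, domain names and thresholds are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

def build_sample_log():
    """Constructed query log ("client qname" per line); not data from the report."""
    lines = [f"10.0.0.5 {h}.example.com" for h in ("www", "mail", "api", "cdn")]
    lines += [f"10.0.0.7 img{i}.static.example.org" for i in range(6)]
    # Tunnel-like traffic: each query carries a long encoded chunk as a label.
    for i in range(6):
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        lines.append(f"10.0.0.9 {chunk}.tunnel-test.example")
    return lines

def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def flag_tunnel_candidates(lines, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Return {parent_domain: (unique_subdomains, avg_length, entropy)} for suspects."""
    subs = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        labels = parts[1].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain to inspect
        # Assumption: the last two labels are the registered domain. Production
        # code should consult the Public Suffix List instead.
        subs[".".join(labels[-2:])].add(".".join(labels[:-2]))
    flagged = {}
    for parent, names in subs.items():
        avg_len = sum(map(len, names)) / len(names)
        entropy = shannon_entropy("".join(names))
        if len(names) >= min_unique and avg_len >= min_avg_len and entropy >= min_entropy:
            flagged[parent] = (len(names), round(avg_len, 1), round(entropy, 2))
    return flagged

if __name__ == "__main__":
    for domain, stats in flag_tunnel_candidates(build_sample_log()).items():
        print(domain, stats)
```

Requiring all three signals together keeps ordinary sites with many short hostnames, such as the constructed `example.org` entries, from being flagged.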

Written by Shaun Waterman
