Using DNS against air-gapped networks.
Dec 8, 2022

Air-gapped networks may be more connected than you think.

Pentera has published a report showing how attackers can use DNS tunneling to communicate with air-gapped networks.

Blind spots in air-gapped networks.

Organizations often use air-gapped networks to isolate their sensitive assets. Theoretically, these networks should be entirely cut off from the outside Internet. Pentera explains, however, “While air-gapped networks may not have direct access to the Internet, they still often require DNS services in order to resolve a company’s internal DNS records.... [M]any organizations often make the mistake of thinking that by routing communication over an internal DNS server they are preventing a potential breach. However, they are still susceptible as the internal DNS server can still connect with a public DNS server.”

If an attacker gains the owner rights to a root record within the organization, they can create a Name Server that can communicate with the air-gapped network over DNS. This isn’t trivial, since DNS traffic is usually sent over UDP and the attacker has “no control over the flow or sequence of data transmission.” These obstacles can be overcome, however. For example, if the payload is compressed before sending and decompressed after it’s received, the attacker can verify whether the data has been corrupted.

Mitigations against DNS attacks.

The researchers offer the following recommendations to defend against these attacks:

  • “Use a dedicated, offline DNS server for air-gapped networks and monitor any outside access attempts
  • “DNS filtering – Use a secure DNS service with advanced anomaly DNS analysis such as:
      1. “DNS requests with big length
      2. “Amount of DNS requests per minutes/hour/day”
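
The two anomaly signals in the quoted recommendations (unusually long DNS requests and request volume per time window) can be checked against resolver query logs. The following is an added example, not code from Pentera or from the original article; the log format, the thresholds, the `parent_domain` and `analyze` helpers and the sample lines are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Assumed thresholds for illustration; tune them against your own baseline.
MAX_QNAME_LEN = 60   # total query-name length treated as "big"
MAX_PER_MINUTE = 5   # queries per client, per parent domain, per minute

# Constructed sample resolver log: "<ISO timestamp> <client IP> <query name>"
SAMPLE_LOG = [
    "2022-12-08T10:00:01 10.0.0.5 intranet.corp.example",
    "2022-12-08T10:00:40 10.0.0.5 mail.corp.example",
    "2022-12-08T10:01:05 10.0.0.9 " + "a1b2c3d4" * 7 + ".t.zone.example",
] + [f"2022-12-08T10:02:{s:02d} 10.0.0.9 c{s}.t.zone.example"
     for s in range(0, 60, 10)]


def parent_domain(qname):
    """Group by the last two labels (simplification: a production
    version should use the Public Suffix List)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def analyze(lines):
    """Return (long_queries, bursts) for the two signals."""
    long_queries, rate = [], Counter()
    for line in lines:
        ts, client, qname = line.split()
        if len(qname) > MAX_QNAME_LEN:
            long_queries.append((client, qname))
        minute = datetime.fromisoformat(ts).replace(second=0)
        rate[(client, parent_domain(qname), minute)] += 1
    bursts = {k: n for k, n in rate.items() if n > MAX_PER_MINUTE}
    return long_queries, bursts


if __name__ == "__main__":
    long_queries, bursts = analyze(SAMPLE_LOG)
    for client, qname in long_queries:
        print(f"LONG  {client} len={len(qname)} {qname}")
    for (client, domain, minute), n in bursts.items():
        print(f"BURST {client} -> {domain} {n} queries at {minute:%H:%M}")
```

The same counter works for hourly or daily windows by truncating the timestamp to the hour or the date instead of the minute.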