
The Most Frequent DNS Management Errors and How to Fix Them

Want to be sure your DNS setup isn’t weakening your security or network performance? GREYCORTEX experts highlight the most frequent mistakes from countless network audits. This guide breaks them down with practical examples and clear steps for remediation.

DNS plays a far greater role than simply resolving names to IP addresses. It shapes where users are redirected and reveals which servers devices connect to. DNS traffic is powerful: whoever controls or intercepts it can redirect users, map internal services, or extract sensitive data. That is why DNS remains one of the most overlooked but impactful parts of network security.

Unrestricted DNS Port 53 as a Security Risk

In many networks, outbound port 53 is left completely open, meaning any internal device can send DNS traffic to any host on the Internet. This critical vulnerability allows attackers to create a DNS tunnel and send arbitrary data through it, hidden inside DNS queries. For example, using software like Iodine, they can establish a reverse SSH tunnel from the Internet into the internal network, creating permanent, undetected access.

From an analyst’s perspective, this looks like normal communication with a legitimate DNS server, but a closer look at the data patterns, such as constantly changing third-level names under one domain (e.g., `freemovies.tk`) or the use of unusual record types (like NULL in the `rrtype` attribute), betrays the presence of tunneling attempts.

Remediation Tips from GREYCORTEX Experts:

  • Block outbound port 53 for all but your authorized DNS servers.
  • Monitor DNS logs for anomalies such as unusual third-level domain patterns or unexpected record types.
  • Treat repeated NULL or other rare `rrtype` values as strong indicators of tunneling attempts.

When Port 53 Is Legitimately Needed: If port 53 must remain open for corporate resolvers or authorized external providers, restrict it to those trusted resolvers only. Additionally, audit devices that attempt direct resolution against Internet DNS servers, as this often signals malware activity.
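As an added example (not code from the article or from GREYCORTEX), the following script applies the indicators above to constructed DNS log lines: queries sent to a resolver outside an assumed authorized set, NULL records, and churning random-looking third-level labels under one registrable domain. The log format, the resolver addresses and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS log lines (not from the article): client resolver qname rrtype
SAMPLE_LOG = """\
10.0.1.5 10.0.0.53 www.example.com A
10.0.1.5 10.0.0.53 mail.example.com MX
10.0.1.9 10.0.0.53 a8f3k2j9x1q.t.freemovies.tk NULL
10.0.1.9 10.0.0.53 z9q1pl0x7yt.t.freemovies.tk NULL
10.0.1.9 10.0.0.53 mm2k8ab3c7w.t.freemovies.tk NULL
10.0.1.9 10.0.0.53 r7qz1e9xs0v.t.freemovies.tk TXT
10.0.1.22 8.8.8.8 update.vendor.example A
"""

AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}  # assumed corporate resolvers
RARE_RRTYPES = {"NULL"}  # record types with no legitimate use on this network

def registrable_domain(qname):
    # Simplification: the last two labels. A production tool should use the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def shannon_entropy(label):
    # Bits per character: random tunnel payload labels score high, ordinary hostnames score low.
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            client, resolver, qname, rrtype = line.split()
            records.append((client, resolver, qname.lower(), rrtype.upper()))
    return records

def analyze(records, min_unique_labels=3, min_mean_entropy=3.0):
    # Returns (finding, client, ...) tuples; thresholds are assumptions to tune per network.
    findings, seen = [], set()
    leftmost_labels = defaultdict(set)  # (client, registrable domain) -> distinct leftmost labels
    for client, resolver, qname, rrtype in records:
        if resolver not in AUTHORIZED_RESOLVERS and (client, resolver) not in seen:
            seen.add((client, resolver))
            findings.append(("unauthorized_resolver", client, resolver))
        if rrtype in RARE_RRTYPES:
            findings.append(("rare_rrtype", client, qname, rrtype))
        leftmost_labels[(client, registrable_domain(qname))].add(qname.split(".")[0])
    for (client, domain), labels in leftmost_labels.items():
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if len(labels) >= min_unique_labels and mean_entropy >= min_mean_entropy:
            findings.append(("subdomain_churn", client, domain, len(labels)))
    return findings
```

Running `analyze(parse_log(SAMPLE_LOG))` flags the client talking to `8.8.8.8`, the three NULL queries, and the churning labels under `freemovies.tk`, while the ordinary client is not reported.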

Uncontrolled Encrypted DNS (DoH and DoT)

Encrypted DNS protocols like DNS over HTTPS (DoH) on port 443 and DNS over TLS (DoT) on port 853 are designed for user privacy but create significant blind spots in corporate networks. They hide DNS traffic inside encrypted sessions, preventing inspection and policy enforcement. Attackers can leverage these methods to tunnel data, bypass corporate resolvers, or maintain persistence.

While DoT (port 853) is generally easier to block, DoH (port 443) is much harder because it masquerades as normal HTTPS traffic.

Remediation Tips from GREYCORTEX Experts:

  • Block outbound port 853 unless explicitly required by policy.
  • Monitor TLS traffic for signatures and patterns of DoH usage inside port 443, and block the specific DoH resolver domains if they pose an unwanted security risk.
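As an added example (not code from the article or from GREYCORTEX), this classifier applies the two tips above to constructed connection records: any port 853 session is DoT and is allowed only towards an assumed authorized resolver, while port 443 sessions are flagged as DoH when the TLS SNI matches a starter list of public DoH hostnames or, where a TLS-inspecting proxy exposes HTTP fields, when the RFC 8484 media type `application/dns-message` or the conventional `/dns-query` path appears. The record layout, addresses and hostname list are assumptions.

```python
# Constructed connection records (not from the article). "path" and "ctype" are HTTP fields
# that are only visible where TLS is decrypted (e.g. by an inspecting proxy); otherwise None.
SAMPLE_CONNECTIONS = [
    {"src": "10.0.1.5", "dst": "10.0.0.53", "dport": 853, "sni": "dns.corp.example", "path": None, "ctype": None},
    {"src": "10.0.1.9", "dst": "203.0.113.10", "dport": 853, "sni": "resolver.example.net", "path": None, "ctype": None},
    {"src": "10.0.1.9", "dst": "203.0.113.20", "dport": 443, "sni": "dns.google", "path": None, "ctype": None},
    {"src": "10.0.1.12", "dst": "203.0.113.30", "dport": 443, "sni": "www.example.com", "path": "/index.html", "ctype": "text/html"},
    {"src": "10.0.1.12", "dst": "203.0.113.40", "dport": 443, "sni": "cdn.example.org", "path": "/dns-query", "ctype": "application/dns-message"},
]

AUTHORIZED_DOT_RESOLVERS = {"10.0.0.53"}  # assumed: the corporate resolver that offers DoT
# Starter list of public DoH endpoint hostnames; maintain your own from vendor documentation.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}
DOH_CONTENT_TYPE = "application/dns-message"  # media type defined by RFC 8484
DOH_PATH_HINT = "/dns-query"  # conventional DoH path; not mandatory, so treat as a hint only

def classify(conn):
    # Returns (verdict, reason) for one connection record.
    if conn["dport"] == 853:
        if conn["dst"] in AUTHORIZED_DOT_RESOLVERS:
            return ("allow", "dot_to_authorized_resolver")
        return ("block", "dot_to_unauthorized_resolver")
    if conn["dport"] == 443:
        if (conn["sni"] or "").lower() in KNOWN_DOH_HOSTS:
            return ("block", "doh_known_resolver_sni")
        if conn["ctype"] == DOH_CONTENT_TYPE or (conn["path"] or "").startswith(DOH_PATH_HINT):
            return ("block", "doh_by_http_fields")
    return ("allow", "no_encrypted_dns_indicator")

def review(connections):
    # One (src, dst, verdict, reason) row per record, in input order.
    return [(c["src"], c["dst"]) + classify(c) for c in connections]
```

Without TLS inspection only the SNI and port checks apply, so the last record would go unnoticed; that is the blind spot the section describes.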

Using Unregistered or External Domains

During audits, experts found cases where companies created secondary domains (e.g., `company2v.com`) but failed to register or control them. When administrators set up proxy servers via Windows Group Policy (GPO), workstations attempted to reach a non-existent, externally owned domain (e.g., `wpad.company2v.com`) to fetch settings.

Since the external party controlled the domain, they could redirect internal corporate devices to any server on the Internet, opening the door for man-in-the-middle attacks, for example delivering malware under the guise of legitimate updates. A minor oversight in domain registration became a direct attack path.

Remediation Tips from GREYCORTEX Experts:

  • Always register and control all domains that resemble your internal naming scheme.
  • Audit which domains are in active use on your network and confirm ownership.
  • Pay close attention to automatically generated names such as `wpad.domain.com`, which attackers often abuse.
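As an added example (not code from the article or from GREYCORTEX), this audit script checks query names observed in DNS logs against an assumed list of domains the organization actually owns. It reports unowned domains that look like the corporate naming scheme, either by containing the brand token or by being one typo away from an owned domain, and separately reports automatically generated names such as `wpad` that point at an unowned domain. The domain lists and query names are constructed.

```python
# Constructed inputs (not from the article): domains the organization registers and controls,
# a brand token used to spot lookalikes, and query names observed in DNS logs.
OWNED_DOMAINS = {"company.com", "company.net"}
BRAND_TOKENS = {"company"}
AUTOCONFIG_HOSTS = {"wpad", "autodiscover", "isatap"}  # names clients generate automatically
OBSERVED_QNAMES = [
    "wpad.company.com",
    "wpad.company2v.com",
    "mail.company.com",
    "autodiscover.companv.com",
    "www.example.org",
]

def registrable_domain(qname):
    # Simplification: the last two labels. Use the Public Suffix List in production.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance, used to catch domains one character away from an owned one.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(qnames, max_typo_distance=1):
    # Returns (issue, qname, registrable_domain) tuples for names that need ownership review.
    findings = []
    for qname in qnames:
        domain = registrable_domain(qname)
        if domain in OWNED_DOMAINS:
            continue  # owned and controlled: nothing to review
        host = qname.lower().split(".")[0]
        lookalike = any(tok in domain for tok in BRAND_TOKENS) or any(
            edit_distance(domain, owned) <= max_typo_distance for owned in OWNED_DOMAINS)
        if lookalike:
            findings.append(("unowned_lookalike_domain", qname, domain))
        if host in AUTOCONFIG_HOSTS:
            findings.append(("autoconfig_name_under_unowned_domain", qname, domain))
    return findings
```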

Misspellings in DNS Server IP Addresses

Not all DNS errors stem from complex attacks; sometimes they are simple human mistakes. Typos in DNS server configurations, such as a mistyped address for Google’s resolvers or for a private IP range, are frequently encountered.

While such mistakes on user workstations are usually noticed quickly, errors on manually configured devices (like IoT equipment) can persist unnoticed, preventing critical updates or causing hidden communication failures. In the worst case, a typo may resolve to a legitimate Internet DNS server, causing internal queries to leak outside the company network.

Remediation Tips from GREYCORTEX Experts:

  • Use centralized configuration management (like GPO or RMM tools) to reduce manual DNS entry errors.
  • Continuously monitor DNS traffic for failed query destinations or unusual external communications.
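As an added example (not code from the article or from GREYCORTEX), this check validates the resolver addresses configured on manually managed devices against an assumed approved list. It separates addresses that are not addresses at all, private addresses that are probably a mistyped internal resolver (suggesting the nearest approved one when only one octet differs), and public addresses that would leak internal queries to the Internet. The approved list and the device inventory are constructed, and only IPv4 is considered.

```python
import ipaddress

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}  # assumed corporate resolvers (IPv4 only)
# Constructed device inventory (not from the article): device -> DNS servers set by hand on it.
INVENTORY = {
    "printer-01": ["10.0.0.53", "10.0.0.54"],
    "camera-07": ["10.0.0.35"],     # digits transposed: points at nothing
    "sensor-12": ["8.8.8.8"],       # public resolver: internal queries leave the network
    "hvac-03": ["8.8.8.7"],         # typo of a public resolver: resolution fails silently
    "badge-02": ["10.0.0.533"],     # not an address at all
}

def octet_distance(a, b):
    # Number of differing octets between two dotted-quad strings.
    return sum(x != y for x, y in zip(a.split("."), b.split(".")))

def check_resolver(addr):
    # Classifies one configured resolver; suggests the nearest approved address for likely typos.
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return ("invalid_address", None)
    if addr in APPROVED_RESOLVERS:
        return ("approved", None)
    nearest = min(APPROVED_RESOLVERS, key=lambda a: octet_distance(addr, a))
    suggestion = nearest if octet_distance(addr, nearest) <= 1 else None
    if ip.is_private:
        return ("unapproved_private", suggestion)   # probably a mistyped internal resolver
    return ("unapproved_public", suggestion)        # queries would leak to the Internet

def audit(inventory):
    # device -> list of (address, classification, suggestion)
    return {dev: [(addr,) + check_resolver(addr) for addr in addrs]
            for dev, addrs in inventory.items()}
```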

Why DNS Hygiene Demands Constant Attention

Modern attackers do not need to break firewalls if DNS gives them a way in. Unrestricted queries on port 53, tunneling hidden inside DoT/DoH, unregistered domains, or misconfigured servers all provide silent channels for persistence or data exfiltration. Continuous auditing and long-term monitoring are the only ways to uncover these errors before they escalate into outages or breaches.

GREYCORTEX Mendel provides you with visibility into your DNS traffic, alerts on unauthorized resolvers, and detects tunneling patterns.

About GREYCORTEX

GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
