Identifying Network IOCs: DNS Tunneling

February 24, 2024

DNS is the backbone of the internet, serving as the directory that translates human-readable domain names into machine-readable IP addresses. It plays a crucial role in connecting users to websites, applications, and services across the globe. Without DNS, navigating the internet would be a daunting task of remembering long strings of numbers.
Introduction to DNS Tunneling:
DNS (Domain Name System) translates FQDNs (Fully Qualified Domain Names) into IP addresses. It is not designed for data transfer, so many organizations don't monitor DNS traffic. However, it is possible to hide data inside the DNS protocol. This is called DNS tunneling and is used by hackers to evade firewalls, bypass captive portals, download malware or exfiltrate stolen data.

To execute this attack, hackers need a domain. The nameserver of this domain will forward DNS requests to a server, which is equipped with the DNS tunneling server utility. A victim machine will use the DNS tunneling client utility to send specially crafted DNS requests to the attacker's server. Specifically, the hostname part of the DNS request contains encoded data, which the server utility can read and decode. This way, the DNS tunneling tool allows data transmission between the client and the server via DNS requests.
Common tools for DNS Tunneling:
1)   iodine: A tool for tunneling IPv4 traffic, which creates a virtual network between the server and all of its clients. This means that the computers can interact and reach each other on any UDP/TCP port. The tunneled data is not encrypted, although this can be remedied by running an SSH session over the tunnel. Iodine is the tool used in this module for DNS tunneling.
2)   dnscat2: This tool focuses on command and control via an encrypted channel.
How to detect DNS Tunneling:
1)   A basic and straightforward way to detect DNS tunneling is to look at the amount of DNS traffic generated by a specific client IP address. Because of the DNS protocol's limits, tunneled data is typically restricted to only 512 bytes per request. Therefore, a large number of requests is required for any meaningful communication. Additionally, if the client is polling the server, it will generate requests continuously.
2)   Another indicator of DNS tunneling is the presence of unusually long DNS queries. The maximum length of a standard UDP DNS message is 512 bytes. Because DNS tunneling tools want to squeeze out the maximum bandwidth possible, they usually create long DNS queries.
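The following Python script is an added example, not code from the original article: it applies these two primary indicators, per-client query volume and query-name length, to a constructed sample resolver log. The log format ("client_ip qname" per line), the thresholds, the client addresses and the tunnel-demo.test domain are all assumptions for the demo.

```python
# Added example (not from the original article): per-client DNS query volume and
# query-name length heuristics over a constructed sample log.
from collections import Counter, defaultdict

# Constructed sample DNS query log, "client_ip qname" per line. The two clients,
# the domains and the base32-looking labels are all made up for this demo.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 www.example.com
10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjuwi2lboj.uwizltn5rhk3dvnzvhs4tbon2w24dlnfuxgz3ufqqhi2dfebuw.t.tunnel-demo.test
10.0.0.7 nfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjuwi2lboj.uwizltn5rhk3dvnzvhs4tbon2w24dlnfuxgz3ufqqhi2dfebuw.t.tunnel-demo.test
10.0.0.7 ofrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjuwi2lboj.uwizltn5rhk3dvnzvhs4tbon2w24dlnfuxgz3ufqqhi2dfebuw.t.tunnel-demo.test
10.0.0.7 pfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjuwi2lboj.uwizltn5rhk3dvnzvhs4tbon2w24dlnfuxgz3ufqqhi2dfebuw.t.tunnel-demo.test
10.0.0.7 qfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjuwi2lboj.uwizltn5rhk3dvnzvhs4tbon2w24dlnfuxgz3ufqqhi2dfebuw.t.tunnel-demo.test
10.0.0.7 rfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjuwi2lboj.uwizltn5rhk3dvnzvhs4tbon2w24dlnfuxgz3ufqqhi2dfebuw.t.tunnel-demo.test
10.0.0.7 sfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjuwi2lboj.uwizltn5rhk3dvnzvhs4tbon2w24dlnfuxgz3ufqqhi2dfebuw.t.tunnel-demo.test
10.0.0.7 tfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjuwi2lboj.uwizltn5rhk3dvnzvhs4tbon2w24dlnfuxgz3ufqqhi2dfebuw.t.tunnel-demo.test
"""

# Thresholds are assumptions for the demo; in practice derive them from a
# baseline of your own resolver logs.
MAX_NORMAL_QNAME_LEN = 100   # a full query name may reach 253 chars; normal ones are far shorter
HIGH_VOLUME_THRESHOLD = 8    # queries per client within the observed window


def parse_dns_log(text):
    """Turn the 'client_ip qname' lines into (client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            client, qname = line.split()
            records.append((client, qname.lower().rstrip(".")))
    return records


def queries_per_client(records):
    """Indicator 1: how many DNS queries each client IP generated."""
    return Counter(client for client, _ in records)


def high_volume_clients(records, threshold=HIGH_VOLUME_THRESHOLD):
    """Clients whose query count reaches the volume threshold."""
    return sorted(c for c, n in queries_per_client(records).items() if n >= threshold)


def long_queries(records, max_len=MAX_NORMAL_QNAME_LEN):
    """Indicator 2: individual queries whose name is unusually long."""
    return [(c, q) for c, q in records if len(q) > max_len]


def mean_qname_length(records):
    """Average query-name length per client; tunnel clients stand out sharply."""
    total, count = defaultdict(int), Counter()
    for client, qname in records:
        total[client] += len(qname)
        count[client] += 1
    return {c: total[c] / count[c] for c in count}


def longest_label(qname):
    """Length of the longest label. DNS limits a single label to 63 bytes, so
    tunneling tools pack their data into several near-maximal labels."""
    return max(len(label) for label in qname.split("."))


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("queries per client:", dict(queries_per_client(recs)))
    print("high-volume clients:", high_volume_clients(recs))
    print("long queries:", len(long_queries(recs)))
    for client, avg in mean_qname_length(recs).items():
        print(f"{client}: mean qname length {avg:.1f}")
```

Both heuristics need a baseline: a busy workstation or a recursive resolver forwarding for a whole subnet will legitimately exceed a naive per-client count, so compare each client against its own history or its peers rather than against a fixed number.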
Other IOCs:

While the amount of DNS requests and the size of the requests are the most precise indicators, there are others. Some notable examples are:
Number of hostnames per domain:
DNS tunneling techniques send data in the subdomain part of a DNS query. Therefore, if you look at how many unique subdomains have been queried per domain, you should find that domains used for DNS tunneling receive queries for a considerable number of distinct subdomains.
Signatures:
Some intrusion detection systems (IDSs), like Snort, support signature-based detection of DNS tunneling utilities. If a rule has been written for a DNS tunneling tool's protocol, then that tunneling traffic can be detected.
Orphan DNS requests:
One approach is to look for what we expect to see but is missing. Usually, a DNS request is followed by another connection. For example, a DNS request for facebook.com would normally be followed by an HTTP request to the same domain. If there is an abundance of DNS requests without subsequent connections to the same domain, that can indicate compromise.
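The following Python script is an added example, not code from the original article, and covers the two indicators just described: the number of distinct subdomains queried per domain, and orphan DNS requests that are never followed by a connection to the resolved domain. It runs over a constructed DNS log and a constructed connection log (such as a web proxy would produce); the log formats, the time window, the thresholds and the simplified "last two labels" domain extraction are assumptions for the demo.

```python
# Added example (not from the original article): the "unique subdomains per
# domain" and "orphan DNS request" indicators over constructed sample logs.
from collections import defaultdict

# Constructed DNS query log, "epoch_seconds client_ip qname" per line. Clients,
# domains and the base32-looking labels are made up for this demo.
SAMPLE_DNS_LOG = """\
1000 10.0.0.5 www.example.com
1001 10.0.0.5 cdn.example.com
1002 10.0.0.7 nb2xg43bonswyzdfn5sgc3dfojzs4yldmfwxi.t.tunnel-demo.test
1003 10.0.0.7 ge3tqnzxgi4tgmrqgm2dkn3cmzuwe2lvmrqw42i.t.tunnel-demo.test
1004 10.0.0.7 jbswy3dpeblw64tmmqqhizltmfsgc4dsmvtgc.t.tunnel-demo.test
1005 10.0.0.7 krugkidrovuwg33onbugs3dpnzuweidbovzxi.t.tunnel-demo.test
1006 10.0.0.5 www.example.com
"""

# Constructed connection log (e.g. from a web proxy), "epoch_seconds client_ip dest_host".
SAMPLE_CONN_LOG = """\
1001 10.0.0.5 www.example.com
1003 10.0.0.5 cdn.example.com
1007 10.0.0.5 www.example.com
"""


def parse_log(text):
    """Parse 'timestamp client host' lines into (int, str, str) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, host = line.split()
            records.append((int(ts), client, host.lower().rstrip(".")))
    return records


def registered_domain(name):
    """Simplified domain extraction: the last two labels. Assumption for the
    demo; production code should use a public suffix list (co.uk and friends)."""
    return ".".join(name.split(".")[-2:])


def unique_subdomains_per_domain(dns_records):
    """Indicator: number of distinct query names seen under each domain."""
    seen = defaultdict(set)
    for _ts, _client, qname in dns_records:
        seen[registered_domain(qname)].add(qname)
    return {domain: len(names) for domain, names in seen.items()}


def flag_many_subdomains(dns_records, threshold):
    """Domains under which at least `threshold` distinct names were queried."""
    counts = unique_subdomains_per_domain(dns_records)
    return sorted(d for d, n in counts.items() if n >= threshold)


def orphan_lookup_counts(dns_records, conn_records, window_seconds):
    """Indicator: for each (client, domain), count DNS lookups that were NOT
    followed within window_seconds by a connection from that client to a host
    in the same domain."""
    conns = defaultdict(list)  # (client, domain) -> connection timestamps
    for ts, client, host in conn_records:
        conns[(client, registered_domain(host))].append(ts)
    orphans = defaultdict(int)
    for ts, client, qname in dns_records:
        key = (client, registered_domain(qname))
        followed = any(ts <= cts <= ts + window_seconds for cts in conns[key])
        if not followed:
            orphans[key] += 1
    return dict(orphans)


def flag_orphans(dns_records, conn_records, window_seconds, min_orphans):
    """(client, domain) pairs with at least `min_orphans` unanswered lookups."""
    counts = orphan_lookup_counts(dns_records, conn_records, window_seconds)
    return sorted(k for k, n in counts.items() if n >= min_orphans)


if __name__ == "__main__":
    dns = parse_log(SAMPLE_DNS_LOG)
    conn = parse_log(SAMPLE_CONN_LOG)
    print("unique subdomains:", unique_subdomains_per_domain(dns))
    print("many-subdomain domains:", flag_many_subdomains(dns, threshold=3))
    print("orphan lookups:", orphan_lookup_counts(dns, conn, window_seconds=5))
    print("flagged:", flag_orphans(dns, conn, window_seconds=5, min_orphans=3))
```

The orphan check only makes sense when the connection log covers every protocol the client could use after a lookup; if only HTTP proxy logs are available, lookups for mail or VPN hosts will show up as false positives, so the count threshold and the set of correlated logs should be tuned together.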
Conclusion

As technology evolves, so do the techniques employed by cybercriminals. It is essential to stay informed about the latest developments in DNS tunneling and other emerging threats. By staying proactive and continuously adapting your security strategies, you can safeguard your network infrastructure and protect your valuable data.