How DNS tunneling can be used for data exfiltration? And how can be detected?

DNS Tunneling is a technique that encodes data of other programs or protocols in DNS queries, including data payloads that can be added to an attacked DNS server and used to control a remote server and applications.

DNS tunneling was originally designed as a simple way to bypass the captive portals and gain free access to internet in restricted networks.
But recently it is often used for nefarious purposes such as a method of command and control and/or data exfiltration.

Typically, this technique requires the compromised system to have external network connectivity, and attacker must also control a domain and a server that can act as an authoritative server.


How can it be used for data exfiltration?

DNS is rarely monitored and analyzed so attackers can use tunneling in order to remote access to compromized assets without trigger any security event.

Here is the usual sequence of activities:

  • A client sends a request for a particular host name in a domain, with the payload (request or response) to the server encoded in the hostname being requested.
  • The server responds with its data in the fields of the response. DNS allows hostnames of up to 255 characters, with a limitation of 63 chars per label and is in the form: label3.label2.label1.example.com

So, splitting all traffic into this little slices, an attacker is able to transfer data without being noticed.

https://www.youtube.com/watch?v=UVYnVELzJk4


DNS Tunneling Tools

DNS Tunneling tools can be divided into two classes, depending on the abstraction layer at which the information is encapsulated.

The main part of DNS tunneling tools is aimed at building IP over DNS tunnels, namely encapsulating IP packets inside DNS queries.

NSTX

One of the first tool to realize IP over DNS.
Tunnels are realized on tun0 interface and replies are encoded into TXT records.

DNSCat2

Consists of two small programs, a server and client, written in Ruby.
The tunnel is made through local ports and data in replies are encapsulated in the CNAME record.

Iodine

It uses either Base32 or a noncompliant Base64 encoding to encode the data, and replies are sent using NULL records (RFC 1035, section 3.3.10).
Iodine splits IP packets into several DNS packets and send them separately. IP packets are resembled at the endpoint.

TUNS

It works exclusively on UNIX-like systems and encapsulates data in CNAME field.
It does not split IP packets in smaller DNS packets, polling periodically the rogue server with short queries.

In TCP over DNS tunnels, only packets that use TCP as transport protocol are encapsulated in the tunnel.

Dns2TCP

A tool able to encapsulate TCP packets over DNS tunnels, composed by a server-side and a client-side part. The server has a list of resources, services listening for TCP connection. The client listens on a predefined TCP port and relays each incoming connection to the final service using DNS. Information are encapsulated in the TXT field.

Heyoka

Heyoka comes as a single executable that can run in two modes: master and slave. The master acts as a server and will listen on a local port.
The slave acts as a client and will forward one of its ports through the tunnel and allow the attacker access to it by connecting to local port on the master machine.
The tool is not under active development anymore and according to its authors.

OzymanDNS 

A set of Perl scripts (open source) written by Dan Kaminsky in 2005. It was written as a sample implementation of a DNS Tunnel for the Blackhat Europe 2005 conference. So there exists only a 0.1 version.


How can be detected?

According this SANS's paper (by Greg Farnham), there are essentially two detection methods.

  1. Payload analysis, focused on domain names used in the malicious queries: using specific signatures and statistical methods it is possible to detect anomalous DNS traffic.
  2. Traffic analysis: looking at multiple requests/response pairs over time and checking the amount and frequency of requests for a single domain it is possible to spot DNS tunneling activities.


References and further readings