DNS tunneling techniques in cyberattacks

How DNS tunneling can be used for data exfiltration? And how can be detected?

DNS Tunneling is a technique that encodes data of other programs or protocols in DNS queries, including data payloads that can be added to an attacked DNS server and used to control a remote server and applications.

DNS tunneling was originally designed as a simple way to bypass the captive portals and gain free access to internet in restricted networks.
But recently it is often used for nefarious purposes such as a method of command and control and/or data exfiltration.

Typically, this technique requires the compromised system to have external network connectivity, and attacker must also control a domain and a server that can act as an authoritative server.

How can it be used for data exfiltration?

DNS is rarely monitored and analyzed so attackers can use tunneling in order to remote access to compromized assets without trigger any security event.

Here is the usual sequence of activities:

  • A client sends a request for a particular host name in a domain, with the payload (request or response) to the server encoded in the hostname being requested.
  • The server responds with its data in the fields of the response. DNS allows hostnames of up to 255 characters, with a limitation of 63 chars per label and is in the form: label3.label2.label1.example.com

So, splitting all traffic into this little slices, an attacker is able to transfer data without being noticed.

DNS Tunneling Tools

DNS Tunneling tools can be divided into two classes, depending on the abstraction layer at which the information is encapsulated.

The main part of DNS tunneling tools is aimed at building IP over DNS tunnels, namely encapsulating IP packets inside DNS queries.


One of the first tool to realize IP over DNS.
Tunnels are realized on tun0 interface and replies are encoded into TXT records.


Consists of two small programs, a server and client, written in Ruby.
The tunnel is made through local ports and data in replies are encapsulated in the CNAME record.


It uses either Base32 or a noncompliant Base64 encoding to encode the data, and replies are sent using NULL records (RFC 1035, section 3.3.10).
Iodine splits IP packets into several DNS packets and send them separately. IP packets are resembled at the endpoint.


It works exclusively on UNIX-like systems and encapsulates data in CNAME field.
It does not split IP packets in smaller DNS packets, polling periodically the rogue server with short queries.

In TCP over DNS tunnels, only packets that use TCP as transport protocol are encapsulated in the tunnel.


A tool able to encapsulate TCP packets over DNS tunnels, composed by a server-side and a client-side part. The server has a list of resources, services listening for TCP connection. The client listens on a predefined TCP port and relays each incoming connection to the final service using DNS. Information are encapsulated in the TXT field.


Heyoka comes as a single executable that can run in two modes: master and slave. The master acts as a server and will listen on a local port.
The slave acts as a client and will forward one of its ports through the tunnel and allow the attacker access to it by connecting to local port on the master machine.
The tool is not under active development anymore and according to its authors.


A set of Perl scripts (open source) written by Dan Kaminsky in 2005. It was written as a sample implementation of a DNS Tunnel for the Blackhat Europe 2005 conference. So there exists only a 0.1 version.

How can be detected?

According this SANS’s paper (by Greg Farnham), there are essentially two detection methods.

  1. Payload analysis, focused on domain names used in the malicious queries: using specific signatures and statistical methods it is possible to detect anomalous DNS traffic.
  2. Traffic analysis: looking at multiple requests/response pairs over time and checking the amount and frequency of requests for a single domain it is possible to spot DNS tunneling activities.

References and further readings

Some thoughts about Lateral Movement techniques

The ability to quickly and reliably detect lateral movement in the network is one of the most important skills in information security today: the lateral movement attack phase represents the biggest difference between a targeted and strategic attacks and a simplistic hit-and-run attack.

What is lateral movement?

Lateral movement refers to the various techniques attackers use to progressively spread through a network as they search for key assets and data, and usually is the second step of an cyberattack.

Once the attacker gain access to a vulnerable server on a network, he applies this set of techniques in order to gather information from systems on the target network, gain access and control them.

Movement across a network from one system to another may be necessary to achieve an adversary’s goals, such us execution of tools, pivoting to additional systems, access to specific information or files or access to additional credentials.

Video by Raphael Mudge

The lateral movement can be performed using specific tools, but adversaries may also reduce their footprint on the network by using legitimate credentials alongside inherent network and operating system functionality to remotely connect to systems.

Lateral movement techniques

Windows Remote Management

Windows Remote Management (WinRM) is a set of services and a protocols that allows a user to interact with a remote system:

Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate.

It may be called with the winrm command or by any number of programs such as PowerShell.

Windows Admin Shares

Windows systems have hidden network shares that are accessible only to administrators (for example C$, ADMIN$, and IPC$) and provide the ability for remote file copy and other administrative functions.

An attacker may use administrator-level Valid Accounts to remotely access a networked system over SMB in order to interact with systems using RPC, transfer files, and run transferred binaries through remote Execution.

Distributed Component Object Model

Windows DCOM is transparent middleware that extends the functionality of Component Object Model (COM) on remote systems using remote procedure call.
COM is a component of the Windows API that enables interaction between software objects: through COM, a client object can call methods of server objects, which are typically DLL libraries or executables.

DCOM may be used for lateral movement: using users with high privileges, and attacker can remotely obtain shellcode execution through Office applications as well as other Windows objects that contain insecure methods, or execute macros in existing documents.
Further, also DDE execution can be directly invoked through a COM created instance of a Microsoft Office application, bypassing the need for a malicious document.

Exploitation of vulnerable services

Attackers may takes advantage of a programming error in a program, service, or within the operating system software or kernel itself, in order to remote execute code.

First an adversary may need to determine if the remote system is in a vulnerable state, which may be done through network service scanning or other discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation.

Third-party Software

Third-party applications (such as SCCM, VNC, psexec) may be in use on specific systems in the network environment for administration purposes. If an adversary gains access to these systems, then they may be able to execute code.
The permissions required for this action vary by system configuration: usually specific domain credentials (or administrative accounts) may be required.

Infected shared content

Content stored on network shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files: once a user opens the shared tainted content, the malicious portion can be executed to run the adversary’s code on a remote system.

For example, an attacker could modifiy a shortcut file (.LNK), inserting an embedded command that executes an hidden script or a malware file in the directory, and then opens the real intended file so that the user’s expected action still occurs. When applied on frequently used network shares, the technique may result in frequent reinfections, allowing attacker to gain also a ‘distributed’ persistence.

This technique is applicable also on removable media.

Replication through removable redia

Malicious programs may move also onto systems disconnected or air-gapped systems, by copying a coy of itself to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.

In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system.

Webshells and remote access tools on shared webroot

Adversaries may add malicious content, like a webshell, to an internally accessible website through an open network file share that contains the website’s webroot or Web content directory.
The malicious script will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured.

SSH Hijacking

Secure Shell is often used for remote access on Linux and Mac systems.
It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

Attackers may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system, compromising the SSH agent or by having access to the agent’s socket.

Remote services access with valid network credentials

Remote desktop is a common feature in operating systems that allows a user to log into an interactive session with a system desktop graphical user interface on a remote system: an attacker may connect to a remote system over RDP to expand access if the service is enabled and allows access to accounts with known credentials.

With same credentials attacker may copy from one system to another to stage adversary tools or other files over the course of an operation.
Files may be copied from an external adversary-controlled system through the

Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.

Finally, an adversary may use valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC, then performing actions as the logged user.

Remote authentication with Pass the Hash and Pass the Ticket techniques

Pass the hash is a method of authenticating as a user without having access to the user’s cleartext password.

This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash captured on a compromized system.

Pass the ticket uses Kerberos tickets without having access to an account’s password.
In this technique, valid Kerberos tickets for Valid Accounts are captured by a credential dumping.

I’ll write soon a post with a more extensive description of Pass The Ticklet technique and Kerberos tickets.

AppleScript and IPC (OSX)

OSX applications send AppleEvent messages to each other for interprocess communications (IPC).

These messages can be easily scripted with AppleScript for local or remote IPC and AppleEvent messages can be sent independently or as part of a script, allowing to locate open windows, send keystrokes, and interact with almost any open application locally or remotely.

So, an attacker can use this technique in order to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes.
Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell developed with other languages.


References and additional readings