What is DNS Tunneling? A Detection Guide





DNS tunneling turns the domain name system into a hacker's weapon. DNS is essentially the huge phone book of the Internet. DNS is also the underlying protocol that allows administrators to query the DNS server database. So far, everything seems clear. But cunning hackers realized that it is possible to communicate covertly with a victim computer by injecting control commands and data into the DNS protocol. This idea is at the heart of DNS tunneling.



How DNS Tunneling Works







Everything on the Internet has its own protocol, and DNS uses a relatively simple request-response protocol. If you want to see how it works, you can run nslookup, the main tool for submitting DNS queries. You can request an address by simply specifying the domain name of interest, for example:







In our case, the protocol responded with the domain's IP address. In terms of the DNS protocol, I made an address request, a so-called "A"-type query. There are other query types, and the DNS protocol responds to them with a different set of data fields that, as we will see later, can be exploited by hackers.



One way or another, at its core the DNS protocol is concerned with passing a request to the server and its response back to the client. What if an attacker adds a hidden message inside the domain name request? For example, instead of entering a completely legitimate domain name, they enter the data they want to transfer:







Suppose an attacker controls the DNS server. Then they can transmit data, for example personal data, without necessarily being discovered. After all, why would a DNS request be considered illegitimate?



By controlling the server, hackers can spoof responses and send data back to the target system. This allows them to pass messages hidden in various fields of the DNS response to malware on the infected machine, with instructions like searching within a specific folder.



The "tunneling" part of this attack is hiding the data and commands from monitoring systems. Hackers can use base32, base64 and other encodings, or even encrypt the data. Such encoding goes unnoticed by simple threat detection utilities that only search plaintext.



And that's DNS tunneling!



History of DNS Tunneling Attacks



Everything has a beginning, including the idea of hijacking the DNS protocol for hacking purposes. As far as we can tell, the first discussion of such an attack was conducted by Oskar Pearson on the Bugtraq mailing list in April 1998.



By 2004, DNS tunneling was being presented at Black Hat as a hacking technique, in a talk by Dan Kaminsky. Thus, the idea very quickly grew into a real attack tool.



Today, DNS tunneling takes a strong position on the map of potential threats (and security bloggers are often asked to explain it).



Have you heard of Sea Turtle? This is an ongoing campaign by cybercriminal groups - most likely government sponsored - to hijack legitimate DNS servers in order to redirect DNS requests to their own servers. This means that organizations receive "bad" IP addresses that point to fake web pages, run by the hackers, imitating sites such as Google or FedEx. At the same time, the attackers are able to collect the accounts and passwords that users unknowingly enter on such fake sites. This is not DNS tunneling, but it is another nasty consequence of hacker control of DNS servers.



DNS Tunneling Threats







DNS tunneling is an indicator that the bad news is only beginning. What kind of bad news? We've already covered some of it, but let's structure it:



  • Data exfiltration – attackers covertly move data, such as personal data, out of the network over DNS. With all the overhead and encoding it is hardly the most efficient way to get data out, but it works!
  • Command and control (Command and Control, C2) – attackers use the DNS protocol to send commands to malware on the infected machine, for example a Remote Access Trojan (RAT).
  • IP-Over-DNS – there are utilities that carry IP traffic inside DNS queries and responses, which makes it relatively easy to transfer data with FTP, Netcat, ssh, etc. Frightening!


Detecting DNS Tunneling







There are two main methods for detecting DNS abuse: payload analysis and traffic analysis.



In payload analysis, the defender looks for anomalies in the data transmitted in both directions, which can be detected by statistical methods: strange-looking host names, a DNS record type that is not used so often, or a non-standard encoding.



In traffic analysis, the number of DNS queries to each domain is counted and compared to the normal baseline. Attackers using DNS tunneling generate a large volume of traffic to their server, in theory far exceeding normal DNS messaging. And this must be monitored!
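As an added example (not code from the original article), the script below runs both methods over a few constructed DNS query log lines: payload analysis flags rare record types and long, high-entropy subdomain labels like the base32-style names described above, and traffic analysis flags domains that receive more queries than a baseline. The log format, domain names and thresholds are all assumptions for this illustration.

```python
import math
from collections import defaultdict

# Constructed sample log ("<client> <qtype> <qname>"); the evil-tunnel.example labels are made-up base32-looking payloads.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 AAAA cdn.example.net
10.0.0.9 TXT mfrggzdfmztwq2lknnwg23tpojss.evil-tunnel.example
10.0.0.9 TXT gezdgnbvgy3tqojqge2dgmbvgy3t.evil-tunnel.example
10.0.0.9 NULL mjzxi2lnm5ywu3lvgq2dkmbxgq3t.evil-tunnel.example
10.0.0.9 TXT nfxhizlt4bzha2lfov5gkzlsmrxq.evil-tunnel.example
"""

# Assumed thresholds; tune them against your own baseline traffic.
RARE_QTYPES = {"TXT", "NULL"}  # record types clients rarely request in bulk
MAX_LABEL_LEN = 20             # normal host labels are short
MAX_LABEL_ENTROPY = 3.5        # bits/char; encoded data scores higher than words
MAX_QUERIES_PER_DOMAIN = 3     # traffic-analysis threshold for this tiny sample

def shannon_entropy(text):
    """Bits per character of a label; base32/base64 data scores high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text))) if n else 0.0

def registered_domain(qname):
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text):
    """Return {domain: sorted reasons} for domains whose queries look like a tunnel."""
    stats = defaultdict(lambda: {"queries": 0, "rare_qtype": 0, "long_label": 0, "high_entropy": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _client, qtype, qname = parts
        labels = qname.rstrip(".").split(".")
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        # Payload analysis: unusual record type, long or random-looking subdomain labels.
        s["rare_qtype"] += (qtype.upper() in RARE_QTYPES)
        for label in labels[:-2]:
            s["long_label"] += (len(label) >= MAX_LABEL_LEN)
            s["high_entropy"] += (shannon_entropy(label) >= MAX_LABEL_ENTROPY)
    flagged = {}
    for domain, s in stats.items():
        reasons = [k for k in ("rare_qtype", "long_label", "high_entropy") if s[k]]
        if s["queries"] >= MAX_QUERIES_PER_DOMAIN:  # traffic analysis: volume vs. baseline
            reasons.append("volume")
        if reasons:
            flagged[domain] = sorted(reasons)
    return flagged
```

Running analyze(SAMPLE_LOG) flags only evil-tunnel.example, with all four reasons; in production the baseline would come from days of traffic rather than a fixed count.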



DNS Tunneling Utilities



If you want to conduct your own penetration test and check how well your company can detect and respond to such activity, there are several utilities for this. All of them can tunnel in IP-Over-DNS mode:



  • Iodine - available on many platforms (Linux, Mac OS, FreeBSD and Windows). Allows you to set up an SSH shell between the target and the host computer. Here's a good guide to setting up and using Iodine.
  • OzymanDNS is a DNS tunneling project by Dan Kaminsky written in Perl. You can connect with it via SSH.
  • DNSCat2 - "the DNS tunnel that doesn't suck." Creates an encrypted C2 channel for uploading/downloading files, launching shells, etc.


DNS monitoring utilities



Below is a list of several utilities that will be useful for detecting tunneling attacks:



  • dnsHunter is a Python module written for MercenaryHuntFramework and Mercenary-Linux. Reads .pcap files, extracts DNS lookups, and performs geolocation matching to aid analysis.
  • reassemble_dns is a Python utility that reads .pcap files and parses DNS messages.


DNS Tunneling Micro FAQ



The most useful information in the form of questions and answers!



Q: What is tunneling?

A: It's just a way to transfer data over an existing protocol. The underlying protocol provides a dedicated channel, or tunnel, which is then used to hide the information that is actually transmitted.



Q: When was the first DNS tunneling attack carried out?

A: We don't know! If you know - please let us know. As far as we know, the first discussion of the attack was initiated by Oskar Pearson on the Bugtraq mailing list in April 1998.



Q: What attacks are similar to DNS tunneling?

A: DNS is far from the only protocol that can be used for tunneling. For example, command and control (C2) malware often uses HTTP to mask the communication channel. As with DNS tunneling, the hacker hides their data, but in this case it looks like the traffic of a regular web browser accessing a remote site (controlled by the attacker). This can go unnoticed by monitoring programs if they are not configured to treat abuse of the HTTP protocol as a threat.



Want us to help with DNS tunneling detection? Check out our Varonis Edge module and try a free demo!


