What is DNS Tunneling? Discovery Instructions


DNS tunneling turns the domain name system into a hacker's weapon. DNS is essentially the Internet's huge phone book, and DNS is also the underlying protocol that lets administrators query the DNS server database. So far everything seems clear. But cunning hackers have realized that it is possible to communicate covertly with a victim computer by injecting control commands and data into the DNS protocol. This is the idea behind DNS tunneling.

How DNS tunneling works


There is a separate protocol for everything on the Internet, and DNS uses a relatively simple request-response protocol. If you want to see how it works, you can run nslookup, the standard DNS query tool. You can request an address simply by entering the domain name of interest as the argument to nslookup.


In our case, the server responded with the domain's IP address. In DNS terms, I made an address query, a so-called "A" record query. There are other query types, and for each the DNS protocol responds with a different set of data fields, which, as we will see later, can be used by hackers.

One way or another, at its core the DNS protocol is about sending a request to the server and returning its response to the client. What if an attacker adds a hidden message inside a domain name request? For example, instead of entering a perfectly legitimate domain name, they send the data they want to pass, dressed up as a domain name.


Suppose an attacker controls the DNS server. Then he can transmit data - for example, personal data - and will not necessarily be detected. After all, why would anyone suspect a DNS query of being illegitimate?

By controlling the server, hackers can also forge responses and send data back to the target system. This lets them pass messages hidden in various fields of the DNS response to the malware on the infected machine, with instructions such as searching inside a specific folder.

The "tunneling" part of this attack is the concealment of data and commands from monitoring systems. Hackers can use base32, base64 or other encodings, or even encrypt the data. Such encoding passes unnoticed by simple threat detection tools that only search for plain text.

And that's what DNS tunneling is!

History of attacks through DNS tunneling

Everything has a beginning, including the idea of hijacking the DNS protocol for hacker purposes. As far as we can tell, the first discussion of such an attack was started by Oskar Pearson on the Bugtraq mailing list in April 1998.

By 2004, DNS tunneling had been presented at Black Hat as a hacking technique in a talk by Dan Kaminsky. Thus, the idea very quickly grew into a real attack tool.

Today, DNS tunneling occupies a firm position on the map of potential threats (and security bloggers are often asked to explain it).

Have you heard about Sea Turtle? This is an ongoing campaign by cybercriminals - most likely state-sponsored - to take over legitimate DNS servers in order to redirect DNS requests to their own servers. This means that organizations receive "bad" IP addresses pointing to fake web pages, run by hackers, that imitate sites such as Google or FedEx. In this way the attackers can collect the accounts and passwords of users who unknowingly enter them on such fake sites. This is not DNS tunneling, but just another nasty consequence of hacker control over DNS servers.

DNS Tunneling Threats


DNS tunneling is an indicator that a stage of bad news has begun. Which bad news? We have already mentioned some, but let's structure them:

  • Data exfiltration – a hacker covertly transfers critical data over DNS. This is definitely not the most efficient way to move information off the victim computer - considering all the overhead and encoding - but it works, and discreetly at that!
  • Command and Control (C2 for short) - hackers use the DNS protocol to send simple control commands, say, to a remote access trojan (RAT for short).
  • IP-over-DNS tunneling - this may sound crazy, but there are utilities that implement an IP stack on top of DNS requests and responses. This makes data transfer using FTP, Netcat, ssh, etc. a relatively simple task. Extremely sinister!

DNS Tunneling Detection


There are two main methods for detecting DNS abuse: payload analysis and traffic analysis.

In payload analysis, the defending party looks for anomalies in the data sent back and forth that can be detected by statistical methods: strange-looking hostnames, a type of DNS record that is not used as often, or a non-standard encoding.

In traffic analysis, the number of DNS requests to each domain is compared with the average level. Attackers using DNS tunneling generate a lot of traffic to their server, in theory far more than normal DNS exchange, and that needs to be tracked!
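Both checks in one script, as an added example that is not part of the original article: it runs payload analysis (label length, character entropy, record type) and traffic analysis (queries per domain) over a constructed log sample. The thresholds, the set of "common" record types and the two-label registered-domain rule are my assumptions and should be tuned to your own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (client, query name, record type); the long
# high-entropy labels under evil-example.test mimic encoded tunnel data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 kq3vxmzkfu4ry5tbz2h7ilz6yjqkc5aam.evil-example.test TXT
10.0.0.7 d4xlz9zbdqi7vyhxz6mpq5a3w2rk0jbv3.evil-example.test TXT
10.0.0.7 m7sy1kd9pn2qhkx8ae4wuoz6jb3r0fgtc.evil-example.test NULL
10.0.0.7 y2f8kvbu0qzdp6xth1rsnm9wa4gcj3eol.evil-example.test TXT
"""
COMMON_TYPES = {"A", "AAAA", "MX", "NS", "PTR", "SOA", "SRV", "CNAME"}
MAX_LABEL = 30      # illustrative thresholds: tune all three to your baseline
MIN_ENTROPY = 3.5   # bits per character; encoded data scores high, words low
RATE_LIMIT = 3      # queries per registered domain in the sampled window

def shannon_entropy(text):
    """Bits of entropy per character of the text."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())
def registered_domain(qname):
    """Assume the last two labels form the registered domain (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])
def payload_findings(qname, qtype):
    """Payload analysis: odd-looking hostnames and rarely used record types."""
    labels = qname.rstrip(".").split(".")[:-2]
    sub = "".join(labels)
    findings = []
    if labels and max(len(lab) for lab in labels) > MAX_LABEL:
        findings.append("long label")
    if len(sub) >= 16 and shannon_entropy(sub) > MIN_ENTROPY:
        findings.append("high entropy")
    if qtype not in COMMON_TYPES:
        findings.append("uncommon type " + qtype)
    return findings
def analyze(log_text):
    """Returns {registered domain: sorted reasons} for domains worth a closer look."""
    reasons, per_domain = defaultdict(set), Counter()
    for line in log_text.strip().splitlines():
        _client, qname, qtype = line.split()
        dom = registered_domain(qname)
        per_domain[dom] += 1
        reasons[dom].update(payload_findings(qname, qtype))
    for dom, n in per_domain.items():   # traffic analysis: volume per domain
        if n > RATE_LIMIT:
            reasons[dom].add("high query rate")
    return {d: sorted(r) for d, r in reasons.items() if r}
```

On the sample, only evil-example.test is reported, with all five reasons; the two example.com queries trigger nothing.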

DNS Tunneling Utilities

If you want to conduct your own penetration test and see how well your company can detect and respond to such activity, there are several utilities for this. All of them can tunnel IP over DNS:

  • iodine – available on many platforms (Linux, Mac OS, FreeBSD and Windows). Lets you establish an SSH shell between the target and the control computer. Here's a good guide on setting up and using iodine.
  • OzymanDNS is the DNS tunneling project by Dan Kaminsky, written in Perl. You can connect through it via SSH.
  • dnscat2 - "a DNS tunnel that doesn't make you sick". Creates an encrypted C2 channel for uploading/downloading files, launching shells, etc.

DNS Monitoring Utilities

Below is a list of several utilities that will be useful for detecting tunneling attacks:

  • dnsHunter - Python module written for MercenaryHuntFramework and Mercenary-Linux. Reads .pcap files, extracts DNS queries, and performs geolocation matching to aid in analysis.
  • reassemble_dns is a Python utility that reads .pcap files and parses DNS messages.

Micro FAQ on DNS Tunneling

Useful information in the form of questions and answers!

Q: What is tunneling?
A: It's just a way to transfer data over an existing protocol. The underlying protocol provides a dedicated channel or tunnel, which is then used to hide the information that is actually being transmitted.

Q: When was the first DNS tunneling attack carried out?
A: We do not know! If you know, please let us know. To the best of our knowledge, the first discussion of the attack was initiated by Oskar Pearson on the Bugtraq mailing list in April 1998.

Q: What attacks are similar to DNS tunneling?
A: DNS is far from the only protocol that can be used for tunneling. For example, command and control (C2) malware often uses HTTP to mask the communication channel. As with DNS tunneling, the hacker hides his data, but in this case it looks like traffic from a regular web browser accessing a remote site (controlled by the attacker). This may go unnoticed by monitoring programs if they are not configured to treat abuse of the HTTP protocol for hacker purposes as a threat.

Would you like us to help you with DNS tunneling detection? Check out our Varonis Edge module and try a free demo!

Source: habr.com
