What is DNS Tunneling?
DNS is the service that maps internet addresses to their IP address equivalents. In short, it translates IP addresses into easy-to-remember names for users (e.g. xxxxxx.com). Because DNS is used so widely, attackers have turned it into a DNS attack technique.
Tunneling means carrying the data of one protocol inside another. With a DNS tunnel we can tunnel another protocol through DNS: for example, TCP/UDP packets for protocols such as HTTP, SSH, HTTPS or SMTP can be carried inside DNS packets by DNS tunneling. In the same way, DNS tunneling is used to leak data out over IP traffic.
How Does DNS Tunnel Work?
Attackers use the DNS tunnel in a client-server relationship, with the DNS protocol carrying the tunneled data. The DNS tunnel works as follows:
- First, the attacker creates a domain such as testsite.com. The domain's name server opens a tunnel and points the domain at the attacker's server, where the malware is hosted.
- DNS requests are always allowed in and out through the firewall. The attacker uses this to pass the malware through the firewall and infect the victim computer; the infected host then sends queries to the DNS resolver.
- The DNS resolver forwards the queries to the server the attacker uses for the tunnel. Thus, through the DNS resolver, a connection is created between the attacker and the victim computer. Over this connection the attacker can perform malicious operations such as data leakage and data theft. However, because there is no direct connection between the attacker and the victim computer, identifying the attacker is very difficult.
Detecting DNS Tunneling Attacks
- Attackers use the DNS tunnel, through domain names, for malicious purposes such as information theft. Examining an organization's DNS requests for signs of tunneling makes anomalies in network traffic visible.
- DNS tunneling succeeds only if the attacker's domain can be reached from the target system. When an organization sees unusual requests to a DNS domain on its systems, it should take precautions, since DNS tunneling may be underway.
- During DNS tunneling, the attacker needs a large number of DNS requests to carry out actions such as stealing data. An increase in DNS traffic on the network is a sign that DNS tunneling may be occurring.
Each of these anomalies may be harmless on its own. But several of them together indicate that DNS tunneling is occurring.
Preventing DNS Tunneling Attacks
DNS tunneling means that attackers operate their malware through DNS queries. Therefore, by monitoring DNS queries we can detect and block the attackers' malicious ones.
Snort and Sigma signatures are written and deployed to inspect DNS queries at the moment they are made, while the attacker is preparing to perform DNS tunneling.
Advanced threat prevention systems are required to block DNS tunneling and so prevent data theft and the malicious use of malware. With solutions such as MDR and SIEM, anomalies in DNS traffic can be detected by examining both the malware created by the attacker and the network traffic, supported by threat intelligence.
Things to consider for effective DNS prevention:
- Identifying and modelling the data theft scenarios that may occur through DNS tunneling.
- Detecting domain generation (DGA), where attackers create domains automatically.
- Identifying previously created domain names used in data theft.
- Detecting DNS requests in suspicious situations by comparing them with previously observed malicious cases.
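The anomalies listed under "Detecting DNS Tunneling Attacks" (query volume, unusual requests, no single sign being conclusive) and the DGA point above can be checked mechanically over a DNS query log. The following Python script is an added example and is not code from the original article or from any of the tools it names: it scores every registered domain in a constructed log (the log format, the field names and the thresholds are assumptions) on label length, subdomain entropy, the share of never-repeated subdomains and the share of TXT/NULL records, and only flags a domain when at least two indicators fire, mirroring the article's point that one anomaly alone may be harmless.

```python
"""Heuristic DNS tunneling / DGA detector over a DNS query log.

Added example (not part of the original article). Scores each registered
domain seen in a query log on the anomalies the article lists: unusually
long labels, high-entropy (encoded or DGA-like) subdomains, a high share of
never-repeated subdomains, and heavy use of TXT/NULL records.
"""
import math
from collections import defaultdict

# Constructed sample log in an assumed "<epoch> <client_ip> <qtype> <qname>" format.
# The testsite.com lines imitate encoded data carried in long, unique subdomains.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A    www.example.com
1700000001 10.0.0.5 A    mail.example.com
1700000002 10.0.0.5 AAAA www.example.com
1700000003 10.0.0.7 TXT  a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0.tunnel.testsite.com
1700000004 10.0.0.7 TXT  z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4j3i2h1g0.tunnel.testsite.com
1700000005 10.0.0.7 TXT  k4j3i2h1g0f9e8d7c6b5a4z3y2x1w0v9u8t7s6r5.tunnel.testsite.com
1700000006 10.0.0.7 TXT  m1n2o3p4q5r6s7t8u9v0w1x2y3z4a5b6c7d8e9f0.tunnel.testsite.com
1700000007 10.0.0.7 TXT  q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2g3h4i5j6.tunnel.testsite.com
1700000008 10.0.0.7 TXT  b5c6d7e8f9g0h1i2j3k4l5m6n7o8p9q0r1s2t3u4.tunnel.testsite.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain_labels).

    Simplification (assumption): the registered domain is the last two labels.
    Production code should consult the Public Suffix List (e.g. for co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), []
    return ".".join(labels[-2:]), labels[:-2]


def parse_log(text: str):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append((int(ts), client, qtype.upper(), qname))
    return records


def analyze(records, min_queries=5):
    """Aggregate per registered domain and attach the indicators that fired."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "max_label": 0,
                                 "entropies": [], "txt_null": 0, "clients": set()})
    for _ts, client, qtype, qname in records:
        domain, sub = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["clients"].add(client)
        s["subdomains"].add(".".join(sub))
        if sub:
            s["max_label"] = max(s["max_label"], max(len(lab) for lab in sub))
            s["entropies"].append(shannon_entropy("".join(sub)))
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1

    report = {}
    for domain, s in stats.items():
        q = s["queries"]
        mean_entropy = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        unique_ratio = len(s["subdomains"]) / q
        reasons = []
        if s["max_label"] >= 30:                       # hostnames are rarely this long
            reasons.append("long labels")
        if mean_entropy >= 3.5:                        # encoded payload or DGA-style names
            reasons.append("high-entropy subdomains")
        if q >= min_queries and unique_ratio >= 0.8:   # every query carries a new name
            reasons.append("high volume of unique subdomains")
        if q >= min_queries and s["txt_null"] / q >= 0.5:
            reasons.append("mostly TXT/NULL records")
        report[domain] = {"queries": q, "clients": sorted(s["clients"]),
                          "max_label": s["max_label"], "mean_entropy": round(mean_entropy, 2),
                          "unique_ratio": round(unique_ratio, 2), "reasons": reasons,
                          "suspicious": len(reasons) >= 2}   # one anomaly alone is not enough
    return report


def suspicious_domains(log_text: str, min_queries=5):
    """Sorted list of registered domains that tripped at least two indicators."""
    report = analyze(parse_log(log_text), min_queries)
    return sorted(d for d, r in report.items() if r["suspicious"])


if __name__ == "__main__":
    for domain, r in analyze(parse_log(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{domain:16} queries={r['queries']:2} max_label={r['max_label']:2} "
              f"entropy={r['mean_entropy']:.2f} unique={r['unique_ratio']:.2f} {flag} {r['reasons']}")
```

Run against a real resolver log, the same thresholds will produce false positives for CDNs, anti-virus reputation lookups and other services that legitimately encode data in subdomains; the usual remedy is an allow-list of known domains and a per-client baseline, which is the "comparing with previous situations" step the list above describes.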
Programs for DNS Tunneling
- iodine: Iodine tunnels IPv4 data through a DNS server. It runs on systems such as Linux, Windows, Mac OS and FreeBSD.
- DeNiSe: Performs TCP tunneling over DNS; written in Python.
- Dns2tcp: Written in C. The client runs on Windows and Linux. It supports KEY and TXT requests.
- DNScapy: In short, this tool performs SSH tunneling over DNS.
- DNScat: The DNScat2 tool is designed to create an encrypted C2 channel over the DNS protocol.
- tcp-over-dns: A Java-based server. It runs on operating systems such as Windows, Linux and Solaris. It supports tunneling of TCP and UDP traffic and LZMA compression.
DNS Tunneling Implementation with IODINE
In the demonstration shown in this section, we use an Ubuntu virtual machine as the client and our Kali Linux machine as the server.
First, iodine was installed on both machines:
- apt-get install iodine
Running the Iodine Tool on the Server:
When the following command is run, the server listens for the DNS query packets arriving at it.
- iodined -fP password 10.0.0.1 tunnel.(domain name you specified).com
Here the -P parameter sets the password that protects the tunnel packets (-f keeps iodined running in the foreground). The IP 10.0.0.1 in the command is the address assigned to the server's dns0 interface.
Running the Iodine Tool on the Client:
- iodine -fP password Server_IP tunnel.testsite.com
With this command, our client's dns0 interface was assigned the IP address 10.0.0.2.
A ping was performed to check whether communication between the client and the server had been established successfully.
The ping from the client environment to the server environment succeeded.
As can be seen here, the connection was also confirmed by successfully pinging the client from the server.
We see that an SSH connection can be established from the server to the client over the DNS tunnel.