What is DNS Tunneling? Detection instruction

5 min

DNS tunneling turns the domain name system into a hacker’s weapon. DNS is essentially the huge phone book of the Internet. DNS is also the underlying protocol that allows administrators to query the DNS server database. So far, everything seems to be clear. But the cunning hackers realized that it was possible to covertly communicate with the victim computer by injecting control commands and data into the DNS protocol. This idea is at the heart of DNS tunneling.

How DNS Tunneling Works

Everything on the Internet has its own separate protocol. And DNS maintains a relatively simple protocol type request-response. If you want to see how it works, you can run nslookup, the main tool for submitting DNS queries. You can request an address simply by entering the domain name of interest, for example:

In our case, the protocol responded with the domain’s IP address. In terms of the DNS protocol, I made an address request or a so-called. “A” -type. There are other types of queries, and the DNS protocol will respond with a different set of data fields that, as we will see later, can be exploited by hackers.

One way or another, at its core, the DNS protocol is about passing a request to the server and its response back to the client. What if an attacker adds a buried message inside the domain name request? For example, instead of entering a completely legitimate URL, he will enter the data he wants to transfer:

Let’s say an attacker is controlling a DNS server. Then it can transmit data – for example, personal data – and not necessarily be detected. After all, why would a DNS request become something illegitimate?

By controlling the server, hackers can fake responses and send data back to the target system. This allows them to pass messages hidden in various fields of the DNS response to malware on the infected machine, with instructions like searching within a specific folder.

The “tunneling” part of this attack is concealment data and commands from detection by monitoring systems. Hackers can use the base32, base64, etc. character sets, or even encrypt data. This encoding will go unnoticed by simple threat detection utilities that search through plaintext.

And that’s DNS tunneling!

History of DNS Tunneling Attacks

Everything has a beginning, including the idea of ​​hijacking the DNS protocol for hacking purposes. As far as we can tell, the first discussion such an attack was carried out by Oskar Pearson on the Bugtraq mailing list in April 1998.

By 2004, DNS tunneling was being introduced to Black Hat as a hacking technique in a presentation by Dan Kaminsky. Thus, the idea very quickly grew into a real attack tool.

Today DNS tunneling takes a strong position on the map potential threats (and security bloggers are often asked to explain).

Have you heard about Sea turtle ? This is an ongoing campaign of cybercriminal groups – most likely sponsored by the state – to hijack legitimate DNS servers in order to redirect DNS queries to their own servers. This means that organizations will receive “bad” IP addresses that point to fake web pages run by hackers such as Google or FedEx. At the same time, attackers will be able to get the accounts and passwords of users who will unknowingly enter them on such fake sites. This is not DNS tunneling, but just another nasty consequence of hackers’ control of DNS servers.

DNS Tunneling Threats

DNS tunneling is like an indicator of the beginning of the bad news stage. Which ones? We’ve already covered a few, but let’s structure them:

  • Data output (exfiltration) – a hacker secretly transfers critical data over DNS. This is definitely not the most efficient way to transfer information from the victim’s computer – taking into account all costs and encodings – but it works, and at the same time – stealthily!
  • Command and Control (C2 for short) – hackers use the DNS protocol to send simple control commands, say through remote access trojan (Remote Access Trojan, abbreviated RAT).
  • IP-Over-DNS Tunneling – it may sound crazy, but there are utilities that implement the IP stack on top of DNS requests and responses. It does data transfer using FTP, Netcat, ssh, etc. a relatively simple exercise. Extremely ominous!

Identifying DNS Tunneling

There are two main methods for detecting DNS abuse: load analysis and traffic analysis.

When load analysis the defending side looks for anomalies in the data transmitted in both directions, which can be detected by statistical methods: strange-looking host names, a type of DNS record that is not used so often, or a non-standard encoding.

When traffic analysis the number of DNS queries to each domain is estimated compared to the average. Attackers using DNS tunneling will generate a large amount of traffic to the server. In theory, vastly superior to normal DNS messaging. And this must be monitored!

DNS Tunneling Utilities

If you want to conduct your own penetration test and check how well your company can detect and respond to such activity, then there are several utilities for this. They all know how to tunnel in the mode IP-Over-DNS:

  • Iodine – available on many platforms (Linux, Mac OS, FreeBSD and Windows). Allows you to set up an SSH shell between the target and the host computer. Here’s a good one guide on setting up and using Iodine.
  • OzymanDNS Is a DNS tunneling project by Dan Kaminsky written in Perl. You can connect with it via SSH.
  • DNSCat2 – “DNS tunnel that doesn’t feel sick.” Creates an encrypted C2 channel for sending / downloading files, launching shells, etc.

DNS monitoring utilities

Below is a list of several utilities that will be useful for detecting tunneling attacks:

  • dnsHunter – Python module written for MercenaryHuntFramework and Mercenary-Linux. Reads .pcap files, extracts DNS lookups, and performs geolocation matching to aid in analysis.
  • reassemble_dns Is a Python utility that reads .pcap files and parses DNS messages.

DNS Tunneling Micro FAQ

The most useful information in the form of questions and answers!

Q: What is tunneling?
ABOUT: It’s just a way to transfer data over an existing protocol. The underlying protocol provides a dedicated channel or tunnel, which is then used to hide the information that is actually being transmitted.

Q: When was the first DNS tunneling attack carried out?
ABOUT: We do not know! If you know – please let us know. As far as we know, the first discussion of the attack was initiated by Oscar Pearsan on the Bugtraq mailing list in April 1998.

Q: What attacks are similar to DNS tunneling?
ABOUT: DNS is far from the only protocol that can be used for tunneling. For example, command and control (C2) malware often uses HTTP to mask the communication channel. As with DNS tunneling, the hacker hides his data, but in this case it looks like the traffic of a regular web browser accessing a remote site (controlled by the attacker). This can go unnoticed by monitoring programs if they are not configured to perceive threat abuse of the HTTP protocol for hacking purposes.

Would you like us to help with DNS tunneling detection? Check out our module Varonis edge and try free demo!


Leave a Reply