What is DNS Tunneling? A Detection Guide

Threat Detection

DNS tunneling illustration of a monitor and mask

DNS Tunneling turns DNS, the Domain Name System, into a hacking weapon. As we know, DNS is a giant White Pages or phone directory for the Internet. DNS also has a simple protocol that lets admins query a DNS server’s database. So far, so good. Clever hackers realized that they could secretly communicate with a target computer by sneaking commands and data into the DNS protocol. This idea is at the core of DNS Tunneling.


How DNS Tunneling Works

DNS tunneling illustration of the process

There’s a protocol for everything on the Internet, and DNS supports a fairly simple query-response protocol. If you want to see how it works, you can try accessing nslookup, the go-to tool to query DNS. You can look up an address just by entering the domain name, kind of like what I did below:

DNS tunneling screenshot of nslookup

Notice the protocol responded, in this case with the IP address of the domain. In the language of the DNS protocol, I made an address or “A” query. There are other queries you can make wherein the DNS protocol responds with various fields of data, which as we’ll soon see can be exploited by hackers.

Anyway, under the hood, the DNS protocol carries the query to the server and the response back to the client. What if a hacker snuck a message into a DNS query? For example, instead of typing a legitimate domain name, they entered the data they wanted to exfiltrate, like this:

DNS tunneling screenshot of how nslookups work

Suppose hackers were in control of the DNS server. Then they could scoop up the data — social security numbers, etc. — without necessarily being spotted. After all, why would a DNS request be anything other than legitimate?

With the hackers in control, they can also fake responses and send data back to the target system. This allows them to return messages hidden in various DNS response fields to the malware they loaded on the victim’s computer — directing it to, say, search a particular folder.

The “tunneling” part of this attack is about obscuring the data and commands to avoid detection by monitoring software. Hackers can use base32, base64 or other character sets, or even encrypt the data. This encoding would get past simple detection software that’s searching on plaintext patterns.

And that’s DNS tunneling!
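To make the query-response mechanics concrete, here is an added example (not code from the original post) that decodes the question section of a DNS query the way a passive monitor must before it can inspect the name. The packet bytes are constructed inline, and the name and label limits enforced are those of RFC 1035.

```python
import struct

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 10: "NULL", 15: "MX", 16: "TXT", 28: "AAAA"}

def build_query(txid, qname, qtype):
    """Encode a standard DNS query; used here only to construct offline sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_query(packet):
    """Decode header and question section, enforcing the RFC 1035 name limits."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0 == 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        if length > 63:
            raise ValueError("label exceeds 63 octets")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qname = ".".join(labels)
    if len(qname) > 253:
        raise ValueError("name exceeds 253 characters")
    if len(packet) < pos + 4:
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "qname": qname, "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
            "max_label": max((len(l) for l in labels), default=0)}
```

The label and name length limits are exactly the budget a tunnel has to squeeze its encoded data into, which is why long, near-maximal labels stand out in later analysis.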

DNS Tunneling Attack History

Everything has a beginning, including the idea of hijacking the DNS protocol for hacking purposes. As far as we can tell, the first discussion of this attack was from Oskar Pearson on the Bugtraq mailing list in April of 1998.

By 2004, it was being presented at Black Hat as a technique — see Dan Kaminsky’s presentation. So the idea moved very quickly to an actual attack method.

And today DNS tunneling is very much part of the threat-scape (and security bloggers are often asked to explain it.)

Have you heard about Sea Turtle? It’s an ongoing campaign by cyber gangs — likely state-sponsored — to hijack legitimate DNS servers so they can reroute DNS queries to their own servers. That means an organization would be receiving bad IP addresses pointing to spoofed web pages controlled by the hackers — say for Google or FedEx. The hackers can then harvest credentials as users unknowingly enter information into fake web pages. It’s not DNS tunneling, but just another evil consequence of hackers controlling the DNS server.

DNS Tunneling Threats

DNS tunneling threats illustration

DNS tunneling is a mechanism that enables bad things to happen. What kind of bad things? We’ve already suggested a few, but let’s list them out:

  • Data Exfiltration – Hackers sneak sensitive data out over DNS. It’s certainly not the most efficient way to get data from a victim’s computer — with all the extra overhead and encoding — but it can work and it’s stealthy!
  • Command and Control (C2) – Hackers use the DNS protocol to send simple commands to, say, a remote access trojan (RAT).
  • IP-Over-DNS Tunneling – This sounds crazy, but there are utilities that have implemented the IP stack on the DNS query-response protocol. That would make it relatively easy to transfer data using standard communications software like FTP, Netcat, SSH, etc. Powerfully evil!

DNS Tunneling Detection

DNS tunneling illustration of the ways to detect DNS tunneling

There are two general methods to detect DNS misuse: payload analysis and traffic analysis.

With payload analysis, defenders look at unusual data being sent back and forth: strange-looking hostnames, a DNS record type that’s not used all that often, and unusual character sets that can be spotted by statistical techniques.

In traffic analysis, defenders look at the number of requests to a DNS domain and compare it against average usage. Hackers who are performing DNS tunneling will create very heavy traffic to the server, in theory much greater than a normal DNS exchange. And that should be detectable!
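As an added example (not code from the original post or from Varonis), here is a small Python script that applies both methods to a constructed query log: payload analysis per query (name length, entropy of the first label, rare record types) and traffic analysis per registered domain against the average. The thresholds and the set of “routine” record types are assumptions to tune against your own baseline.

```python
import math
from collections import Counter
# Constructed sample query log (not from any real network): "<client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 cdn.example.net A
10.0.0.9 nfzxfzzfjzvwc2ldmvzgk3lanrsw4bwxs2hm3ra5.exfil.example.org TXT
10.0.0.9 pfxxk4dsmfuwc5dfpbxxezlqnvqwg6nr2ejtd5kq.exfil.example.org TXT
10.0.0.9 oruw4ztfojrwkzlsnfwwc3dtnvssm7bpa2gxy4ei.exfil.example.org TXT
10.0.0.9 mfxwiidtmvtw2zlounpxgzlbnvqwc5rs3hk6tdzy.exfil.example.org NULL
"""
# Record types treated as routine; TXT and NULL get flagged (assumption: tune to your baseline)
COMMON_QTYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SRV"}

def shannon_entropy(s):
    """Bits per character: encoded blobs score far above plain words like 'www'."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Crude registrable-domain guess from the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def payload_score(qname, qtype):
    """Payload analysis: list the suspicious traits of one query (empty list = clean)."""
    first_label = qname.rstrip(".").split(".")[0]
    reasons = []
    if len(qname) > 52:                     # length threshold is an assumption
        reasons.append("long qname")
    if shannon_entropy(first_label) > 3.5:  # entropy threshold is an assumption
        reasons.append("high entropy")
    if qtype not in COMMON_QTYPES:
        reasons.append(f"rare qtype {qtype}")
    return reasons

def analyze(log_text, volume_ratio=1.5):
    """Payload analysis per query plus traffic analysis per registered domain."""
    per_domain, findings = Counter(), {}
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        dom = registered_domain(qname)
        per_domain[dom] += 1
        if reasons := payload_score(qname, qtype):
            findings.setdefault(dom, set()).update(reasons)
    mean = sum(per_domain.values()) / len(per_domain)  # traffic baseline across domains
    for dom, n in per_domain.items():
        if n > volume_ratio * mean:
            findings.setdefault(dom, set()).add("high query volume")
    return {dom: sorted(r) for dom, r in findings.items()}
```

On the sample log only example.org is reported, with all five reasons; a real deployment would feed the same functions from a resolver log or a pcap extractor rather than an inline string.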

DNS Tunneling Utilities

If you want to do your own pen testing to see how well your company can detect and respond, there are a few utilities available. All the ones below do IP-over-DNS:

  • Iodine – Available on many platforms (Linux, Mac OS, FreeBSD, and Windows). It lets you set up an SSH shell between the target and the remote computer. Here’s a good tutorial on how to set up and use Iodine.
  • OzymanDNS – Dan Kaminsky’s DNS tunneling project written in Perl. You can SSH with it.
  • DNSCat2 – “A DNS tunnel that won’t make you sick”. Creates an encrypted C2 channel to let you upload/download files, run a shell, etc.

DNS Monitoring Utilities

Below are some utilities that are useful for detecting tunneling attacks:

  • dnsHunter – A Python module written for MercenaryHuntFramework & Mercenary-Linux. Reads .pcap files to extract DNS queries and performs geo-lookups, which helps in analyses.
  • reassemble_dns – A Python tool to read .pcap files and reassemble DNS messages.

DNS Tunneling Micro FAQ

Yummy information in FAQ format!

Q: What is Tunneling?

A: It’s just a way to piggyback communications on an existing protocol. The underlying protocol carries a separate channel or tunnel, which is then used to hide the information that’s actually being sent.

Q: When Was the First DNS Tunneling Attack?

A: We don’t know! If you do, please tell us. As far as we can tell, the first discussion of this attack was from Oskar Pearson on the Bugtraq mailing list in April of 1998.

Q: What Attacks are Similar to DNS Tunneling?

A: DNS is not the only protocol you can use for tunneling. For example, Command and Control (C2) malware often uses HTTP as a way to hide communications. Just as with DNS tunneling, the hackers hide their data, but in this case it’s made to look like browser traffic to a remote web site (controlled by the hackers). It can fly under the radar of monitoring software that’s not attuned to this threat of misusing HTTP for evil purposes.


Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.
