What is DNS tunneling?

22 November 2019

EfficientIP

DNS tunneling is a non standard solution to exchange data using the DNS protocol. It can be used to extract data silently or to establish a communication channel with an external malicious server in the case of a Command and Control (C&C) exchange.

The DNS protocol is transactional and bi-dirctional, a client asks for a resolution and an answer is provided by one of the elements of the DNS hierarchy (recursive or authoritative server). Since this protocol is part of the network infrastructure it is not supervised in the same manner as an application transport protocol like HTTP for web browsing or SMTP for mail transfer. Therefore cybercriminals are able to use this transactional protocol to exchange application data rather than to simply resolve name (FQDN) in IP address.

DNS tunneling uses standard DNS transactions (e.g. getting the IP address associated with an FQDN) to exchange information with a malicious server acting as the DNS authoritative server for the specific DNS zone. A typical simplified flow would be the following:

  • Client requests a TXT record on a specific FQDN (command.malicious.me) to get the next action to perform
  • The DNS malicious server answers with the action to perform
  • The client gets the action from the TXT record and performs the action (e.g. cat /etc/passwd)
  • Result is compressed, encoded and split into small strings that will be used as the prefix to subsequent DNS requests on the same domain
  • DNS queries are sent to resolve these forged FQDNs, knowing that the answer is non-existent, the purpose is only to send back the result to the DNS fake server:
    • h4siaibwb.result.malicious.me
    • 0uca3nmyc3.result.malicious.me
    • myywukuos.result.malicious.me
    • ss0tkrbssj.result.malicious.me
  • The fake DNS server receives the requests and rebuilds the message by applying the inverse recipe (decode, uncompress…)

DNS tunneling can be used by a single user willing to establish a 2-way communication with the outside of the trusted zone, using his server to act as a DNS server on one side (outside) and a specific DNS-modified client on the other side (inside). DNS tunneling is also mainly used by command and control server to pilot the next action for multiple instances of their malware installed on infected devices, for example to perform a distributed denial of service attack against a web site.

Many implementations are available to build simple dns tunnels, both for the server side and the client side. Here is a small subset:

  • DeNiSe is an old proof of concept dns tunneling client/server written in python
  • DNScapy allows creation of an SSH tunnel over DNS
  • iodine allows creation of an IP tunnel between client and server, this could be used to get an Internet connexion where only DNS is authorized
  • dnscat2 is specialized in command and control activities, written in C for the client side it compiles on most modern systems, uses encryption and some features to add resiliency on the UDP transport protocol