Intro
DNS Tunneling represents a threat often operating under the radar of traditional defense measures. By leveraging a fundamental protocol of the internet, Domain Name System (DNS), this technique allows threat actors to exfiltrate data or establish command and control (C2) channels, often leaving IT security teams none the wiser.
What is DNS Tunneling?
DNS tunneling is a technique that uses the DNS protocol to encapsulate and transfer non-DNS traffic inside DNS queries and responses. It is primarily associated with malicious activity, chiefly data exfiltration and command and control (C2) communications, which let attackers exert remote control over compromised systems.
The restrictions imposed by the RFC specifications typically necessitate encoding to transmit data that is incompatible with the DNS character set. This could include binary data, such as files or images, or text containing special characters. Several encoding methods are available, but Base64 is a frequent choice for DNS tunneling because it can represent binary data as an ASCII string. Advanced attackers, however, often use custom encoding or obfuscation to hide what is actually being carried.
The variation in the number of DNS requests required to exfiltrate data can depend on several factors like the size of the payload in each request, the method of encoding used, and the additional overheads associated with different DNS protocols and extensions.
Detecting DNS Tunneling
To put the scale of this technique in perspective, it generally takes thousands of requests just to retrieve a modest MB-sized file. This is why tracking DNS request counts and their frequency identifies suspicious activity with a high rate of success. To go deeper, evaluate your data with statistical methods, such as deviations from the mean, that highlight sources issuing large volumes of requests with extended subdomain lengths, grouped by source IP address.
z_score = (long_unique_subdomain_count - avg_subdomain_length) / stdev_subdomain_length
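The per-source scoring sketched above, worked through as an added example (not part of the original post): the query log, the 30-character "long label" cutoff and the 2.0 z-score threshold are constructed assumptions. It groups queries by source IP, counts unique first labels longer than the cutoff, and z-scores that count against the population of all sources, which is the statistic the formula above refers to.

```python
import statistics
from collections import defaultdict

LONG_LABEL = 30    # assumed cutoff: first labels longer than this count as "extended"
Z_THRESHOLD = 2.0  # assumed cutoff: flag sources more than two stdevs above the mean

def build_sample_log():
    """Constructed query log lines '<src_ip> <qname>' (not real traffic): a few
    normal lookups plus one source sending many long, unique labels like a tunnel."""
    lines = [
        "10.0.0.5 www.example.com", "10.0.0.5 mail.example.com",
        "10.0.0.6 www.example.com", "10.0.0.7 cdn.example.net",
        "10.0.0.8 api.example.org", "10.0.0.9 www.example.com",
        "10.0.0.9 login.example.com",
    ]
    for i in range(40):  # 48-character labels, each unique, from one chatty host
        lines.append(f"10.0.0.42 {'q' * 44}{i:04d}.example.com")
    return lines

def first_label(qname):
    return qname.rstrip(".").split(".")[0]

def per_source_features(lines):
    """Return {src_ip: (query_count, long_unique_subdomain_count, avg_label_length)}."""
    labels_by_src = defaultdict(list)
    for line in lines:
        src, qname = line.split()
        labels_by_src[src].append(first_label(qname))
    feats = {}
    for src, labels in labels_by_src.items():
        long_unique = {lbl for lbl in labels if len(lbl) > LONG_LABEL}
        feats[src] = (len(labels), len(long_unique),
                      statistics.fmean(len(lbl) for lbl in labels))
    return feats

def z_scores(feats):
    """Z-score of each source's long-unique-subdomain count against all sources."""
    counts = [f[1] for f in feats.values()]
    mean, stdev = statistics.fmean(counts), statistics.pstdev(counts)
    if stdev == 0:  # every source looks alike; nothing stands out
        return {src: 0.0 for src in feats}
    return {src: (f[1] - mean) / stdev for src, f in feats.items()}

def flag_tunneling(lines, threshold=Z_THRESHOLD):
    """Source IPs whose long-unique-subdomain count exceeds the z-score threshold."""
    scores = z_scores(per_source_features(lines))
    return sorted(src for src, z in scores.items() if z > threshold)

if __name__ == "__main__":
    scores = z_scores(per_source_features(build_sample_log()))
    for src, z in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{src:12} z={z:6.2f}")
    print("flagged:", flag_tunneling(build_sample_log()))
```

On the constructed log only 10.0.0.42 is flagged; on real data, tune the label cutoff and threshold against a baseline period for your own environment.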
The PowerShell script below can be used to produce traffic that simulates the behavior of DNS tunneling. This will allow you to test your rules, or generate logs that can be used to develop rules based on this data.
# This script creates log outputs that mimic DNS tunneling behavior, providing a useful resource for testing and enhancing your detection rules across all of your security tools
param (
    [string]$Domain = "example.com",
    [int]$NumberOfRequests = 1000,
    [double]$Jitter = 0.9,
    [double]$Delay = 0.1
)

function Send-DnsRequest {
    param (
        [string]$Domain,
        [string]$Type
    )
    try {
        Resolve-DnsName -Name $Domain -Type $Type -ErrorAction Stop | Out-Null
    }
    catch {
        # These errors (typically NXDOMAIN) are normal if you run the script as is,
        # because the random labels do not exist under the target domain
        Write-Warning "Error: $_"
    }
}

# Array of DNS record types to use
$RecordTypes = @("TXT", "NULL")

for ($i = 1; $i -le $NumberOfRequests; $i++) {
    $TargetDomain = $Domain
    # The number of subdomain labels ranges from 1 to 6 (-Maximum is exclusive)
    $NumSubdomains = Get-Random -Minimum 1 -Maximum 7
    for ($j = 0; $j -lt $NumSubdomains; $j++) {
        # Each label is 25 to 63 characters long (63 is the DNS label limit) to mimic tunneling
        $SubdomainLength = Get-Random -Minimum 25 -Maximum 64
        # Draw from digits, upper- and lowercase letters and the hyphen (ASCII 45)
        $Subdomain = -join ((48..57) + (65..90) + (97..122) + 45 | Get-Random -Count $SubdomainLength | ForEach-Object { [char]$_ })
        $TempDomain = "$Subdomain.$TargetDomain"
        # Stop adding labels once the full name would exceed the 253-character limit
        if ($TempDomain.Length -gt 253) { break }
        $TargetDomain = $TempDomain
    }
    # Randomly select a DNS record type
    $RecordType = $RecordTypes | Get-Random
    Write-Output "Sending request to $TargetDomain with record type $RecordType"
    Send-DnsRequest -Domain $TargetDomain -Type $RecordType
    # Apply jitter around the base delay; clamp at zero, since with the default
    # values ($Delay - $Jitter) is negative and Start-Sleep rejects negative seconds
    $EffectiveDelay = [Math]::Max(0, (Get-Random -Minimum ($Delay - $Jitter) -Maximum ($Delay + $Jitter)))
    Start-Sleep -Seconds $EffectiveDelay
}
Conclusion
Monitoring DNS is crucial for detecting DNS tunneling, among other attacks. Employ statistical approaches and analyze the frequency or count of requests to pinpoint activity that is suspicious for your environment. DNS is often exploited to bypass security measures precisely because its use is typically subject to lax restrictions and little monitoring.