DNS (Domain Name System) is a service that converts hostnames to IP addresses. It is an application layer protocol that allows users and servers to exchange messages. Each host is identified by its IP address, but remembering numbers is extremely difficult for humans, and IP addresses are not static. As a result, DNS converts a site’s domain name to its numerical IP address.
DNS tunneling uses the DNS protocol to tunnel malware and exfiltrate the data.
Attackers set up a server on which malware is running and a domain that points to it. Using a server that has been infected with malware, the attacker searches for the attacker-controlled domain. The DNS resolver creates a tunnel between the attacker and their target when it routes the query, allowing them to obtain data, remotely control the host, or otherwise carry out the attack.
The below image shows the step-by-step working of DNS tunneling.
DNS tunneling is a mechanism that enables bad things to happen.
DNSCat2: This toolkit is divided into two sections, client and server. The large server can maintain connections with many customers, making it an essential C&C worker. It should be the first to run ahead of any of the customers. Encryption, sessions like Metasploit, and tunnels for TCP forwarding are just a few features. However, we may encounter issues with the toolkit, such as slow performance, limited sessions, and tunneling limitations.
Once DNScat2 installation is done, the server will run with the following command:
To establish a connection between the client and server, use the following command on the client machine:
One can also use Wireshark to verify that the session was successfully created. Port 53 plays a significant role in gaining a reverse shell because security devices rarely block it, and in scenarios where a system hosts more than one NIC card, traffic from both cards travels through a single DNS.
DNS protocol is based mainly on UDP. There’s no guarantee for the arrival of messages in the order they were sent. This is handled by DNS tunneling tools by either enforcing TCP communication over the DNS or sending constant ping messages between requests to assure the correct order. Applying these methods for integrity increases the rate of messages over the DNS protocol. Also, when a DNS tunneling tool is used for either web browsing or file transfer, the volume and length of messages will increase compared to normal DNS traffic behaviour.
Due to the latter, we expect the presence of DNS tunneling to cause a significant change in the DNS traffic with regards to (1) volume, (2) messages length, and (3) a shorter mean time between messages.
Once the connection is established, you will see a session on the server, as shown in the image below. You can use the command ‘sessions’ to see if a new session has been created.
We can now access the session and interact with many available options. This will create a new session two and interact with it, and we will have a traditional shell.
Payload analysis and traffic analysis are the two main methods for monitoring DNS and detecting attacks.
The contents of DNS requests and responses are examined in payload analysis. Suspicious activity can be detected using factors such as the size difference between the request and the response and unique hostnames.
To separate regular DNS traffic from malicious behaviour, traffic analysis uses information such as the number of requests, geographic locations, and domain history. Network detection and response, for example, uses machine learning to establish a baseline for what normal DNS behaviour looks like in any given environment, then sends out alerts when abnormal behaviour occurs, which could indicate an attack.
HIPS module in Quick Heal identifies and blocks malicious activities like DNS tunneling based on network rules & data exfiltration to protect our customers.
For all businesses, DNS is essential. Unfortunately, preventing DNS-based threats is a difficult task, and hackers are exploiting its inextricable but not entirely apparent exploitable surface. The techniques mentioned above will help detect and prevent DNS tunneling.