Danger Under Innocence: DNS Tunneling


1. Brief information about DNS Protocol

DNS is the protocol that resolves human-readable domain names into IP addresses. It is one of the basic protocols of Internet communication and is therefore used everywhere. A DNS exchange consists of a query and a response. An infrastructure usually has trusted DNS servers that forward DNS queries to the respective authoritative DNS server. These are called caching / forwarding DNS servers and are found in service-provider infrastructure or in organizations themselves. The gateways used by home users also act as forwarding DNS servers and generally forward DNS queries to the DNS servers specified in their configuration.

2. How Can DNS Be Abused?

DNS tunneling is an attack technique that encodes the data of other programs or protocols inside DNS queries and responses. Essentially it is a misuse of the DNS protocol: it creates a covert communication channel that bypasses the organization's security layers. It has been around for almost 20 years.

[Figure: How DNS tunneling works: a regular query/response compared with a DNS tunneling query/response]

3. Demonstration Setup

As mentioned before, the attacker must have a domain name and an authoritative DNS server under their control. In addition, a compromised client system is required on which the DNS tunneling client application will run, together with a DNS server that acts as the caching / forwarding DNS for that system. According to these needs, the following components are used in the topology above (Figure 1).

  • -c: Disable checking of the client IP address.
  • -P: Authentication password.
  • -r: If not used, iodine checks whether the iodined server is reachable directly; if it is, it sends traffic to the server directly instead of relaying it through DNS.
  • -m: Force the maximum fragment size. If not used, iodine automatically probes the maximum fragment size.
  • -M: Maximum length of upstream hostnames. The default is 255.
  • -T: Query type.
  • -I: Maximum interval between requests for keep-alives.
[Figures: IODINE server screen output; IODINE client screen output; IODINE query samples; DNSCat server usage; DNSCat client usage; DNSCat2 server usage after the client connects; DNSCat sample queries]
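A defender-side heuristic over a resolver query log, added here as an example and not part of the original post or of the iodine/dnscat2 projects: it scores each queried name on the entropy of the labels below the zone and on the record type (the types iodine's -T and dnscat2 rely on), then aggregates per zone so that a single odd lookup does not fire. The log format, the sample lines and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed sample resolver log (not real traffic): "<client> <qtype> <qname>"
SAMPLE_LOG = """\
10.0.0.5 A    www.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.7 NULL 0a9f3k2j1lqzx8vw7y6t5r4e3w2q1a.t.tunnel-domain.test
10.0.0.7 NULL 1b8e4l3k2mrya9wx8z7u6s5f4x3r2b.t.tunnel-domain.test
10.0.0.7 TXT  2c7d5m4l3nszb0xy9a8v7t6g5y4s3c.t.tunnel-domain.test
10.0.0.5 A    cdn.example.com
"""
# Record types the tools above favour (iodine -T, dnscat2); A/AAAA alone prove nothing.
UNUSUAL_QTYPES = {"NULL", "TXT", "CNAME", "MX", "SRV", "PRIVATE"}

def shannon_entropy(s):
    # Bits per symbol: encoded payload labels score well above ordinary hostnames.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    # Approximate the attacker-controlled zone as the last two labels (no PSL lookup).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]

def query_indicators(qtype, qname):
    # Per-query heuristics; returns (zone, set of indicator names).
    zone, sub = split_name(qname)
    payload = "".join(sub)            # everything below the zone carries the data
    found = set()
    if len(payload) >= 20 and shannon_entropy(payload) > 3.5:
        found.add("high-entropy")
    if qtype.upper() in UNUSUAL_QTYPES:
        found.add("unusual-qtype")
    return zone, found

def flag_tunnel_zones(log_text, min_unique=3):
    # Aggregate per zone: many distinct names plus per-query indicators => flag.
    zones = defaultdict(lambda: {"names": set(), "indicators": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                  # skip malformed lines
        _client, qtype, qname = parts
        zone, found = query_indicators(qtype, qname)
        zones[zone]["names"].add(qname)
        zones[zone]["indicators"].update(found)
    # Score = distinct indicators (+1 for many unique names); 2 or more flags the zone.
    return {zone: sorted(z["indicators"]) for zone, z in zones.items()
            if len(z["indicators"]) + (len(z["names"]) >= min_unique) >= 2}
```

On the sample log only tunnel-domain.test is flagged; example.com has many unique names but no per-query indicator, which is what keeps ordinary busy zones out of the alert.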

4. Conclusion

As you can see, DNS tunneling is extremely easy to set up. This technique has also been used in sophisticated attacks in recent years. I recommend reviewing the link below:

5. References

[1] RFC 1035, Domain Names — Implementation and Specification, P. Mockapetris, the Internet Society (November 1987)
