DNS Abuse Detection: DNS tunneling - tunneling another protocol over DNS
Definition
DNS tunneling is the use of the DNS protocol to encapsulate other protocols. Tunneling is a process in which the client encodes its requests and responses and sends them to a server that accepts DNS requests; that server decodes the DNS traffic and converts it back to the target protocol. DNS tunneling can be used for command and control ("C2" or "C&C") communication and as a functional equivalent of a Virtual Private Network.
DNS tunneling can also be used for exfiltration and infiltration. Exfiltration and infiltration of information via the DNS is addressed in a separate section, because the approaches to detection and prevention differ.
Advice
The monitoring infrastructure needed to detect DNS tunneling requires careful consideration. Because DNS tunneling uses the DNS protocol itself, detection is challenging if one looks only at individual queries. Without context, the traffic may appear to be a normal client sending DNS requests to a remote server and receiving normal responses. The use of encrypted DNS protocols such as DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) makes detection more difficult still.
The general approach for detecting DNS tunneling would be to look for suspicious behavior in patterns of network traffic. Such patterns include:
- An unusual number of DNS requests to a particular server and the corresponding responses. Especially suspicious is traffic that flows directly between a client and a server outside of the organisational network: most of the time tunneling is indeed point to point;
- Regular and consistent packet sizes in queries and responses;
- Client- or server-supplied data elements, such as subdomains, hostnames, record type, or EDNS data, that match Base32 or Base64 encoding schemes.
Connecting directly to the remote server and attempting to send a normal DNS request can help verify whether it is an actual DNS server or not. Incorrect responses may show that it is not being used for normal DNS operations.
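The following script is an added example, not part of the original SIG guidance, showing how the three traffic patterns above can be checked against DNS query logs of the kind listed under Potential Resources. It groups queries by (client, server) pair and flags pairs that talk directly to a server outside the organisation's resolvers, show near-uniform query-name lengths (used here as a stand-in for packet size, which query logs often do not record), or carry leftmost labels that fit the Base32/Base64 alphabets and have high entropy. The log format, the sample lines, the resolver address 10.0.0.2 and the thresholds are all constructed assumptions for the example; tune them to your own environment.

```python
import math
import re
import statistics
from collections import defaultdict

# Constructed sample query log (not captured traffic). Fields: epoch client server qname qtype
# 10.0.0.2 is assumed to be the organisation's own resolver; 203.0.113.9 is an external host
# that the client 10.0.0.7 queries directly with Base32-looking labels.
SAMPLE_LOG = """\
1700000000 10.0.0.5 10.0.0.2 www.example.com A
1700000001 10.0.0.5 10.0.0.2 mail.example.com MX
1700000003 10.0.0.5 10.0.0.2 cdn.example.org A
1700000004 10.0.0.5 10.0.0.2 static-assets.cdn.example.org A
1700000005 10.0.0.5 10.0.0.2 ntp.example.com A
1700000010 10.0.0.7 203.0.113.9 mfrggzdfmztwq2lknnwg23tpobyxe43u.t.example.net TXT
1700000011 10.0.0.7 203.0.113.9 nbswy3dpfqqhg33snrsccyjan5xgk5q2.t.example.net TXT
1700000012 10.0.0.7 203.0.113.9 orsxg5bamjqxezlemfzgkidtmvrw63lfon.t.example.net TXT
1700000013 10.0.0.7 203.0.113.9 mfrggzdfgeztkmrvgy3tqojqfqqhg2lh.t.example.net TXT
1700000014 10.0.0.7 203.0.113.9 ovzxe42sonxxeiddn5wgk3tu2ytpzrlnlj.t.example.net TXT
1700000015 10.0.0.7 203.0.113.9 ge2dcmrxgyzdemrwmu3tmojwgaytcmzwmm.t.example.net TXT
"""

# Base32 alphabet (RFC 4648) and Base64 including the URL-safe variant; minimum label length of
# 16 is an assumed threshold to avoid matching ordinary short hostnames.
BASE32_RE = re.compile(r"^[a-z2-7]{16,}=*$", re.IGNORECASE)
BASE64_RE = re.compile(r"^[a-z0-9+/_-]{16,}=*$", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.5  # bits per symbol; assumed threshold, random Base32 text scores about 4


def shannon_entropy(text):
    """Shannon entropy in bits per symbol of a string (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encoded(label):
    """True when a label fits the Base32/Base64 alphabet and has the entropy of encoded data."""
    if not (BASE32_RE.match(label) or BASE64_RE.match(label)):
        return False
    return shannon_entropy(label) >= ENTROPY_THRESHOLD


def parse_log(text):
    """Parse the constructed log format into a list of dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, server, qname, qtype = parts
        records.append({"ts": int(ts), "client": client, "server": server,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def score_pairs(records, internal_resolvers, min_queries=5, max_len_stdev=2.0):
    """Group queries by (client, server) and report pairs that show tunneling indicators."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["server"])].append(r)
    findings = []
    for (client, server), recs in groups.items():
        lengths = [len(r["qname"]) for r in recs]
        encoded = sum(1 for r in recs if looks_encoded(r["qname"].split(".")[0]))
        indicators = []
        # 1. Many queries straight to a server that is not one of our resolvers (point to point).
        if server not in internal_resolvers and len(recs) >= min_queries:
            indicators.append("direct queries to external server: %d" % len(recs))
        # 2. Near-uniform query-name lengths, a proxy for regular packet sizes.
        if len(recs) >= min_queries and statistics.pstdev(lengths) <= max_len_stdev:
            indicators.append("uniform query-name length, mean %.1f" % statistics.mean(lengths))
        # 3. Most leftmost labels look like Base32/Base64 payloads.
        if encoded / len(recs) >= 0.5:
            indicators.append("encoded-looking labels: %d of %d" % (encoded, len(recs)))
        if indicators:
            findings.append({"client": client, "server": server, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in score_pairs(parse_log(SAMPLE_LOG), internal_resolvers={"10.0.0.2"}):
        print("%s -> %s: %s" % (f["client"], f["server"], "; ".join(f["indicators"])))
```

Run against the constructed log, only the 10.0.0.7 to 203.0.113.9 pair is reported, with all three indicators. Each heuristic alone produces false positives (CDNs and anti-spam services also use long hashed labels, and busy clients also send many queries), so the value is in the combination and in the context the text stresses: who the server is, and whether the client should be talking to it at all.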
Examples
There are many open tools for setting up VPN tunnels using DNS. Network defenders should consider this a commonly accessible capability. Some examples of packages that can perform DNS tunneling are:
- https://github.com/iagox86/dnscat2 - creates encrypted channels over DNS that can be used for various purposes
- https://code.kryo.se/iodine/ - allows tunneling generic IP packets over DNS
- https://github.com/alex-sector/dns2tcp
- https://github.com/mosajjal/dnspot
- https://github.com/tladesignz/dnstt
Potential Resources
Some network forensics data sources to gather evidence on these patterns for detection include:
- DNS query logs
- IDS logs
- Firewall logs
- Inbound and outbound connection monitors
CISA has published a thorough guide on implementing encrypted DNS in the enterprise so that DNS tunneling can be detected and blocked: https://www.cisa.gov/sites/default/files/2024-05/Encrypted%20DNS%20Implementation%20Guidance_508c.pdf
An excellent and very thorough paper on detecting DNS tunneling is recommended: https://www.giac.org/paper/gcia/1116/detecting-dns-tunneling/108367
A description of DNS tunneling and how it can be abused: "DNS Tunneling: how DNS can be (ab)used by malicious actors" (paloaltonetworks.com)