Saturday, August 31, 2019

DNS Tunneling Attack

"DNS was never intended to transfer data, but malicious users have been using it for that purpose for years now."

The Domain Name System (DNS) protocol is used by services such as web browsing and Active Directory to translate IP addresses into a readable form and vice versa. Users can enter a domain name in the browser (like google.com) and DNS will resolve this name to an IP address. This is how the computer knows which IP address to communicate with to get the data.

For communication, DNS uses both UDP and TCP on port 53. TCP is used for any payload over 512 bytes and for zone transfers.

DNS Working

When a user wants to access www.google.com, the computer first queries its local DNS server. If no result is found, it then queries its configured upstream DNS server. The upstream DNS server may be operated by the user's ISP, their company, or another public DNS service. The upstream DNS server checks its local cache for the answer. If it has no answer, it queries the root DNS servers, or another upstream DNS server if one is configured. The root DNS servers direct the querying DNS server to the appropriate top level domain (TLD) DNS server, in this case the TLD server for .com. The .com TLD DNS server then refers the querying DNS server to the google.com authoritative DNS server. The google.com DNS server resolves the IP address for www.google.com. This information is then cached by both the client and the requesting server to improve the response time for later queries for www.google.com.

Common DNS Record Type

Some of the common record types used in DNS are the A, PTR, MX, CNAME, TXT, NS, and SOA records.

  • The A record maps a host and domain name to the IP address, for the forward lookup. 
  • The PTR record provides the IP address to host and domain name, for the reverse lookup. 
  • The MX record provides the host and domain mapping for mail servers. 
  • The CNAME (Canonical Name) record is used as an alias to other A or CNAME records. 
  • The NS (Name Server) record is used to tell other DNS servers and clients who the authoritative server is for a particular domain. 
  • The record type SOA (Start of Authority) provides information such as the current version of the domain’s records. 
  • The TXT (Text) record stores any text string. The most popular use of a TXT record is to store the IP addresses and domains of valid email senders for a particular domain, also known as the Sender Policy Framework (SPF) record. 

Uncommon DNS Record Type

Uncommon records that may appear are AAAA, AXFR, and DNSKEY.

  • The AAAA record resolves domain names for the 128-bit IPv6 IP address. 
  • The AXFR record indicates a zone transfer. DNS zone transfers are one of the many methods available to administrators to replicate DNS databases across a group of DNS servers.
  • The DNSKEY record is for Domain Name System Security Extension (DNSSEC) identification. DNSSEC is the signing of domain names and records to validate their authenticity against any modification by a third party. 


DNS Tunneling

DNS tunneling is often used to bypass the security controls of publicly available hotspots in order to get free Internet access. A tunnel over DNS is established by hiding data inside DNS requests, which is then turned back into real data on the destination DNS server. A more malicious reason for DNS tunneling is to exfiltrate data from an organization's network or even to receive commands/updates from a command and control server. DNS tunneling is still a persistent threat because DNS is not monitored and is blindly trusted.

Detect DNS Tunneling
There are various ways to detect DNS tunneling using your SIEM solution.

1. Look into the frequency of DNS requests
Normally, a DNS request is smaller than 512 bytes and therefore uses UDP; as noted above, any payload greater than 512 bytes uses TCP. To go undetected, attackers try to hide their data transfer by keeping each DNS request under 512 bytes. As a result, a source that is transferring the organization's critical data (such as credit card data, intellectual property, or customer data) via DNS will send DNS requests more frequently than usual. If HOST X usually makes 500 DNS requests per day and unusually makes 1500 requests, it needs to be scrutinized.

Steps:
1. Create a threshold for the number of DNS requests for each host
2. Trigger an alert if the number of requests exceeds 2 or 3 times this number

2. Length of DNS requests
Normally, a DNS request is not long, e.g. gmail.com or drive.google.com. Create a rule that triggers when the length of a DNS request is greater than a certain threshold (like > 50). You can use a regular expression to check the length of the requested domain name: (.{50,})

In both of the above cases there can be false positives, and the thresholds can be adjusted to minimize them.
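The two rules above, applied to one day of DNS query logs, as an added example that is not part of the original post. The log line format, the host addresses, the `detect` and `parse` helpers, and the choice to flag hosts that have no baseline yet are assumptions made for illustration; the sample data is constructed.

```python
import re
from collections import Counter

LONG_NAME = re.compile(r".{50,}")  # the post's length rule: 50 or more characters

def parse(line):
    """Split one log line in the assumed format '<timestamp> <src_ip> <qname> <qtype>'."""
    _ts, src, qname, _qtype = line.split()
    return src, qname.rstrip(".").lower()

def detect(lines, baseline, multiplier=2):
    """Return (frequency_alerts, long_names) for one day of DNS queries.

    baseline maps host -> usual requests per day. A host alerts when its count
    exceeds multiplier * baseline. A host with no baseline is reported with
    usual=None so it gets baselined instead of being silently ignored.
    """
    counts, long_names = Counter(), {}
    for line in lines:
        try:
            src, qname = parse(line)
        except ValueError:
            continue  # malformed line: skip it rather than abort the run
        counts[src] += 1
        if LONG_NAME.search(qname):
            long_names.setdefault(src, set()).add(qname)
    freq = {}
    for src, n in counts.items():
        usual = baseline.get(src)
        if usual is None or n > multiplier * usual:
            freq[src] = (n, usual)
    return freq, long_names

def sample_day():
    """Constructed data: one quiet host, one host at 1500 requests against a usual 500."""
    quiet = ["2019-08-31T09:00:00 10.0.0.5 drive.google.com. A"] * 480
    noisy = [f"2019-08-31T09:00:00 10.0.0.9 {i:040x}.t.example.com. TXT"
             for i in range(1500)]
    return quiet + noisy

if __name__ == "__main__":
    freq, long_names = detect(sample_day(), {"10.0.0.5": 500, "10.0.0.9": 500})
    for host, (seen, usual) in freq.items():
        print(f"frequency alert: {host} made {seen} requests (usual {usual})")
    for host, names in long_names.items():
        print(f"length alert: {host} sent {len(names)} distinct long names")
```

Raising `multiplier` to 3, or tightening the regular expression's minimum length, are the two knobs for trading false positives against missed detections.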
