Strathmore University Safaricom Academy

Title: DNS TUNNELING MTI 8502 - Network Security

Presented by: Derrick Rono Date: 14/05/2015

Abstract

Our internet exists because of the DNS technology; any exploitation of it or error in it can bring down the internet for several days or months, or in a specific region. Such cases have happened in the past, causing global outages. DNS was not initially created to allow execution of commands or tunneling. However, with time several utilities have been developed to enable tunneling: they use DNS tunnels to allow the transmission of arbitrary data over the DNS infrastructure. Over the past years DNS has received less attention in terms of security because it was not intended for general data transfer. This has therefore made DNS attacks pose serious security risks to organizations. This paper will review the principles behind the working of DNS tunneling and some of the utilities that can be used to support it, and I will also discuss ways of preventing such attacks using payload analysis and traffic analysis techniques.

Table of Contents

MTI 8502 - Network Security
Abstract
1. Introduction
  1.2. Overview of DNS
  1.3 DNS Tunneling
  1.4 Tools used for DNS tunneling
    1.4.1 OzymanDNS
    1.4.2 Dns2tcp
    1.4.3 Iodine
    1.4.4 Magic Tunnel, Element53, VPN-over-DNS (Android)
  1.5 Detecting DNS Tunneling
    1.5.1 Payload analysis
    1.5.2 Traffic analysis
  1.6 Ways of Preventing DNS Tunneling
Conclusion
References

1. Introduction

During our daily search for information we use the internet to perform these operations. Web browsers and email use the Domain Name System (DNS), which allows applications to use names to represent IP addresses, for example strathmore.edu. According to Bojan, Nevil and Duane (2007) the internet protocol does not need DNS in order to operate. However, users' need to distinguish machines by name requires the DNS protocol to resolve names to IP addresses. DNS is not intended for data transfer, but people can tamper with it to perform malicious communications or mine data from clients (Greg Farnham, 2012). Most organizations have neglected DNS as a low threat and therefore do not monitor it, focusing instead on high-threat traffic like email and web. The fact that DNS is not centrally controlled makes it prone to attacks or misuse from outside the organization. It also allows attackers to trade domain names or even shift domain name records quickly to avoid blocking by admins. Alternatively, attackers can use vulnerabilities that exist in client-side security, which is normally not stringent on DNS traffic, even in tightly controlled organizational networks (Bojan, Nevil, & Duane, 2007). Accordingly, the publication states that organizations have implemented strict firewall policies, but this is not enough since DNS traffic is usually unrestricted because of its utilization by many protocols. Attackers have taken advantage of this limitation not only to send data over DNS but also to set up rogue DNS servers which give them control over the victim's internet behaviour. According to Ryan W. Neal (2013), reports that Google Kenya was hacked were termed false; instead, a report showed that a Bangladeshi hacker had infiltrated a DNS server in Kenya and redirected users to an alternative website. There are several tools which can be used to perform highly sophisticated attacks or exploitations of the DNS protocol.

Greg Farnham claims that the variety of tools that exist in the market serve various needs, spanning from intrusive attacks, getting free internet from Wi-Fi hotspots that have captive portals, running remote operating system commands and file transfer, to even full IP tunnels (Detecting DNS Tunneling, 2012). There are two key techniques used for DNS manipulation: DNS tunneling and DNS signaling. In this paper we are going to discuss DNS tunneling.

1.2. Overview of DNS

DNS is short for Domain Name System. According to Wikipedia, the Domain Name System is a distributed naming system for computers, devices or any resource connected to the internet. It translates human-readable domain names into IP addresses which link to computers around the world. The main features and requirements of DNS are scalability and availability. To achieve this, the DNS name space is zoned according to regions or organizations, and each organization has one authoritative zone in the DNS hierarchy. A fully qualified domain name (FQDN) is used to represent the complete domain name for a node. The FQDN defines the complete path for a domain name starting from the leaf to the root of the tree. Each node is represented by a label which identifies its zone (Kenton & Dr. David, 2010). DNS traffic communicates using UDP or TCP on port 53, but most of its communication happens over UDP, which is used by most resolvers. Originally TCP was only used for zone transfers, but its use was expanded to support transfer of data when the request was much bigger than 512 octets (Bojan, Nevil, & Duane, 2007). The database that makes up the domain space is stored in multiple name servers. The different parts of the domain space are stored in different name servers; however, a copy of a data item will be replicated across two or more name servers. During the resolution process the resolver starts by checking the received client query, then it asks the available name servers for information. The resolvers either return the information to the client or a referral to another name server. Using these referrals, resolvers develop intelligent databases with information about other name servers (Domain Implementation and Specification, 1987). Accordingly, the specification goes on to define the types of data name servers can read. The first type is the set of zones of the domain space. This data is referred to as authoritative; it is checked periodically to ensure that its zones are up to date, and if not the server fetches a copy of the updated information. The other type is cached data, which is acquired by a local resolver. This increases performance during the retrieval process when local data is accessed several times. Figure 1.0 below describes the process of resolving a domain name.

Figure 1 (David, C. 2012)
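As an added illustration of the wire format described in the overview above (example code written for this page, not taken from any of the cited sources), the following Python encodes and decodes RFC 1035 names as length-prefixed labels, builds a single-question query and checks it against the 512-octet UDP limit. The transaction ID and the sample name strathmore.edu are arbitrary choices for the example.

```python
import struct

# RFC 1035 limits: a label is at most 63 octets, a whole name at most 255
# octets, and a classic DNS message carried over UDP at most 512 octets.
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255
UDP_MAX_MESSAGE = 512


def encode_name(fqdn):
    """Encode an FQDN into wire format: each label is prefixed by its length
    and the sequence ends with a zero-length label, which stands for the root."""
    out = bytearray()
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= MAX_LABEL_LEN:
            raise ValueError("label length out of range: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    if len(out) > MAX_NAME_LEN:
        raise ValueError("name longer than %d octets" % MAX_NAME_LEN)
    return bytes(out)


def name_is_valid(fqdn):
    """True if the name can be encoded within the RFC 1035 limits."""
    try:
        encode_name(fqdn)
        return True
    except ValueError:
        return False


def decode_name(buf, offset=0):
    """Decode a wire-format name starting at offset. Compression pointers
    (top two bits of the length set) only occur in responses and are rejected
    to keep the example short. Returns (fqdn, offset_after_name)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not supported here")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(fqdn, qtype=1, txid=0x1234):
    """Build a one-question standard query: QR=0, opcode 0, RD=1, class IN.
    qtype 1 is an A record; txid is an arbitrary example value."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", qtype, 1)


def parse_question(message):
    """Parse the 12-octet header and the first question of a DNS message."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    name, off = decode_name(message, 12)
    qtype, qclass = struct.unpack("!HH", message[off:off + 4])
    return {"id": txid, "flags": flags, "qdcount": qdcount,
            "name": name, "qtype": qtype, "qclass": qclass}


def fits_in_udp(message):
    """Messages above 512 octets fall back to TCP (or need EDNS0)."""
    return len(message) <= UDP_MAX_MESSAGE


if __name__ == "__main__":
    query = build_query("strathmore.edu.")
    print(query.hex())
    print(parse_question(query), "fits in UDP:", fits_in_udp(query))
```

Running it prints the 32-octet query for strathmore.edu and the parsed question; the label-length check is the same rule a resolver applies, so an over-long label is rejected before anything reaches the wire.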

1.3 DNS Tunneling

DNS tunneling allows other protocols to be tunneled through DNS. According to Beauregard (2013) DNS tunneling is a technique that allows attackers to encode the data of other programs or protocols in DNS queries and responses, and this has been of concern since the late 1990s. Although the original intention of DNS tunneling was to bypass captive portals in Wi-Fi hotspots, with time its use has expanded and created more risks to organizations. The most basic level of tunneling would require a client to be compromised, whether through malware, phishing or social engineering. However, the client does not necessarily need access to the internet to be compromised. The client will just need access to an internal DNS server with external access, which will be forwarding and receiving requests (DNS Tunneling: Is it a security threat?, 2013). Accordingly, an attacker must own a domain and a server which will act as the authoritative server for that domain, to host the server-side tunneling and decoding programs. In a normal scenario DNS tunneling occurs over a tunnel with data encapsulated within queries and replies using base32 and base64 encoding. The DNS domain name lookup system is then used to send bidirectional data requests. So wherever ordinary domain name lookups succeed on a network, you can tunnel any kind of data you want to a remote system (Fruz, 2014).

Figure 2 (Fruz, 2014)

In the scenario above, according to Fruz (2014), User A and User B sit behind a corporate firewall D. The firewall policy blocks all traffic except that passing via port 53, but User A and User B can still access the internet by exploiting DNS traffic via tunneling. Since the DNS server on the left has caching capabilities, when User A accesses a website that is in the cache the request will not go to the iterative server. So when User A invokes a request for a new name, the DNS server will not find its A record in its cache and will therefore send the request to an outside DNS server.

1.4 Tools used for DNS tunneling

1.4.1 OzymanDNS

According to Plenz (2006) the OzymanDNS client is a Perl script which encodes and transfers everything on STDIN to its destination via DNS requests; the replies are written to STDOUT. So it cannot work as a standalone program but is used together with SSH to tunnel traffic.

1.4.2 Dns2tcp

Dns2tcp was written by Olivier Dembour and Nicolas Collignon. It is written in C and runs on Linux; the client can also run on Windows. It supports KEY and TXT request types (Dembour, 2008).

1.4.3 Iodine

Iodine is a DNS tunneling program first released in 2006, with updates as recently as 2010. It was developed by Bjorn Andersson and Erik Ekman. Iodine is written in C and runs on Linux, Mac OS X, Windows and others, and it has been ported to Android. It uses a tun or tap interface on the endpoint (Andersson, 2010).

1.4.4 Magic Tunnel, Element53, VPN-over-DNS (Android)

These are clients that facilitate tunneling over DNS on smartphones. According to Marcel (2012) Element53 is a ready-to-use DNS tunnel for Android. It creates a TCP tunnel to a SOCKS proxy server.

1.5 Detecting DNS Tunneling

According to Farnham (2013) there are two techniques used to detect DNS tunneling: payload analysis and traffic analysis.

1.5.1 Payload analysis

Payload analysis is a technique that analyzes the content of a DNS query or response in order to detect anomalies. Various researchers have come up with ways of analyzing the content of a DNS query, based on various aspects and behaviors exhibited by the protocol. According to Fruz (2014), identifying DNS anomalies involves checking the length of characters in a DNS request and response. Often the length of a normal request should not be more than 64 characters, so it is likely that tunneled traffic will have more than 64 characters.
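An added example of payload analysis in Python (written for this page, not code from any of the cited sources): it applies the 64-character rule quoted above together with label-length, label-count, entropy and digit-ratio checks on the leftmost label. Only the 64-character figure and the 63-octet label limit come from the page or RFC 1035; the other thresholds and the placeholder zone tunnel.example.net are assumptions, and the tunnel-like name is constructed test input, base32-encoded in the way the tunneling section describes.

```python
import base64
import math
from collections import Counter

# Thresholds. 64 is the request length quoted above (Fruz, 2014); 63 is the
# RFC 1035 label limit; the remaining cut-offs are assumptions for this example.
MAX_NORMAL_QNAME_LEN = 64
MAX_LABEL_LEN = 63
MAX_LABELS = 6
MIN_LABEL_FOR_STATS = 16      # only judge entropy and digits on labels this long
ENTROPY_THRESHOLD = 3.5       # bits per character of the leftmost label
DIGIT_RATIO_THRESHOLD = 0.3


def shannon_entropy(text):
    """Bits per character: 0 for a constant string, up to log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def analyze_qname(qname):
    """Return the anomaly indicators found in one queried name ([] = looks normal)."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    leftmost = labels[0]
    findings = []
    if len(name) > MAX_NORMAL_QNAME_LEN:
        findings.append("qname_len>%d" % MAX_NORMAL_QNAME_LEN)
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        findings.append("label_len>%d" % MAX_LABEL_LEN)   # cannot even be encoded on the wire
    if len(labels) > MAX_LABELS:
        findings.append("too_many_labels")
    if len(leftmost) >= MIN_LABEL_FOR_STATS:
        if shannon_entropy(leftmost) > ENTROPY_THRESHOLD:
            findings.append("high_entropy_label")
        digits = sum(ch.isdigit() for ch in leftmost)
        if digits / len(leftmost) > DIGIT_RATIO_THRESHOLD:
            findings.append("digit_heavy_label")
    return findings


def score_queries(qnames):
    """Map each flagged name to its indicators; names with no findings are dropped."""
    flagged = {}
    for qname in qnames:
        findings = analyze_qname(qname)
        if findings:
            flagged[qname] = findings
    return flagged


def make_encoded_name(zone="tunnel.example.net", nbytes=40):
    """Constructed test input: nbytes of deterministic pseudo-random data,
    base32-encoded and split into labels under a placeholder zone, which is
    the shape of query the tunneling section describes."""
    payload = bytes((i * 37 + 11) % 256 for i in range(nbytes))
    enc = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    chunks = [enc[i:i + 50] for i in range(0, len(enc), 50)]
    return ".".join(chunks) + "." + zone + "."


# Constructed sample: three ordinary names and one encoded one.
SAMPLE_QNAMES = ["strathmore.edu.", "www.google.com.", "mail.example.org.",
                 make_encoded_name()]

if __name__ == "__main__":
    for qname, findings in score_queries(SAMPLE_QNAMES).items():
        print(qname, findings)
```

The length rule alone already catches the encoded name (84 characters); the entropy check adds a second, independent signal, which matters because a tunnel can keep each query under 64 characters by sending less data per query. Conversely, long but low-entropy names such as CDN hostnames will trip the length rule only, so the indicators are meant to be combined rather than acted on singly.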

1.5.2 Traffic analysis

This technique mainly involves analyzing the traffic going to a certain domain in order to detect anomalies which might indicate DNS tunneling requests. Accordingly, tools like DNStrap help in detecting tunneling by using artificial neural networks. The tool uses 5 attributes to train the artificial neural network to detect tunneling. These attributes include the domain name, the number of packets sent to a certain domain, the average length of the packets sent, the average number of distinct characters in the Low Level Discovery and the distance between the Low Level Discovery.
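An added example (not DNStrap's code) in Python that computes the five attributes listed above per domain over a constructed query log and applies fixed thresholds in place of the neural network. It assumes that the "Low Level Discovery" attributes are measured on the leftmost label of each queried name, that a domain is identified by its last two labels, and the threshold values; the log lines and the zone tunnel.example.net are constructed for the example.

```python
from collections import defaultdict

# Constructed sample query log, one "timestamp client qname qtype" per line.
# The entries under the placeholder zone tunnel.example.net carry made-up
# base32-style leftmost labels; the others are ordinary lookups.
SAMPLE_LOG = """\
2015-05-14T10:00:01 10.0.0.5 www.google.com. A
2015-05-14T10:00:02 10.0.0.5 mail.google.com. A
2015-05-14T10:00:03 10.0.0.7 strathmore.edu. A
2015-05-14T10:00:04 10.0.0.7 www.strathmore.edu. A
2015-05-14T10:00:05 10.0.0.9 q3k7mzvx2ybp5hwn.tunnel.example.net. TXT
2015-05-14T10:00:05 10.0.0.9 f6d2rlc4ajt7ye3q.tunnel.example.net. TXT
2015-05-14T10:00:06 10.0.0.9 zw5ng7kbh2m4ps6x.tunnel.example.net. TXT
2015-05-14T10:00:06 10.0.0.9 t4ej5acy7lvq2drn.tunnel.example.net. TXT
"""

# Thresholds are assumptions for this example, not values from the page.
MIN_QUERIES = 4
MIN_AVG_DISTINCT = 10.0
MIN_AVG_DISTANCE = 8.0


def levenshtein(a, b):
    """Edit distance, used as the distance between successive leftmost labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            records.append((ts, client, qname.rstrip(".").lower(), qtype))
    return records


def registered_domain(qname):
    # Assumption: the last two labels identify the domain (no public-suffix list).
    return ".".join(qname.split(".")[-2:])


def leftmost_label(qname):
    return qname.split(".")[0]


def domain_stats(records):
    """Per-domain attributes: query count, average name length, average number
    of distinct characters in the leftmost label, and average edit distance
    between consecutive leftmost labels."""
    by_domain = defaultdict(list)
    for _ts, _client, qname, _qtype in records:
        by_domain[registered_domain(qname)].append(qname)
    stats = {}
    for domain, qnames in by_domain.items():
        labels = [leftmost_label(q) for q in qnames]
        distances = [levenshtein(x, y) for x, y in zip(labels, labels[1:])]
        stats[domain] = {
            "count": len(qnames),
            "avg_len": sum(len(q) for q in qnames) / len(qnames),
            "avg_distinct_lld": sum(len(set(l)) for l in labels) / len(labels),
            "avg_lld_distance": sum(distances) / len(distances) if distances else 0.0,
        }
    return stats


def suspicious_domains(stats):
    """Domains exceeding every threshold: a fixed-rule stand-in for the
    neural-network classifier the text mentions."""
    return sorted(d for d, s in stats.items()
                  if s["count"] >= MIN_QUERIES
                  and s["avg_distinct_lld"] >= MIN_AVG_DISTINCT
                  and s["avg_lld_distance"] >= MIN_AVG_DISTANCE)


if __name__ == "__main__":
    stats = domain_stats(parse_log(SAMPLE_LOG))
    for domain, s in stats.items():
        print(domain, s)
    print("suspicious:", suspicious_domains(stats))
```

On the sample, google.com averages 2.5 distinct characters per leftmost label and strathmore.edu 4.5, while the tunnel zone averages 16 with successive labels that are almost entirely different from one another; the neural network in DNStrap learns where to draw those lines, whereas the fixed thresholds here only show which attributes separate the two kinds of traffic.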

1.6 Ways of Preventing DNS Tunneling

Currently the best way of identifying DNS tunneling is through statistical anomaly detection on the network. For instance, if you are running a premium Wi-Fi hotspot you should ensure that the server answers only local queries until a payment has been made; thereafter the client can access the internet via DNS lookup. You can also prevent it by ensuring that requests to any other domains or zones are not handled recursively (Finux, 2011). Also, preventing queries for TXT records is likely to prevent DNS tunneling and does not bring complications to the system. According to Miller (2005), Snort signatures can be created to alert when a large number of TXT DNS requests occurs over a short period of time, and also to alert on multiple large DNS requests or a large number of DNS requests going to a single domain. He also suggests that organizations should implement split DNS, where client-side systems cannot resolve external domains and instead web proxies are used to resolve external domains for web browsing. This prevents external DNS requests from exiting the internal network.
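An added example in Python (not Snort rules, and not Miller's code) that implements the three alerting conditions the paragraph attributes to Miller as sliding-window counters over a query stream: a burst of TXT requests from one source, an oversized request, and a flood of requests to a single domain. The thresholds, the window length, the sample log lines and the zone tunnel.example.net are assumptions constructed for this example.

```python
from collections import defaultdict, deque

# Thresholds are assumptions chosen for this example.
TXT_LIMIT = 5          # TXT queries per source within the window
DOMAIN_LIMIT = 8       # queries to one domain within the window
WINDOW_SECONDS = 10
LARGE_QNAME = 100      # characters


class DnsRateMonitor:
    """Sliding-window counters over a stream of (timestamp, src, qname, qtype)."""

    def __init__(self, txt_limit=TXT_LIMIT, domain_limit=DOMAIN_LIMIT,
                 window=WINDOW_SECONDS, large_qname=LARGE_QNAME):
        self.txt_limit = txt_limit
        self.domain_limit = domain_limit
        self.window = window
        self.large_qname = large_qname
        self.txt_by_src = defaultdict(deque)
        self.by_domain = defaultdict(deque)
        self.raised = set()   # alert once per (kind, key) so a flood does not flood the console

    def _push(self, dq, ts):
        """Record a timestamp, drop those older than the window, return the count."""
        dq.append(ts)
        while dq and ts - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def _once(self, kind, key, text):
        if (kind, key) in self.raised:
            return None
        self.raised.add((kind, key))
        return text

    def observe(self, ts, src, qname, qtype):
        """Feed one query; return the alerts it triggers (usually none)."""
        name = qname.rstrip(".").lower()
        domain = ".".join(name.split(".")[-2:])   # assumption: last two labels
        alerts = []
        if len(name) > self.large_qname:
            alerts.append("large_request src=%s len=%d" % (src, len(name)))
        if qtype == "TXT":
            n = self._push(self.txt_by_src[src], ts)
            if n > self.txt_limit:
                alerts.append(self._once("txt", src,
                    "txt_burst src=%s count=%d window=%ds" % (src, n, self.window)))
        n = self._push(self.by_domain[domain], ts)
        if n > self.domain_limit:
            alerts.append(self._once("domain", domain,
                "domain_flood domain=%s count=%d window=%ds" % (domain, n, self.window)))
        return [a for a in alerts if a]


# Constructed sample: two ordinary lookups, twelve TXT queries in a row from
# one client to a placeholder zone, then one oversized TXT query.
SAMPLE_LINES = (
    ["1000 10.0.0.5 www.google.com. A", "1001 10.0.0.7 strathmore.edu. A"]
    + ["%d 10.0.0.9 chunk%02d.tunnel.example.net. TXT" % (1000 + i, i) for i in range(12)]
    + ["1013 10.0.0.9 " + "a" * 60 + "." + "b" * 60 + ".tunnel.example.net. TXT"]
)


def run_monitor(lines):
    """Replay 'epoch src qname qtype' lines and collect every alert raised."""
    mon = DnsRateMonitor()
    alerts = []
    for line in lines:
        ts, src, qname, qtype = line.split()
        alerts.extend(mon.observe(int(ts), src, qname, qtype))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_LINES):
        print(alert)
```

The per-key deduplication mirrors what a Snort threshold does in practice: the first crossing of the limit is what the analyst needs, and repeating the alert for every subsequent packet of the same burst only buries it. In a long-running deployment the raised set would need to expire entries after the window closes; that is left out here to keep the example short.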

Conclusion

DNS tunneling happens to be one of the best covert channels ever designed. It is a very challenging task to stop this traffic, because there is no specific indication that it concerns IP over DNS tunneling. But various solutions have been developed to mitigate the risks and threats arising from DNS tunneling. Given the nature of DNS tunneling, attackers can exploit some of its weaknesses to obtain free internet access on mobile phones. So if organizations do not take the necessary measures to prevent this from happening, they are going to suffer losses and attacks with high risk potential.

References

Beauregard, C. (2013, October 28). DNS Tunneling: Is it a security threat? Retrieved from Neustar: https://www.neustar.biz/blog/dns-tunneling-security-threat
Farnham, G. (2013). Detecting DNS Tunneling. Retrieved from SANS: http://www.sans.org/readingroom/whitepapers/dns/detecting-dns-tunneling-34152
Finux, A. (2011, April 27). DNS tunneling: it's all in the name. Retrieved from Slideshare: www.slideshare.net/bsideslondon/dns-tunneling-its-all-in-the-name
Fruz, A. (2014, March 25). DNS Tunneling. Retrieved from INFOSEC INSTITUTE: http://resources.infosecinstitute.com/dns-tunneling
Marcel. (2012, June 6). Android DNS tunnel: Element53. Retrieved from Marcel's weblog: http://blog.bokhorst.biz/7681/computers-and-internet/android-dns-tunnel-element53
Miller, T. (2005). Reverse DNS Tunneling Staged Loading Shellcode. Retrieved from Black Hat: www.blackhat.com/presentations/bh-usa08/Miller/BH_US_08_Ty_Miller_Reverse_DNS_Tunneling_Shellcode.pdf
Mockapetris, P. (n.d.). Domain Names - Implementation and Specification. Retrieved from IETF: https://www.ietf.org/rfc/rfc1035.txt
Plenz, J. (2006). DNStunnel.de. Retrieved from DNStunnel.de: http://dnstunnel.de