DNS Tunneling

1 What is DNS?

Domain Name System
The Domain Name System (DNS) is used to resolve human-readable hostnames into machine-readable IP addresses.

2 How Does DNS Work?

How Does DNS Work?
When you visit a domain such as "facebook.com", your computer follows a series of steps to turn the human-readable web address into a machine-readable IP address.

Request to a local DNS server

From local DNS to a root DNS server

From root DNS to a TLD DNS server

From TLD to Authoritative DNS server

DNS has a POWERFUL Passport!

3 The Concept of DNS Tunneling

DNS Tunneling
  • DNS tunneling is the ability to tunnel another protocol through DNS.
  • DNS tunneling can be used for:
      - Command and Control.
      - Data exfiltration.
      - Tunneling any IP traffic.

Tunnel Components
  • A controlled domain or subdomain.
  • A server on which to install the DNS tunneling software.
  • A client-side component.
  • Data encoded in the DNS payload. Some of the encoding techniques:
      - Base32 encoding.
      - Base64 encoding.

Request to a local DNS server
The PC encodes the message in a DNS payload.

From local DNS to a root DNS server

From root DNS to a TLD DNS server

From TLD to Authoritative DNS server
The authoritative DNS server decodes the message and sends the actual request to the Internet.

From Authoritative DNS server to the Internet

From Authoritative DNS server to the DNS Client
The authoritative DNS server encodes the message and sends it as a DNS reply.

Decodes the Message
The PC decodes the message that is inside the DNS reply.

4 Detecting DNS Tunneling

Frequency of DNS Requests
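
Added example, not part of the original slides: a detector that applies the request-frequency idea above together with the Base32/Base64 encoding noted under Tunnel Components. It treats the log as one time window; the log format, the thresholds, the two-label parent-domain rule and all names are assumptions, and the sample queries are constructed.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def build_sample_log():
    """Constructed (client_ip, query_name) pairs for one time window; not real traffic."""
    log = [("10.0.0.5", "www.example.com")] * 6 + [("10.0.0.5", "mail.example.com")] * 4
    for i in range(8):
        # Stand-in for Base32-encoded tunnel data: one unique, random-looking label per query.
        raw = hashlib.sha256(b"constructed-%d" % i).digest()
        label = base64.b32encode(raw).decode().rstrip("=").lower()
        log.append(("10.0.0.9", label + ".t.tunnel.example"))
    return log

def parent_domain(qname, keep=2):
    """Assumption: the last two labels are the registered domain (no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-keep:])

def entropy(text):
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def find_tunnel_candidates(log, min_queries=5, min_unique=0.9, min_len=20, min_entropy=3.0):
    """Flag (client, parent domain) pairs with many unique, long, high-entropy subdomains."""
    groups = defaultdict(list)
    for client, qname in log:
        parent = parent_domain(qname)
        name = qname.rstrip(".").lower()
        groups[(client, parent)].append(name[: -len(parent)].rstrip("."))
    flagged = {}
    for key, subs in groups.items():
        unique_ratio = len(set(subs)) / len(subs)
        avg_len = sum(map(len, subs)) / len(subs)
        avg_entropy = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        if (len(subs) >= min_queries and unique_ratio >= min_unique
                and avg_len >= min_len and avg_entropy >= min_entropy):
            flagged[key] = {"queries": len(subs), "unique_ratio": unique_ratio,
                            "avg_len": avg_len, "avg_entropy": round(avg_entropy, 2)}
    return flagged

if __name__ == "__main__":
    for (client, domain), stats in find_tunnel_candidates(build_sample_log()).items():
        print(client, domain, stats)
```

Ordinary browsing repeats a small set of short hostnames, so the 10.0.0.5 client stays below every threshold even though it sends more queries than the flagged client.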

5 Existing DNS Tunneling Tools

DNS Tunneling Tools
  • SlowDNS.
  • Iodine.
  • OzymanDNS.
  • Heyoka.
  • DNScat (DNScat-B).

Demo using SlowDNS
An application that tunnels your data over a DNS tunnel. Android app on Google Play.

Any Questions?