How DNS tunneling works (1)


DNS Tunneling
Mihir Nanavati & Long Zhang
{mihirn, zhlong73}@cs.ubc.ca
April 19th 2010
Abstract
DNS tunnels are network covert channels
that allow the transmission of arbitrary data
using the DNS infrastructure. Users can use
such tunnels to hide their communication
sessions in order to bypass local security and
accounting policies.
What is DNS
• The Domain Name System (DNS) is a
hierarchical naming system.
• It makes it possible to assign domain
names to groups of Internet users in a
meaningful way. (URL vs IP address)
• An authoritative name server is responsible
for each subdomain.
Structure of DNS records
Domain_name Time_to_live Class Type Value
Example:
cs.mit.edu 86400 IN CNAME lcs.mit.edu
sub.example.com IN NS ns.anothernameserver.com
ns.anothernameserver.com IN A 192.0.34.166
TYPE:
SOA, A, MX, NS, CNAME, PTR, HINFO, TXT
Records we care about - A, NS, CNAME.
How DNS tunneling works (1)
How DNS tunneling works (2)
• Tunnel all outgoing traffic through DNS.
• On the DNS side, delegate all requests for a
certain subdomain to another nameserver.
– People who want to look up your IP reach your ISP's
nameserver and are redirected to your own
nameserver, which can then answer the request.
– Something like:
• sub.example.com. IN NS ns.mynameserver.com
• ns.mynameserver.com IN A 192.0.34.166 or
• ns.mynameserver.com IN CNAME dnstunneling.chickenkiller.com
How DNS tunneling works (3)
• The fake name server:
– Parse the DNS queries, reconstruct and
send the HTTP requests, and encapsulate
the HTTP response into DNS packets to
send the response back to the client.
• The client inside the local network:
– Send DNS requests to local DNS server/
ISP’s DNS server.
Problems
• DNS Packet Sizes
– DNS Responses often limited to 512 bytes,
significantly smaller than the size of HTTP
responses.
• Solution
– Fragment the packets and build a
fragmentation and reassembly protocol on
top of the DNS packets in the client and
the server
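Seen from the monitoring side, the delegation and fragmentation described above leave a pattern in resolver logs: many distinct, long, random-looking names under a single zone. The Python detector below is an added example, not part of the original slides; the thresholds, the two-label zone grouping and the sample log are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in Counter(text).values())

def split_name(qname, zone_labels=2):
    # Assumption: the last two labels identify the zone owner. Production
    # code should consult the Public Suffix List instead.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-zone_labels:]), "".join(labels[:-zone_labels])

def suspicious_zones(queries, min_names=10, min_len=30, min_entropy=3.5):
    """Return {zone: stats} for zones whose query names look like carried data."""
    payloads = defaultdict(set)
    for _client, qname in queries:
        zone, payload = split_name(qname)
        if payload:
            payloads[zone].add(payload)
    flagged = {}
    for zone, names in payloads.items():
        avg_len = sum(map(len, names)) / len(names)
        avg_entropy = sum(map(shannon_entropy, names)) / len(names)
        # Fragmentation forces many distinct, long, random-looking names.
        if len(names) >= min_names and avg_len >= min_len and avg_entropy >= min_entropy:
            flagged[zone] = {"unique_names": len(names), "avg_len": avg_len,
                             "avg_entropy": round(avg_entropy, 2)}
    return flagged

def constructed_log():
    """Constructed sample resolver log of (client, query name); not real traffic."""
    log = [("10.0.0.5", name) for name in
           ("www.example.org", "mail.example.org", "cs.mit.edu", "www.example.org")]
    for seq in range(20):
        # Stand-in for one encoded fragment: 25 pseudo-random bytes in base32.
        blob = hashlib.sha256(bytes([seq])).digest()[:25]
        label = f"{seq:02d}" + base64.b32encode(blob).decode().lower()
        log.append(("10.0.0.9", f"{label}.sub.example.com"))
    return log

if __name__ == "__main__":
    for zone, stats in suspicious_zones(constructed_log()).items():
        print(zone, stats)
```

Each of the three conditions alone produces false positives (CDNs and anti-virus lookups also use long generated names), so the thresholds need tuning against a baseline of the local network's normal queries.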
Demo Time
• Proof of Concept:
– A client, server architecture for internet
access.
– Client sends HTTP Requests to a proxy
server which encapsulates them into DNS
queries
– Forwarded to name server, which
encapsulates HTTP Response in a DNS
packet
• Some attempts on real DNS Tunneling
Future Work
• Bypass ubc (UBC’s unsecured network)
using DNS tunneling to obtain Internet
access without CWL credentials.
• Potential Issues
– Network may be set up to drop multiple
responses to a single DNS query
– Local DNS server may be set up to not
forward queries beyond its local cache
Thanks!
Questions?