The Domain Name System (DNS) is a hierarchical distributed naming system for devices connected to the Internet or a private network. The DNS translates easily memorized domain names to the numerical IP addresses needed to locate devices. For example, the domain name www.example.com translates to the addresses 93.184.216.119 (IPv4) and 2606:2800:220:6d:26bf:1447:1079:aa7 (IPv6).
A domain name comprises one or more parts, called labels, which are concatenated and delimited by dots. For the domain www.example.com, the right-most label expresses the top-level domain; in this case the top-level domain is “com”. The hierarchy moves from right to left. Each label to the left specifies a subdomain of the domain to the right. Relying upon the same example, the label “example” is a subdomain of the “com” domain, while “www” is a subdomain of “example.com”. Subdomains may have up to 127 levels.
The DNS may be used for nefarious purposes. Consider network 100. An attack machine 101 operates as a command and control center for an exploit. In particular, the attack machine 101 uses network 102 to access a set of compromised machines 104_1, 104_2 through 104_N. Machine 104_N resides in a local network infrastructure 106 (e.g., an Internet Service Provider or ISP). An open resolver 107 and name server 108 also reside in the network 106. Network 106 is connected to another network 110, which is coupled to a target name server 112, which is an authoritative name server. The authoritative name server 112 is responsible for supported domains. The authoritative name server 112 may delegate authority over subdomains to other name servers, such as recursive name server 108.
Attack machine 101 and/or one or more of the compromised machines 104 may form a DNS tunnel. That is, the DNS protocol is used to tunnel other protocols, such as the Hypertext Transfer Protocol (HTTP) or the Secure Sockets Layer (SSL) protocol. The same machines may be used for data exfiltration, which is data leakage, such as file transfers using DNS. These are common techniques to get around paid WiFi hotspots or to gain access to resources while bypassing other methods of network protection. The DNS is a convenient protocol for doing this since the design of the DNS requires that a DNS resolver infrastructure attempt to find information about a given domain by contacting the Authoritative server on the Internet if the result isn't already cached locally. This means that DNS requests can be crafted in such a way as to force cache misses that result in a connection to a specific server.
DNS tunneling and exfiltration techniques take advantage of these architectural constructs by crafting unique subdomains and resource record (RR) responses. DNS tunneling systems typically encode the outgoing payload (e.g., in base 32) as a subdomain sent to a tunneling server that is masquerading as an Authoritative server. The response from the server is typically encoded (e.g., base 32) into the RR. Typically TXT or CNAME records are used to carry the payload back to the client, and session data is packed into the payload. Other records may also be exploited. There are a number of client/server systems available for DNS tunneling that facilitate this functionality.
Similarly, data exfiltration packs the payload into an encoded subdomain. In contrast to tunneling, the response is typically very small and used to maintain session or receipt notification. Since the DNS uses the User Datagram Protocol (UDP) it can be lossy; the response typically indicates success receiving the last packet of data.
Data infiltration can be achieved using similar techniques where the payload is encoded in an RR response and the response in the subdomain is merely session data.
In view of the foregoing, it would be desirable to establish techniques for identifying DNS tunneling, exfiltration and infiltration.
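The following is an added example, not part of the original document, showing one way a resolver or ISP operator could identify the query patterns described above: it splits a query name into labels and walks the right-to-left hierarchy (as in the www.example.com discussion), then looks, in the subdomain portion only, for long labels drawn entirely from the base 32 alphabet with high character entropy, aggregating hits per registered domain. The sample log lines, the thresholds (MIN_ENCODED_LABEL, MIN_ENTROPY, min_encoded) and the two-label approximation of a "registered domain" are all assumptions made for this illustration; a production system would use a public-suffix list and tuned thresholds.

```python
"""Toy detector for base-32-encoded DNS subdomains (tunneling / exfiltration).

Added illustration; the log lines, thresholds and helper names below are
constructed assumptions, not the document's own data or method.
"""
import math
from collections import defaultdict

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")
MAX_LABELS = 127          # maximum hierarchy depth mentioned in the text
MIN_ENCODED_LABEL = 20    # assumed: base-32-looking labels at least this long are suspicious
MIN_ENTROPY = 3.0         # assumed: bits per character below which a label is treated as plain text
TUNNEL_RR_TYPES = {"TXT", "CNAME", "NULL"}   # record types that can carry a large response payload

# Constructed sample query log: "<client_ip> <qname> <qtype>". The three long
# labels under tun.example.net stand in for base-32-encoded payload chunks.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 _dmarc.example.com TXT
10.0.0.7 onswizsdgeydcnbygq3dqnbvgy2dcmrq.tun.example.net TXT
10.0.0.7 mrsweyltfnzsgk3tfnrxu6ylfmnwwc3ti.tun.example.net TXT
10.0.0.7 gezdgnbvgy3tqojqgezdgnbvgy3tqojq.tun.example.net CNAME
10.0.0.9 static-content-server.example.org A
"""


def split_labels(name):
    """Return labels left to right: 'www.example.com' -> ['www', 'example', 'com']."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    if len(labels) > MAX_LABELS:
        raise ValueError("too many labels: %d" % len(labels))
    return labels


def hierarchy(name):
    """Walk the tree right to left: ['com', 'example.com', 'www.example.com']."""
    labels = split_labels(name)
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def registered_domain(name, depth=2):
    """Approximate the zone an operator controls as the right-most `depth` labels.
    Assumed simplification; real deployments consult a public-suffix list."""
    return ".".join(split_labels(name)[-depth:])


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(label):
    """True when a label is long, uses only the base 32 alphabet and is high-entropy."""
    return (len(label) >= MIN_ENCODED_LABEL
            and set(label) <= BASE32_ALPHABET
            and shannon_entropy(label) >= MIN_ENTROPY)


def analyze(log_text):
    """Per registered domain: query count, encoded-label hits, payload size, RR types seen."""
    stats = defaultdict(lambda: {"queries": 0, "encoded": 0,
                                 "payload_chars": 0, "rr_types": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qname, qtype = line.split()
        labels = split_labels(qname)
        entry = stats[registered_domain(qname)]
        entry["queries"] += 1
        entry["rr_types"].add(qtype.upper())
        # Only the subdomain part (everything left of the registered domain)
        # is under the querying client's control and can carry a payload.
        for label in labels[:-2]:
            if looks_encoded(label):
                entry["encoded"] += 1
                entry["payload_chars"] += len(label)
    return stats


def suspicious_domains(log_text, min_encoded=2):
    """Registered domains with at least `min_encoded` encoded-looking labels."""
    return sorted(base for base, s in analyze(log_text).items()
                  if s["encoded"] >= min_encoded)


def verdict(entry):
    """Heuristic on the document's distinction: TXT/CNAME responses suggest a
    two-way tunnel; encoded queries with small-answer types look like exfiltration."""
    if entry["encoded"] == 0:
        return "benign"
    return "tunnel" if entry["rr_types"] & TUNNEL_RR_TYPES else "exfiltration"


if __name__ == "__main__":
    for base, entry in analyze(SAMPLE_LOG).items():
        print(base, verdict(entry), entry["encoded"], entry["payload_chars"])
```

Running the block over the constructed log flags only example.net (three encoded labels, TXT and CNAME queries, hence "tunnel"), while the ordinary A, MX and _dmarc TXT lookups under example.com and example.org are left alone; the per-domain payload_chars counter is the quantity an operator would trend over time, since a tunnel's outgoing volume shows up as steadily growing subdomain bytes to one zone.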