This application relates to the detection of covert DNS tunnels.
In recent years, hackers have increasingly utilized the Domain Name System (DNS) network protocol as a medium for a covert channel. Communications that would otherwise be blocked by network firewalls or other security monitoring systems may readily pass through a network undetected when disguised as DNS traffic. Further, the DNS protocol has significant room for user-defined data and supplementary text fields which may be utilized by a hacker to transmit covert information. Additionally, DNS servers are decentralized, making it easy to set up a DNS server that will function as the receiving end of a covert DNS tunnel.
Some current systems have resorted to computationally intensive algorithms and machine learning techniques to attempt to uncover these covert DNS tunnels with limited success. Other systems have relied on visualization techniques to uncover covert DNS tunnels; however, these implementations require significant human input and analysis.
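A lightweight heuristic of the kind the text contrasts with heavier machine-learning approaches, as an added illustration that is not part of this application: it groups logged query names by base domain and flags domains whose subdomains are numerous, long and high-entropy at once, which is how the "user-defined data" in query labels tends to look. The query names are constructed samples, the thresholds are arbitrary, and the base domain is assumed to be the last two labels (no public-suffix list).

```python
import math
from collections import defaultdict

# Constructed sample of DNS query names, as a resolver log might record them.
# The first group is ordinary browsing; the second mimics the long, random-looking
# labels a tunnel uses to carry data.  Not real traffic.
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "cdn.example.com",
    "static.example.com", "api.example.com",
    "q3x7a9k2m4p8r1t6v0w5y2z4b6d8f0h2.data.example-tunnel.test",
    "j5n1s8u3x6z9c2e5g8i1k4m7o0q3s6u9.data.example-tunnel.test",
    "b8d2f6h0j4l8n2p6r0t4v8x2z6a0c4e8.data.example-tunnel.test",
    "w1y5a9c3e7g1i5k9m3o7q1s5u9w3y7a1.data.example-tunnel.test",
    "r4t8v2x6z0b4d8f2h6j0l4n8p2r6t0v4.data.example-tunnel.test",
]

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_query(qname, base_labels=2):
    """Return (subdomain, base_domain); the base is the last base_labels labels
    (assumption made here instead of consulting a public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def flag_tunnel_candidates(queries, min_unique=4, min_avg_len=24, min_avg_entropy=3.5):
    """Flag base domains whose distinct subdomains are many, long and high-entropy.
    Returns a sorted list of (base, unique_subdomains, avg_len, avg_entropy)."""
    per_base = defaultdict(set)
    for q in queries:
        sub, base = split_query(q)
        per_base[base].add(sub)
    flagged = []
    for base, subs in per_base.items():
        if len(subs) < min_unique:          # too few distinct labels to judge
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged.append((base, len(subs), round(avg_len, 1), round(avg_ent, 2)))
    return sorted(flagged)

if __name__ == "__main__":
    for row in flag_tunnel_candidates(SAMPLE_QUERIES):
        print(row)
```

Legitimate CDNs and some security products also emit long random labels, so a per-domain allowlist is needed before acting on a flag.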