Deep understanding of DNS tunnel communication in practical scenarios

Preface

Recently, we analysed in depth how attackers use Domain Name System (DNS) tunneling in the wild. DNS tunneling lets an attacker bypass many of the security controls in an organization's network, because most organizations police DNS traffic far less strictly than other protocols. Previous research has also shown that malware campaigns such as SUNBURST and OilRig used DNS tunneling for remote command and control (C2).

However, many details of how attackers use DNS tunneling in the wild remain unknown. For example, do they use DNS tunneling only for C2? How do they implement and host the infrastructure? Can we detect malicious activity by capturing and monitoring DNS tunneling traffic?

In this post, we analyse several aspects of the DNS tunneling techniques that attackers use in the wild.

DNS Tunneling Basics

What is DNS Tunneling?

DNS tunneling is a technique that encodes data for non-DNS programs and protocols in DNS queries and responses. This allows various types of traffic to be forwarded over the DNS protocol, including file transfers, C2, and web traffic.

Why perform DNS tunneling

DNS normally runs over UDP port 53, which is open on most clients, servers, and firewalls so that DNS queries can pass. DNS is a fundamental component of the Internet: web browsing, email, automatic host discovery, load balancing, and security review and monitoring services all depend on it.

Because DNS is so critical, most organizations apply relatively lax security policies to DNS traffic, and many attackers therefore choose the DNS protocol to tunnel C2 communication and to retrieve malware payloads.

Many malware campaigns, including SUNBURST, OilRig, xHunt, and DarkHydrus, have used DNS tunneling. Permissive DNS policies give attackers a path to the Internet, and the large volume of benign DNS traffic is natural cover in which to hide their activity.

How to perform DNS tunneling

DNS tunneling needs two components: a client and a server. The client encodes outbound data into DNS queries, sends them toward the Internet (normally through the local recursive resolver), and decodes inbound data from the DNS responses. The server is the authoritative name server for the tunnel domain: it receives the queries forwarded by recursive resolvers, decodes the data carried in them, and encodes its own data into the DNS responses.

The following figure illustrates a DNS tunneling exchange:

In the diagram, the client first encodes the sensitive data as a subdomain $secret and issues a DNS query for $secret.badsite[.]com. The recursive resolver then walks the delegation chain, querying the name servers at each level of the hierarchy, until it receives an authoritative answer. The server component (the name server) can likewise encode a malicious payload as a subdomain $payload and return it in the DNS response, here as a CNAME record that points $secret.badsite[.]com at $payload.bs[.]com.

Rather than sending the raw data, tunnels usually encode it and split it into fragments before embedding it in queries. The encoding scheme is arbitrary: anyone can devise one, as long as the client and server agree on it.

There are also many readily available DNS tunneling tools, many of them open source, such as iodine, DNSStager, dnscat2, sliver, and Cobalt Strike. These tools encode messages into the subdomains of DNS queries and into various DNS response record types, such as A (IPv4 address), AAAA (IPv6 address), TXT, CNAME, and MX.
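The query and response shown in the diagram, and the record types listed above, are what a passive DNS monitor has to decode before any detection logic can run. The following Python is an added example, not code from the original article or from any of the tools named: a minimal RFC 1035 wire-format parser that pulls the question name and the A, AAAA, CNAME, MX and TXT answers out of a raw response, including names packed with compression pointers. The sample message is constructed in the code itself (using the reserved .example names and the documentation address 192.0.2.10) to mirror the CNAME exchange in the diagram; it is not captured traffic.

```python
# Added example (not part of the original article): a minimal parser for the DNS wire
# format (RFC 1035) that a passive monitor can use to pull the query name and the
# answer records out of a raw response. The sample message is constructed inline and
# mirrors the exchange in the diagram above; it is not captured traffic.
import struct

# Record type numbers from RFC 1035 and RFC 3596.
TYPE_NAMES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name starting at offset.

    Returns (name, offset_after_name). Compression pointers (RFC 1035 section 4.1.4)
    are followed, with a hop limit so a malformed message cannot loop forever."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2           # the caller resumes right after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                    # the root label terminates the name
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_rdata(msg: bytes, rtype: int, off: int, rdlength: int) -> str:
    """Render the RDATA of the record types the article mentions as text."""
    rdata = msg[off:off + rdlength]
    if rtype == 1:                                     # A: 4 raw bytes
        return ".".join(str(b) for b in rdata)
    if rtype == 28:                                    # AAAA: 16 raw bytes
        return ":".join(f"{rdata[i] << 8 | rdata[i + 1]:x}" for i in range(0, 16, 2))
    if rtype == 5:                                     # CNAME: a (possibly compressed) name
        return read_name(msg, off)[0]
    if rtype == 15:                                    # MX: 16-bit preference, then a name
        return read_name(msg, off + 2)[0]
    if rtype == 16:                                    # TXT: one or more <len><chars> strings
        parts, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
        return "".join(parts)
    return rdata.hex()


def parse_response(msg: bytes) -> dict:
    """Return the question name/type and a list of (owner, type, value) answers.
    Assumes one question per message, which is what resolvers send in practice."""
    tid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    off = 12
    qname, off = read_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), parse_rdata(msg, rtype, off, rdlength)))
        off += rdlength
    return {"id": tid, "qname": qname, "qtype": TYPE_NAMES.get(qtype, str(qtype)), "answers": answers}


def encode_name(name: str) -> bytes:
    """Uncompressed wire encoding of a name: <len><label>... terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_sample_response() -> bytes:
    """Construct (not capture) a response like the one in the diagram: the query for
    secret.badsite.example is answered with CNAME payload.bs.example plus an A record
    for that target. The .example names and 192.0.2.10 are documentation values."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)   # standard response, 1 question, 2 answers
    question = encode_name("secret.badsite.example") + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    target = encode_name("payload.bs.example")
    qname_ptr = struct.pack("!H", 0xC000 | 12)               # pointer back to the question name
    cname = qname_ptr + struct.pack("!HHIH", 5, 1, 60, len(target)) + target
    target_off = len(header) + len(question) + 2 + 10         # where `target` starts in the message
    a_rec = struct.pack("!H", 0xC000 | target_off) + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
    return header + question + cname + a_rec


if __name__ == "__main__":
    print(parse_response(build_sample_response()))
```

Feeding real responses (for example, the UDP payloads from a port 53 packet capture) through parse_response gives a monitor the query name for per-name analysis and the answer payloads whose type and size show how much data flows back toward the client.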

Applying DNS tunneling to C2

C2 is the most common use of DNS tunneling. Domains that belong to the same campaign often share characteristics, such as the name servers that carry the communication (which serve as the C2 servers) or the same common tunneling tool used for encoding and decoding.

The first example is a campaign targeting an organization in the financial sector, in which we observed 22 tunnel domains communicating with the same target user.

These domains shared seven name server IP addresses and used the same underlying encoding tool. The attackers even registered look-alike domains imitating well-known security and cloud providers in an attempt to evade detection.

These domains include:

panos[.]ltd

ciscocloud[.]space

ubrella[.]online

msft[.]center

mscd[.]store

awsl[.]site

We have listed these domains with their example queries, nameserver domains, and nameserver IPs in the table below:

panos[.]ltd
  Query example: 10.eff89fcf44a13186ad3765f35860ce19c722c4bcda6bbbae6b7bab6025b36d0.d036b5a3fd8b67e55ee35feff7d014fdb8d32afe93d5d6f05f1dda3a096e8fa.2e10d53e935549b3a081982724c3e6f806.oak.panos[.]ltd
  Name server: bur.panos[.]ltd
  Name server IP: 34.92.43[.]140

ciscocloud[.]space
  Query example: 10.a6674ae5d37cab7263074adef14925ef28698896b8491276097a470beca325a.669f12d4b31e9a6707ce2ee5b595cb723f40ea6d8e5f406b8fba874c8bec632.3299de58f43c3e4be80a7d7db2a2ed5aee9e13bac9cb.habit.ciscocloud[.]space
  Name server: bram.ciscocloud[.]space
  Name server IP: 34.92.43[.]140

ubrella[.]online
  Query example: 8.d4fee8aa63e4ee6435452f86e84464168e96e314eb1a19c45e0e76f3ca71b2a.e9476062765ba0aeaeea97333805f09470ff3bd103e3ce8bd3ffefa3dfea90f.369cd352a204e9662db180407f1d1b8fa87be97c81d1.feign.ubrella[.]online
  Name server: rumor.ubrella[.]online
  Name server IP: 34.92.43[.]140

mscd[.]store
  Query example: 4.a6gpmbnqbjewgwnqnlivwhleux4vnnyiuduyqgjkyn9jcihsttpdbdenf7lx8jx.jqhdulrejthsyipzvoleyvhv5s99nydtj5um8bzdmdms9gwdqnq46yis5hvbryo.dernuvjw7a6p6ndq4c8lwomsl7zq5lncgsutndxfpaufefhr7xxeuhfpk8hs.sny7htmpdpqdcumtgrmeptytbe9p78skry64.17328.fish.mscd[.]store
  Name server: rug.mscd[.]store
  Name server IP: 35.194.255[.]111

awsl[.]site
  Query example: 1.758fcd0ac2301084ef82efb047050ff5e7d45b4cd636b46e4292b67acac5ab0.a1644dfde400b8d41e7b6ec37338c45d34a8e9ed81173e8dffdf57ebb3c9e30.9fc12877d608dfca610d50a121acbd30b2450391c13a.mud.awsl[.]site
  Name server: lkas.awsl[.]site
  Name server IP: 35.194.255[.]111

msft[.]center
  Query example: 10.c5f310abb43603a3af324ee92bea16c8132ec2909fbca8d1036fe409d33af9b.c8c30e936bffb9f93bcba2c27682dcca1ab79aced6d1cf015a11d56a9c2f9f5.c49d8757a19b693d78d1772977cbf164e2748b57bb9f.ud.msft[.]center
  Name server: 08e099da.msft[.]center
  Name server IP: 34.81.65[.]4

Our second example is a campaign targeting another customer in the financial industry. We found three tunnel domains that all pointed to the same customer and used the same underlying tunneling tool, Cobalt Strike. A telltale characteristic of Cobalt Strike is its use of common prefixes such as www, post, and api in the query names.

The three domains are identity-mgmt[.]com, internalsupport[.]info, and cloud-enrollment[.]com. Below are the corresponding query samples, name servers, and IP addresses:

cloud-enrollment[.]com
  Query example: api.12abc2cb5.446f35fa.dns.cloud-enrollment[.]com
  Name server: ns1.cloud-enrollment[.]com
  Name server IP: 3.238.113[.]212

identity-mgmt[.]com
  Query example: intact.md.180.02d8f18d2.7e8986be.int.identity-mgmt[.]com
  Name server: ns1.cloud-enrollment[.]com
  Name server IP: 3.238.113[.]212

internalsupport[.]info
  Query example: icr.0325e18d8.16ae9fb2.pl.internalsupport[.]info
  Name server: dn.internalsupport[.]info
  Name server IP: 3.238.244[.]129
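The nine query examples in the two campaign tables share structural traits that a log pipeline can measure: very long subdomains, many labels, labels at or near the 63-byte limit, hex-like labels, high character entropy, and (for Cobalt Strike) the www/post/api prefixes. The following Python is an added example, not code from the article or from the underlying Unit 42 research, that scores query names on those traits and runs over the tables' queries alongside a few constructed benign names. The thresholds, the alert score, and the rule that the registered domain is the last two labels are assumptions chosen for illustration; production code should derive the registered domain from the public suffix list and tune the thresholds against its own benign baseline.

```python
# Added example (not part of the original article or the Unit 42 research it draws on):
# a heuristic scorer that turns the structural traits visible in the query tables above
# (very long subdomains, many labels, labels near the 63-byte limit, hex-looking labels,
# high character entropy, and the www/post/api prefixes noted for Cobalt Strike) into a
# per-name score that a log pipeline can alert on. All thresholds are assumptions.
import math
from collections import Counter

# Assumed thresholds; tune them against a baseline of your own benign query logs.
MIN_SUBDOMAIN_LEN = 60     # bytes of subdomain text, dots included
MIN_LABELS = 4             # labels to the left of the registered domain
MIN_MAX_LABEL = 40         # 63 bytes is the protocol maximum for one label
MIN_ENTROPY = 3.5          # bits per character of the subdomain text
TOOL_PREFIXES = {"www", "post", "api"}   # prefixes the article associates with Cobalt Strike
ALERT_SCORE = 3            # number of indicators that triggers an alert
HEX = set("0123456789abcdef")


def refang(name: str) -> str:
    """Turn the defanged report form (badsite[.]com) back into a real name."""
    return name.replace("[.]", ".").lower().rstrip(".")


def split_registered(name: str):
    """Return (subdomain labels, registered domain). Assumption: the registered domain is
    the last two labels; production code should consult the public suffix list instead."""
    labels = refang(name).split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def shannon_entropy(text: str) -> float:
    """Bits per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def features(name: str) -> dict:
    """Structural features of one query name, relative to its registered domain."""
    sub, registered = split_registered(name)
    subdomain = ".".join(sub)
    return {
        "registered_domain": registered,
        "subdomain_len": len(subdomain),
        "label_count": len(sub),
        "max_label_len": max((len(label) for label in sub), default=0),
        "has_hex_label": any(len(label) >= 8 and set(label) <= HEX for label in sub),
        "entropy": shannon_entropy("".join(sub)),
        "tool_prefix": bool(sub) and sub[0] in TOOL_PREFIXES,
    }


def score(name: str) -> int:
    """Count how many tunnel indicators the name satisfies (0 to 6)."""
    f = features(name)
    return sum([
        f["subdomain_len"] >= MIN_SUBDOMAIN_LEN,
        f["label_count"] >= MIN_LABELS,
        f["max_label_len"] >= MIN_MAX_LABEL,
        f["has_hex_label"],
        f["entropy"] >= MIN_ENTROPY,
        f["tool_prefix"],
    ])


def flag_suspicious(names):
    """Return (name, score) for every name whose score reaches ALERT_SCORE."""
    return [(n, score(n)) for n in names if score(n) >= ALERT_SCORE]


# The query examples from the article's two campaign tables, defanged as printed there.
CAMPAIGN_QUERIES = [
    "10.eff89fcf44a13186ad3765f35860ce19c722c4bcda6bbbae6b7bab6025b36d0.d036b5a3fd8b67e55ee35feff7d014fdb8d32afe93d5d6f05f1dda3a096e8fa.2e10d53e935549b3a081982724c3e6f806.oak.panos[.]ltd",
    "10.a6674ae5d37cab7263074adef14925ef28698896b8491276097a470beca325a.669f12d4b31e9a6707ce2ee5b595cb723f40ea6d8e5f406b8fba874c8bec632.3299de58f43c3e4be80a7d7db2a2ed5aee9e13bac9cb.habit.ciscocloud[.]space",
    "8.d4fee8aa63e4ee6435452f86e84464168e96e314eb1a19c45e0e76f3ca71b2a.e9476062765ba0aeaeea97333805f09470ff3bd103e3ce8bd3ffefa3dfea90f.369cd352a204e9662db180407f1d1b8fa87be97c81d1.feign.ubrella[.]online",
    "4.a6gpmbnqbjewgwnqnlivwhleux4vnnyiuduyqgjkyn9jcihsttpdbdenf7lx8jx.jqhdulrejthsyipzvoleyvhv5s99nydtj5um8bzdmdms9gwdqnq46yis5hvbryo.dernuvjw7a6p6ndq4c8lwomsl7zq5lncgsutndxfpaufefhr7xxeuhfpk8hs.sny7htmpdpqdcumtgrmeptytbe9p78skry64.17328.fish.mscd[.]store",
    "1.758fcd0ac2301084ef82efb047050ff5e7d45b4cd636b46e4292b67acac5ab0.a1644dfde400b8d41e7b6ec37338c45d34a8e9ed81173e8dffdf57ebb3c9e30.9fc12877d608dfca610d50a121acbd30b2450391c13a.mud.awsl[.]site",
    "10.c5f310abb43603a3af324ee92bea16c8132ec2909fbca8d1036fe409d33af9b.c8c30e936bffb9f93bcba2c27682dcca1ab79aced6d1cf015a11d56a9c2f9f5.c49d8757a19b693d78d1772977cbf164e2748b57bb9f.ud.msft[.]center",
    "api.12abc2cb5.446f35fa.dns.cloud-enrollment[.]com",
    "intact.md.180.02d8f18d2.7e8986be.int.identity-mgmt[.]com",
    "icr.0325e18d8.16ae9fb2.pl.internalsupport[.]info",
]

# Constructed benign names for comparison; not from the article.
BENIGN_QUERIES = ["www.example.com", "mail.example.org",
                  "static.assets.example.net", "img01.static.example.net"]

if __name__ == "__main__":
    for name, s in flag_suspicious(CAMPAIGN_QUERIES + BENIGN_QUERIES):
        print(f"{s}/6  {features(name)['registered_domain']}  {name[:60]}...")
```

Running the script prints each flagged name with its score: every campaign query reaches the alert score, while the constructed benign names do not. A single name is only a weak signal on its own; the stronger one is the stream of unique, high-scoring subdomains that a tunnel generates under one registered domain, so counting distinct flagged names per registered domain and per client over a time window is the natural next step.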

Summary

More and more cybercrime groups are applying DNS tunnel communication in a variety of settings, including C2 servers and VPN services. For defenders, it is therefore important to understand how DNS tunneling is used in the wild. Only by understanding the underlying tools and the related campaigns can we analyse DNS tunnel communication at a fine-grained level and respond quickly to security incidents.

Indicators of Compromise (IoCs)

Domain names

panos[.]ltd

ciscocloud[.]space

ubrella[.]online

mscd[.]store

awsl[.]site

msft[.]center

cloud-enrollment[.]com

identity-mgmt[.]com

internalsupport[.]info

claudfront[.]net

allowlisted[.]net

hsdps[.]cc

rcsmf100[.]net

hammercdntech[.]com

IP addresses

34.92.43[.]140

35.194.255[.]111

34.81.65[.]4

3.238.113[.]212

3.238.244[.]129

5.252.176[.]63

83.166.240[.]52

5.252.176[.]22

194.31.55[.]85

65.20.73[.]176

Other References

https://unit42.paloaltonetworks.com/tag/dns-tunneling/

https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/

https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

https://www.bamsoftware.com/software/dnstt/

https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/

https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/

https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/

References

https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild/

Author of this article: FreddyLu666, please indicate that it is from FreeBuf.COM when reprinting
