Showing results for 
Search instead for 
Did you mean: 
Level 7

Detecting and Blocking DNS Tunelling with Custom Signatures

DNS (Domain Name System) is the protocol which is composed of hierarchical and dynamic database and it provides us IP addresses, text records, mail exchange information (MX records), name server information (NS records).The Domain name system protocol concepts, facilities, specification and implementation were defined in RFC 882 and RFC 883. These RFCs were made obsolete by RFC 1034 and RFC 1035 and have been updated by multiple RFCs over the time. (i.e. RFCs 1101, 1183, 1348, 1876, 1982, 2065, 2181, 2308, 2535, 4033, 4034, 4035,4343, 4035, 4592, 5936)

Today, I am going to talk about detecting misuse of DNS protocol, is called as DNS tunneling. In most of the companies and topologies users can access local DNS servers which is capable of performing recursive queries to Root Name Servers. With aid of this tunneling method, another protocol can be tunneled through DNS. A DNS tunnel can be used for ‘command and control‘, data exfiltration or tunneling of any IP protocol traffic. Further more, it is easy to bypass payment canceled Internet services that allow DNS requests but not other traffic until payment is made.

There are several DNS tunneling tools using different record types and encoding methods. Some of them are Iodine, OzymanDNS, dns2tcp and so on.

On lab enviroment, I try to analyze  the tool IODINE (Ip Over DNS Is Now Easy ), that has ability to detect the best possible query type and encoding methods.  And, I realize that Intel Security product McAfee NSM with default signature set can not even detect the misuse. To prevent this violation, I wrote some custom signatures based on my observations.

  • Firstly, It can be verified from the help  that Iodine can use seven different queries and four different encoding types.


Picture1 – Iodine Help Section 

To analyze the behaviour of Iodine, I investigated every query type one by one.

  • In this document, I am going to analyze only Null type queries. Null type is not common DNS traffic and is indicative of DNS tunneling. Specifying a treshold could help us to block it.


Picture2 – Packet Capture of Iodine NULL Queries

  • The custom signatures I wrote means that;
    • Start looking for  the pattern “01 00”  after 2 bytes  and  within 4 bytes depth of the payload . This pattern points the packet that contains recursive query.
    • And, start looking for  the pattern “00 00 0a 00 01”  after 12 bytes and within 255 bytes depth of the payload . This pattern points the packet that contains NULL type query.
    • If two conditions occur 10 times in 5 seconds from the same source IP, generate an alert.
Signature to detect Null type DNS Tunnelling

You can find the signatures below for other types of DNS queries. But, it is very important to specify count and time variables with respect to your DNS traffic volume.


Signature to detect TXT type DNS Tunnelling

Signature to detect CNAME type DNS Tunnelling

Signature to detect SRV type DNSTunnelling

Signature to detect MX type DNSTunnelling


Picture3 – Real Time Alert Outputs of McAfee Network Security Manager

Finally, On McAfee NSM you are going to see the following alerts.

In default, Snort signatures are going to be disabled. You should enable blocking on the signatures after specifiying tresholds.

Best Regards.

0 Kudos
3 Replies
Level 9

Re: Detecting and Blocking DNS Tunelling with Custom Signatures

Great article thanks for sharing

0 Kudos

Re: Detecting and Blocking DNS Tunelling with Custom Signatures

Dears ,

unfortunately , I think the rules is not valid 100% , I have created the rules to detect traffic passing through our sensors ,but almost the most of the traffic hitting the rules , please advice and provide us with you experiments ?

0 Kudos
Level 7

Re: Detecting and Blocking DNS Tunelling with Custom Signatures


It is pretty low count and seconds values written in the sample signatures.

You need to adjust your  "count" and "seconds" parameters with respect to your daily dns traffic volume (Y)

0 Kudos