DNS (Domain Name System) is the protocol which is composed of hierarchical and dynamic database and it provides us IP addresses, text records, mail exchange information (MX records), name server information (NS records).The Domain name system protocol concepts, facilities, specification and implementation were defined in RFC 882 and RFC 883. These RFCs were made obsolete by RFC 1034 and RFC 1035 and have been updated by multiple RFCs over the time. (i.e. RFCs 1101, 1183, 1348, 1876, 1982, 2065, 2181, 2308, 2535, 4033, 4034, 4035,4343, 4035, 4592, 5936)
Today, I am going to talk about detecting misuse of DNS protocol, is called as DNS tunneling. In most of the companies and topologies users can access local DNS servers which is capable of performing recursive queries to Root Name Servers. With aid of this tunneling method, another protocol can be tunneled through DNS. A DNS tunnel can be used for ‘command and control‘, data exfiltration or tunneling of any IP protocol traffic. Further more, it is easy to bypass payment canceled Internet services that allow DNS requests but not other traffic until payment is made.
There are several DNS tunneling tools using different record types and encoding methods. Some of them are Iodine, OzymanDNS, dns2tcp and so on.
On lab enviroment, I try to analyze the tool IODINE (Ip Over DNS Is Now Easy ), that has ability to detect the best possible query type and encoding methods. And, I realize that Intel Security product McAfee NSM with default signature set can not even detect the misuse. To prevent this violation, I wrote some custom signatures based on my observations.
Picture1 – Iodine Help Section
To analyze the behaviour of Iodine, I investigated every query type one by one.
Picture2 – Packet Capture of Iodine NULL Queries
You can find the signatures below for other types of DNS queries. But, it is very important to specify count and time variables with respect to your DNS traffic volume.
Picture3 – Real Time Alert Outputs of McAfee Network Security Manager
Finally, On McAfee NSM you are going to see the following alerts.
In default, Snort signatures are going to be disabled. You should enable blocking on the signatures after specifiying tresholds.
unfortunately , I think the rules is not valid 100% , I have created the rules to detect traffic passing through our sensors ,but almost the most of the traffic hitting the rules , please advice and provide us with you experiments ?
It is pretty low count and seconds values written in the sample signatures.
You need to adjust your "count" and "seconds" parameters with respect to your daily dns traffic volume (Y)