cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
alibay
alibay
Level 7
Report Inappropriate Content
Message 1 of 4
‎12-23-2015 05:11 AM

Detecting and Blocking DNS Tunelling with Custom Signatures

DNS (Domain Name System) is the protocol which is composed of hierarchical and dynamic database and it provides us IP addresses, text records, mail exchange information (MX records), name server information (NS records).The Domain name system protocol concepts, facilities, specification and implementation were defined in RFC 882 and RFC 883. These RFCs were made obsolete by RFC 1034 and RFC 1035 and have been updated by multiple RFCs over the time. (i.e. RFCs 1101, 1183, 1348, 1876, 1982, 2065, 2181, 2308, 2535, 4033, 4034, 4035,4343, 4035, 4592, 5936)

Today, I am going to talk about detecting misuse of DNS protocol, is called as DNS tunneling. In most of the companies and topologies users can access local DNS servers which is capable of performing recursive queries to Root Name Servers. With aid of this tunneling method, another protocol can be tunneled through DNS. A DNS tunnel can be used for ‘command and control‘, data exfiltration or tunneling of any IP protocol traffic. Further more, it is easy to bypass payment canceled Internet services that allow DNS requests but not other traffic until payment is made.

There are several DNS tunneling tools using different record types and encoding methods. Some of them are Iodine, OzymanDNS, dns2tcp and so on.

On lab enviroment, I try to analyze  the tool IODINE (Ip Over DNS Is Now Easy ), that has ability to detect the best possible query type and encoding methods.  And, I realize that Intel Security product McAfee NSM with default signature set can not even detect the misuse. To prevent this violation, I wrote some custom signatures based on my observations.

  • Firstly, It can be verified from the help  that Iodine can use seven different queries and four different encoding types.

idoine_help.png

Picture1 – Iodine Help Section 

To analyze the behaviour of Iodine, I investigated every query type one by one.

  • In this document, I am going to analyze only Null type queries. Null type is not common DNS traffic and is indicative of DNS tunneling. Specifying a treshold could help us to block it.

NULL-Type.jpg

Picture2 – Packet Capture of Iodine NULL Queries

  • The custom signatures I wrote means that;
    • Start looking for  the pattern “01 00”  after 2 bytes  and  within 4 bytes depth of the payload . This pattern points the packet that contains recursive query.
    • And, start looking for  the pattern “00 00 0a 00 01”  after 12 bytes and within 255 bytes depth of the payload . This pattern points the packet that contains NULL type query.
    • If two conditions occur 10 times in 5 seconds from the same source IP, generate an alert.

Signature to detect Null type DNS Tunnelling

You can find the signatures below for other types of DNS queries. But, it is very important to specify count and time variables with respect to your DNS traffic volume.

 

Signature to detect TXT type DNS Tunnelling

Signature to detect CNAME type DNS Tunnelling

Signature to detect SRV type DNSTunnelling

Signature to detect MX type DNSTunnelling

Real_time.jpg

Picture3 – Real Time Alert Outputs of McAfee Network Security Manager

Finally, On McAfee NSM you are going to see the following alerts.

In default, Snort signatures are going to be disabled. You should enable blocking on the signatures after specifiying tresholds.

Best Regards.

0 Kudos
Reply
3 Replies
streamer
streamer
Level 9
Report Inappropriate Content
Message 2 of 4
‎12-23-2015 06:45 AM

Re: Detecting and Blocking DNS Tunelling with Custom Signatures

Great article thanks for sharing

0 Kudos
Reply
ahmed-sabanaa
ahmed-sabanaa
Level 2
Report Inappropriate Content
Message 3 of 4
‎07-02-2017 01:43 AM

Re: Detecting and Blocking DNS Tunelling with Custom Signatures

Dears ,

unfortunately , I think the rules is not valid 100% , I have created the rules to detect traffic passing through our sensors ,but almost the most of the traffic hitting the rules , please advice and provide us with you experiments ?

SA
0 Kudos
Reply
alibay
alibay
Level 7
Report Inappropriate Content
Message 4 of 4
‎09-21-2017 07:31 AM

Re: Detecting and Blocking DNS Tunelling with Custom Signatures

Hi,

It is pretty low count and seconds values written in the sample signatures.

You need to adjust your  "count" and "seconds" parameters with respect to your daily dns traffic volume (Y)

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC