3 Replies Latest reply on Sep 21, 2017 9:31 AM by alibay

    Detecting and Blocking DNS Tunelling with Custom Signatures

    alibay

      DNS (Domain Name System) is the protocol which is composed of hierarchical and dynamic database and it provides us IP addresses, text records, mail exchange information (MX records), name server information (NS records).The Domain name system protocol concepts, facilities, specification and implementation were defined in RFC 882 and RFC 883. These RFCs were made obsolete by RFC 1034 and RFC 1035 and have been updated by multiple RFCs over the time. (i.e. RFCs 1101, 1183, 1348, 1876, 1982, 2065, 2181, 2308, 2535, 4033, 4034, 4035,4343, 4035, 4592, 5936)

       

      Today, I am going to talk about detecting misuse of DNS protocol, is called as DNS tunneling. In most of the companies and topologies users can access local DNS servers which is capable of performing recursive queries to Root Name Servers. With aid of this tunneling method, another protocol can be tunneled through DNS. A DNS tunnel can be used for ‘command and control‘, data exfiltration or tunneling of any IP protocol traffic. Further more, it is easy to bypass payment canceled Internet services that allow DNS requests but not other traffic until payment is made.

       

       

      There are several DNS tunneling tools using different record types and encoding methods. Some of them are Iodine, OzymanDNS, dns2tcp and so on.

       

      On lab enviroment, I try to analyze  the tool IODINE (Ip Over DNS Is Now Easy ), that has ability to detect the best possible query type and encoding methods.  And, I realize that Intel Security product McAfee NSM with default signature set can not even detect the misuse. To prevent this violation, I wrote some custom signatures based on my observations.

      • Firstly, It can be verified from the help  that Iodine can use seven different queries and four different encoding types.

      idoine_help.png

      Picture1 – Iodine Help Section 

       

      To analyze the behaviour of Iodine, I investigated every query type one by one.

      • In this document, I am going to analyze only Null type queries. Null type is not common DNS traffic and is indicative of DNS tunneling. Specifying a treshold could help us to block it.

      NULL-Type.jpg

      Picture2 – Packet Capture of Iodine NULL Queries

       

      • The custom signatures I wrote means that;
        • Start looking for  the pattern “01 00”  after 2 bytes  and  within 4 bytes depth of the payload . This pattern points the packet that contains recursive query.
        • And, start looking for  the pattern “00 00 0a 00 01”  after 12 bytes and within 255 bytes depth of the payload . This pattern points the packet that contains NULL type query.
        • If two conditions occur 10 times in 5 seconds from the same source IP, generate an alert.
      Signature to detect Null type DNS Tunnelling

       

       

      You can find the signatures below for other types of DNS queries. But, it is very important to specify count and time variables with respect to your DNS traffic volume.

       

      Signature to detect TXT type DNS Tunnelling

       

       

      Signature to detect CNAME type DNS Tunnelling

       

       

      Signature to detect SRV type DNSTunnelling

       

       

      Signature to detect MX type DNSTunnelling

       

       

      Real_time.jpg

      Picture3 – Real Time Alert Outputs of McAfee Network Security Manager

       

      Finally, On McAfee NSM you are going to see the following alerts.

       

      In default, Snort signatures are going to be disabled. You should enable blocking on the signatures after specifiying tresholds.

       

      Best Regards.