In-depth understanding of DNS tunnel communication in practical scenarios

2023.11.14

In-depth understanding of DNS tunnel communication in practical scenarios

Now, more and more network gangs are applying DNS tunnel communication technology to various places, including C2 servers and VPN services. Therefore, as a security defense personnel, it is very important to understand the utilization of DNS tunnel technology in the wild. Only by understanding the underlying tools and related activities of DNS tunnel communication can we achieve fine-grained analysis and achieve rapid response to security incidents. .

words written in front

Recently, we conducted an in-depth analysis of the use and usage of Domain Name System DNS tunneling technology in the wild. Attackers can use DNS tunneling technology to bypass various security policies in an organization's network environment, because most organizations have relatively loose management policies for DNS traffic. Previous research has also shown that malware campaigns such as SUNBURST and OilRig utilize DNS tunneling technology to achieve remote command and control (C2).

However, we still don’t know many details about how attackers use DNS tunneling technology in the wild. For example, are they using DNS tunneling just for C2? How do they implement and host these technologies? Can we monitor malicious activity by capturing and monitoring DNS tunnel traffic?

In this article, we will conduct a detailed analysis and introduction to the multiple aspects of DNS tunnel communication technology used by attackers in the wild.

DNS tunnel basics

What is a DNS tunnel

DNS tunneling is a technology that encodes data for non-DNS programs and protocols in DNS queries and responses. This allows various types of communication traffic to be forwarded through the DNS protocol, including file transfers, C2, and web traffic. wait.

Why perform DNS tunneling

DNS typically uses UDP port 53, which is typically open on clients, systems, servers, and firewalls to support the transmission of DNS queries. DNS is a basic component of the Internet. It provides services for many applications, from web browsing and email services to host automatic discovery, load balancing, security review and monitoring services, etc., all of which require the use of DNS.

Due to its criticality, most organizations have relatively loose security management policies for DNS traffic, which has led many attackers to choose to utilize the DNS protocol to tunnel C2 communication traffic and retrieve malware payloads.

Many malware campaigns, such as SUNBURST, OilRig, xHunt and DarkHydrus, use DNS tunneling technology. The permission policy for DNS traffic allows attackers to access the Internet, and a large amount of benign DNS traffic becomes a natural disguise for attackers to hide their footprints.

How to perform DNS tunneling

Two main components are required to perform DNS tunneling: client and server. The client sends DNS packets to the Internet, encodes the content via a DNS query, and decodes the content from the DNS response. The server receives a DNS query from a recursive resolver, decodes the content from the DNS query, and encodes the content into a DNS response.

The following figure shows the execution process of DNS tunnel:

In the above diagram, the client will first encode the sensitive data value into the subdomain $secret and send it as a DNS query request to $secret.badsite[.]com. Next, the resolver iteratively queries name servers at different domain levels until it gets a valid response. Similarly, the server component (name server) can also encode the malicious payload into the subdomain $payload and send a DNS response (CNAME $payload.bs[.]com) to $secret.badsite[.]com.

Instead of sending the raw data, we typically encode and segment the data using an encoding algorithm. Virtually anyone can come up with an algorithm to fragment data.

There are also many ready-made open source DNS tunneling tools, such as iodine, DNSStager, dnscat2, sliver, and Cobalt Strike . These tools support encoding of generic messages into subdomains of DNS queries and various types of DNS responses such as A (IPv4 address), AAAA (IPv6 address), TXT, CNAME, and MX.

Applying DNS tunneling technology to C2

C2 is the most common application scenario of DNS tunneling technology. The same activity can share some characteristics, such as using the domain name server used for communication as C2, or using common tunneling tools to implement encoding and decoding.

The first example targeted the malicious activities of an organization in the financial field. We observed communications between 22 tunnel domain names and the same target user.

These domains shared 7 nameserver IPs and used the same underlying coding tools. The attackers even applied for seemingly identical security/cloud provider domain names in an attempt to evade detection.

These domain names include:

panos[.]ltd

ciscocloud[.]space

ubrella[.]online

msft[.]center

mscd[.]store

awsl[.]site

We've listed these domains with their sample queries, nameserver domains, and nameserver IPs in the table below:

domain name

Query sample

domain name server

Domain name server IP

panos[.]ltd

10.eff89fcf44a13186ad3765f35860ce19c722c4bcda6bbbae6b7bab6025b36d0.d036b5a3fd8b67e55ee35feff7d014fdb8d32afe93d5d6f05f1dda3a096e8fa.2e10d 53e935549b3a081982724c3e6f806.oak.panos[.]ltd

bur.panos[.]ltd

34.92.43[.]140

ciscocloud[.]space

10.a6674ae5d37cab7263074adef14925ef28698896b8491276097a470beca325a.669f12d4b31e9a6707ce2ee5b595cb723f40ea6d8e5f406b8fba874c8bec632.32 99de58f43c3e4be80a7d7db2a2ed5aee9e13bac9cb.habit.ciscocloud[.]space

bram.ciscocloud[.]space

34.92.43[.]140

ubrella[.]online

8.d4fee8aa63e4ee6435452f86e84464168e96e314eb1a19c45e0e76f3ca71b2a.e9476062765ba0aeaeea97333805f09470ff3bd103e3ce8bd3ffefa3dfea90f.369c d352a204e9662db180407f1d1b8fa87be97c81d1.feign.ubrella[.]online

rumor.ubrella[.]online

34.92.43[.]140

mscd[.]store

4.a6gpmbnqbjewgwnqnlivwhleux4vnnyiuduyqgjkyn9jcihsttpdbdenf7lx8jx.jqhdulrejthsyipzvoleyvhv5s99nydtj5um8bzdmdms9gwdqnq46yis5hvbryo.dernuvjw7a6p6ndq4c8lwomsl7 zq5lncgsutndxfpaufefhr7xxeuhfpk8hs.sny7htmpdpqdcumtgrmeptytbe9p78skry64.17328.fish.mscd[.]store

rug.mscd[.]store

35.194.255[.]111

awsl[.]site

1.758fcd0ac2301084ef82efb047050ff5e7d45b4cd636b46e4292b67acac5ab0.a1644dfde400b8d41e7b6ec37338c45d34a8e9ed81173e8dffdf57ebb3c9e30.9fc 12877d608dfca610d50a121acbd30b2450391c13a.mud.awsl[.]site

lkas.awsl[.]site

35.194.255[.]111

msft[.]center

10.c5f310abb43603a3af324ee92bea16c8132ec2909fbca8d1036fe409d33af9b.c8c30e936bffb9f93bcba2c27682dcca1ab79aced6d1cf015a11d56a9c2f9f5.c49d8 757a19b693d78d1772977cbf164e2748b57bb9f.ud.msft[.]center

08e099da.msft[.]center

34.81.65[.]4

Our second example is an activity targeting another financial industry client. We found that the three tunnel domain names all pointed to the same client and used the same underlying tunneling tool - Cobalt Strike. The representative characteristics of Cobalt Strike include the use of common Prefixes, such as www, post, api, etc.

The three domain names are identity-mgmt[.]com, internalsupport[.]info and cloud-enrollment[.]com. The following are the corresponding query samples, domain name servers and IP addresses:

domain name

Query sample

domain name server

Domain name server IP

cloud-enrollment[.]com

api.12abc2cb5.446f35fa.dns.cloud-enrollment[.]com

ns1.cloud-enrollment[.]com

3.238.113[.]212

identity-mgmt[.]com

intact.md.180.02d8f18d2.7e8986be.int.identity-mgmt[.]com

ns1.cloud-enrollment[.]com

3.238.113[.]212

internalsupport[.]info

icr.0325e18d8.16ae9fb2.pl.internalsupport[.]info

dn.internalsupport[.]info

3.238.244[.]129

Summarize

Now, more and more network gangs are applying DNS tunnel communication technology to various places, including C2 servers and VPN services. Therefore, as a security defense personnel, it is very important to understand the utilization of DNS tunnel technology in the wild. Only by understanding the underlying tools and related activities of DNS tunnel communication can we achieve fine-grained analysis and achieve rapid response to security incidents. .

Indicators of Intrusion Threat IoC

domain name

panos[.]ltd

ciscocloud[.]space

ubrella[.]online

mscd[.]store

awsl[.]site

msft[.]center

cloud-enrollment[.]com

identity-mgmt[.]com

internalsupport[.]info

claudfront[.]net

allowedlisted[.]net

hsdps[.]cc

rcsmf100[.]net

hammercdntech[.]com

IP address

34.92.43[.]140

35.194.255[.]111

34.81.65[.]4

3.238.113[.]212

3.238.244[.]129

5.252.176[.]63

83.166.240[.]52

5.252.176[.]22

194.31.55[.]85

65.20.73[.]176

Other references

https://unit42.paloaltonetworks.com/tag/dns-tunneling/

https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/

https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

https://www.bamsoftware.com/software/dnstt/

https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/

https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/

https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/

Reference sources

https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild/

Author of this article: FreddyLu666, please indicate the source of reprint from FreeBuf.COM