A Comparative Performance Evaluation of DNS Tunneling Tools
Alessio Merlo 1,2, Gianluca Papaleo 2, Stefano Veneziano 2, and Maurizio Aiello 2
1 Dipartimento di Informatica, Sistemistica e Telematica (DIST), University of Genova,
Via All'Opera Pia, 13, 16145 Genova, Italy
alessio.merlo@dist.unige.it
2 Istituto di Elettronica ed Ingegneria dell'Informazione e delle Telecomunicazioni
(IEIIT-CNR), Via De Marini, 6, 16142, Genova, Italy
{papaleo,veneziano,aiello}@ieiit.cnr.it
Abstract. DNS tunnels are built with dedicated tools that embed data in DNS queries and responses. Each tool takes its own approach to building tunnels in DNS, and each approach affects network performance differently. In this paper, we propose a brief architectural analysis of the current state of the art of DNS tunneling tools. Then, we propose the first comparative analysis of such tools in terms of performance, as a first step towards the possibility of relating each tool to a specific behavior of DNS traffic. To this aim, we define an assessment of the tools in three different network configurations with three different performance metrics. We finally summarize the most interesting results and provide some considerations on the performance of each tool.
1 Introduction
In recent years, the Internet has grown so much that organizations of every kind, from single restaurants and hotels to big companies, are connected to it. Over the same years, the evolution from the early Web to Web 2.0 has continuously increased the number of applications available on the network. Both these aspects have indirectly led organizations to adopt mechanisms (e.g. firewalls, captive portals) aimed at controlling access to the Internet. The reasons can be very different, from censorship in some countries to the selling of Internet connectivity. In general, such mechanisms act as filters for specific network protocols (e.g. HTTP, FTP), while they often allow the transit of service protocols (DNS, ICMP) and cannot appropriately filter encrypted ones (e.g. HTTPS, Skype). Thus, many attempts have been made to exploit these latter protocols in order to hide information and build a communication channel to another system on the Internet, avoiding the restrictions of firewalls. In this regard, many research activities [1] [2] [3] have focused on hiding data in various network protocols such as IPv4, IPv6, TCP, ICMP, HTTP and HTTPS, to cite just some.
At present, a particularly interesting covert channel is the DNS tunnel, since the DNS protocol is less filtered by the security mechanisms of organizations. For instance, when dealing with captive portals, if an unauthenticated user tries to connect to a given site, the captive portal resolves the DNS query before requesting credentials from the user. This means that each user within the network can produce DNS traffic to reach a destination over the Internet, independently of the identity of the requestor.
 