Fig. 1. Entities involved in a DNS Tunnel
The potential use of DNS queries as covert channels has led to the development of dedicated DNS tunneling tools that hide information inside DNS requests and responses. Such a tool relies on a customized client on the user's machine and a colluding DNS server outside the organization, authoritative for the destination domain. The tool embeds data in DNS queries and carries requests and responses between the tunneled client and the rogue server, exchanging information in suitable fields of the DNS packets. The rogue server can then forward the received data to another destination host.
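The exchange described above, as an added example that is not code from the paper or from any of the tools it evaluates: a minimal covert channel in RFC 1035 wire format, where the client packs bytes into the QNAME labels of a query and the rogue server returns bytes in the TXT rdata of its answer. The zone name t.example.net, the "s<seq>" sequence label and the base32/base64 framing are assumptions made for this illustration; real tools use their own framing.

```python
# Added example (not code from the paper or from any DNS tunneling tool):
# a minimal DNS covert channel in RFC 1035 wire format. Payload bytes travel
# upstream inside the QNAME labels of a query and downstream inside the TXT
# rdata of the answer. The zone name, the "s<seq>" label and the base32/base64
# framing are assumptions made for this illustration.
import base64
import struct

TUNNEL_ZONE = "t.example.net"   # assumed zone delegated to the rogue server
MAX_LABEL = 63                  # RFC 1035 label length limit
MAX_NAME = 253                  # RFC 1035 limit on a name in presentation form
QTYPE_TXT, QCLASS_IN = 16, 1


def encode_upstream(seq: int, payload: bytes) -> str:
    """Client side: pack payload into '<seq>.<base32 chunks>.<zone>'."""
    data = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [data[i:i + MAX_LABEL] for i in range(0, len(data), MAX_LABEL)]
    name = ".".join([f"s{seq}"] + labels + [TUNNEL_ZONE])
    if len(name) > MAX_NAME:
        raise ValueError("payload does not fit in one query name")
    return name


def decode_upstream(qname: str):
    """Rogue-server side: recover (seq, payload) from a tunnel QNAME."""
    if not qname.endswith("." + TUNNEL_ZONE):
        return None                      # not tunnel traffic
    labels = qname[:-len(TUNNEL_ZONE) - 1].split(".")
    seq = int(labels[0][1:])
    data = "".join(labels[1:]).upper()
    data += "=" * (-len(data) % 8)       # restore base32 padding
    return seq, base64.b32decode(data)


def build_query(txid: int, qname: str, qtype: int = QTYPE_TXT) -> bytes:
    """Serialize a one-question DNS query (header + question section)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query_name(packet: bytes) -> str:
    """Read the QNAME out of a query (question names are never compressed)."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def build_txt_response(query: bytes, payload: bytes) -> bytes:
    """Rogue server: echo the question and add one TXT RR carrying payload."""
    txid = struct.unpack("!H", query[:2])[0]
    txt = base64.b64encode(payload)
    if len(txt) > 255:
        raise ValueError("payload does not fit in one TXT character-string")
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    rdata = bytes([len(txt)]) + txt
    # 0xC00C: compression pointer to the question name at offset 12; TTL 60 s
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 60, len(rdata)) + rdata
    return header + query[12:] + rr


def parse_txt_payload(response: bytes) -> bytes:
    """Client side: extract the payload from the first TXT answer."""
    pos = 12
    while response[pos] != 0:            # skip the question name
        pos += 1 + response[pos]
    pos += 1 + 4                         # root label, QTYPE, QCLASS
    pos += 2                             # compressed owner name of the RR
    _, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
    pos += 10
    txt_len = response[pos]
    return base64.b64decode(response[pos + 1:pos + 1 + txt_len])


def round_trip(upstream: bytes, downstream: bytes):
    """Full exchange: client query -> rogue server -> TXT answer -> client."""
    query = build_query(0x1234, encode_upstream(7, upstream))
    seq, got_up = decode_upstream(parse_query_name(query))
    answer = build_txt_response(query, downstream)
    return seq, got_up, parse_txt_payload(answer)


if __name__ == "__main__":
    print(round_trip(b"hello through dns", b"ack"))
```

The size checks make the capacity limits of the channel visible: one query name carries at most about 150 bytes of base32 payload and one TXT character-string at most 255 bytes, which is why real tools fragment their traffic across many queries and why query rate and name length become the observable side effects discussed in this paper.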
Each DNS tunneling tool adopts its own strategy for building tunnels between the client and the rogue server, resulting in covert channels with different characteristics. Nevertheless, DNS covert channels (and tools) can be divided into two classes: (1) IP over DNS, where IP packets are embedded and delivered through the tunnel, and (2) TCP over DNS, which embeds one or more TCP-like communication channels, allowing an SSH connection (or any other TCP connection) to be established inside the tunnel. Currently only a few working and reliable DNS tunneling tools exist, in particular in the second category. Each tool follows a distinct strategy that has different effects and side effects on legitimate DNS servers and network traffic. Thus, the ability to relate specific performance patterns to a particular DNS tunneling tool would be useful for a detection system to recognize the presence of a DNS tunnel.
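The detection idea above, as an added example that is not code from the paper and not any tool's signature: a per-zone feature extractor of the kind a detection system could run over resolver query logs, computing the traffic-level side effects a tunnel leaves (query rate, name length, label entropy, non-repeating subdomains, bulk-capable record types). The log lines are constructed, the zone rule (last two labels) is a simplification, and every threshold is an assumption made for this illustration, not a measurement from the paper's test-bed.

```python
# Added example (not code from the paper and not any tool's signature): a
# per-zone feature extractor of the kind a detector could run over resolver
# query logs. The log lines, the zone rule (last two labels) and every
# threshold are assumptions made for this illustration, not measurements.
import base64
import hashlib
import math
from collections import defaultdict

BULK_TYPES = {"TXT", "NULL", "CNAME"}    # assumed: record types that carry bulk data

# Constructed resolver log: (timestamp in seconds, qname, qtype).
_BENIGN = [
    (0.0, "www.example.com", "A"), (12.0, "mail.example.com", "MX"),
    (25.0, "www.example.com", "A"), (40.0, "cdn.example.com", "A"),
    (52.0, "www.example.com", "AAAA"), (60.0, "cdn.example.com", "A"),
]
# Tunnel-like burst: ten long, high-entropy, never-repeating names in ~2 s.
_TUNNEL = [
    (100.0 + 0.2 * i,
     f"s{i}." + base64.b32encode(hashlib.sha256(bytes([i])).digest()).decode().rstrip("=").lower()
     + ".t.example.net",
     "TXT")
    for i in range(10)
]
SAMPLE_LOG = _BENIGN + _TUNNEL


def zone_of(qname: str) -> str:
    """Assumed zone rule: the last two labels (no public-suffix handling)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_features(log):
    """Per-zone traffic features: rate, name length, entropy, repetition, record types."""
    by_zone = defaultdict(list)
    for ts, qname, qtype in log:
        by_zone[zone_of(qname)].append((ts, qname.rstrip("."), qtype))
    feats = {}
    for zone, rows in by_zone.items():
        stamps = [r[0] for r in rows]
        span = max(stamps) - min(stamps) or 1.0     # single query: avoid division by zero
        subs = [r[1][:-len(zone) - 1] if r[1] != zone else "" for r in rows]
        feats[zone] = {
            "count": len(rows),
            "rate": len(rows) / span,
            "mean_len": sum(len(r[1]) for r in rows) / len(rows),
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(rows),
            "unique_sub_ratio": len(set(subs)) / len(rows),
            "bulk_type_share": sum(r[2] in BULK_TYPES for r in rows) / len(rows),
        }
    return feats


def flag_zones(feats, rate=1.0, mean_len=40.0, entropy=3.5, unique=0.9, bulk=0.5, min_hits=3):
    """Assumed thresholds; a zone is flagged when at least min_hits indicators fire."""
    flagged = {}
    for zone, f in feats.items():
        hits = [
            f["rate"] > rate, f["mean_len"] > mean_len, f["mean_entropy"] > entropy,
            f["unique_sub_ratio"] > unique, f["bulk_type_share"] > bulk,
        ]
        if sum(hits) >= min_hits:
            flagged[zone] = sum(hits)
    return flagged


if __name__ == "__main__":
    for zone, f in zone_features(SAMPLE_LOG).items():
        print(zone, {k: round(v, 2) for k, v in f.items()})
    print("flagged:", flag_zones(zone_features(SAMPLE_LOG)))
```

The thresholds have to be tuned per network (CDNs and anti-spam services also issue long, high-entropy names), and a single indicator is not enough on its own; the value of the per-tool characterization this paper sets out to provide is precisely that it tells a detector which of these features each tool actually moves and by how much.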
To the best of our knowledge, a comprehensive and in-depth performance evaluation of the current state of the art in DNS tunneling tools has not yet been made. Thus, the aim of this paper is to provide a first attempt to compare distinct DNS tunneling tools by characterizing their performance and the impact they have on the network.
The paper is organized as follows: Section 2 reviews related work on covert channels and, in particular, on DNS tunnels; Section 3 provides an introduction to current DNS tunneling tools. Section 4 introduces the testing network architecture, the network scenarios (i.e. specific configurations of the general architecture) and the metrics we used in our tests. Section 5 provides an analysis of the results and a characterization of each tool in terms of network performance. Finally, Section 6 concludes the paper.
2 Related Work
Due to the growing proliferation of covert channels, much research has focused on recognizing unexpected patterns [7] or hidden information in plaintext and encrypted network protocols. Plaintext protocols (e.g. HTTP) can be exploited to build covert channels; in particular, SSH can be tunneled over HTTP to circumvent firewall restrictions. In [4], HTTP traffic is analyzed in order to recognize covert channels built by Skype