A bot is a machine compromised by malware that lets an attacker (the botmaster) control it remotely via a Command and Control (C&C) server. A botnet is a collection of such compromised machines (bots) under the control of a C&C server.

A botnet's C&C communication channel is the protocol the bots and their C&C server use to talk to each other. DNS tunneling exploits the DNS protocol to carry arbitrary data inside DNS queries and responses. It can be used for C&C communication, for data exfiltration and for tunneling arbitrary Internet Protocol (IP) traffic over DNS. To use DNS tunneling as the C&C channel, the attacker embeds the tunneling mechanism in the malware binary and hard-codes into it the domain name under which the C&C server is hosted. To establish a connection with the C&C server, the bot sends a DNS query to resolve the C&C server's name.

A DNS tunnel uses a client-server model: the user's computer (the malware-infected bot) runs the DNS tunneling client program, and the attacker runs the DNS tunneling server program on an authoritative DNS server (the C&C server). The client sends data encoded in the hostname labels of a DNS query, and the server sends data encoded in a Resource Record (RR) of the DNS response packet.

The DNS tunneling program (or malware) base64-encodes the payload data, places it in a DNS query as the hostname labels prepended to the attacker's domain, and transmits that query to the server. The server answers the query with its own base64-encoded payload in the RDATA field of a Resource Record (RR) in the DNS response packet. TXT, NULL and CNAME records are the RR types most commonly used for DNS tunneling.

For example:

If the attacker registers the domain example.com, data can be transmitted as a DNS query for <base64_encoded_data>.example.com

  • The client computer could send an A record query with the data encoded in the hostname.

DNS Query: gewsSqJhs7AopOS34f32fgqqe.example.com

  • The server could then send any command or data by answering the A query with a CNAME record.

DNS Response: ZwsAq5sT43jgcDkhuH6rsp.example.com

In a DNS tunneling scenario, the attacker registers a domain name, e.g. example.com, and points its name server records at the server where the DNS tunneling server program runs. That server acts as the authoritative name server for the domain and its subdomains; the tunnel server daemon running on it performs the server-side half of the tunnel and decapsulates the payload data.

On the compromised machine (bot), the DNS tunneling client program (malware) reads the data to be exfiltrated line by line, slices it into small chunks and base64-encodes each chunk. It then places the encoded data as subdomain labels, suffixed with the attacker's domain name, in a DNS query and sends that query to the recursive DNS server. The recursive DNS server, the root servers and the TLD servers process the query by locating the name server authoritative for the attacker's registered domain and directing the query to it. When the query carrying payload data arrives at the authoritative DNS server for the attacker's domain, the attacker can pick those queries out of the server's query logs, parse them and decode the base64-encoded labels (subdomains) to reassemble the stolen data from the infected bot. The server then sends a DNS response back to the client containing a new command encoded in a Resource Record (RR). That is how data moves back and forth over a DNS tunnel. The DNS responses carry a low TTL to avoid caching. Because the DNS protocol does not allow a server to initiate a connection to a client, the client must periodically send queries to pull new commands from the attacker's DNS server (C&C server).

DNS Tunneling and Data Exfiltration

[Figure: Tunneling Data and Commands Over DNS]

Referring to the figure above: the attacker infects a user's computer inside an organization with malware. The organization has a firewall that monitors and blocks malicious traffic. Web browsing and most other communication from internal computers to the Internet depend on the DNS service, so restricting DNS communication can disrupt legitimate connectivity; for that reason the DNS protocol is always allowed outbound and inbound through the firewall. The attacker takes advantage of this to use DNS tunneling as a covert C&C communication channel. For a traditional firewall or IDS it is very hard to distinguish benign from malicious use of the DNS protocol.

  1. The attacker registers the domain name hack.com and points its name server records at the attacker's C&C server, where the DNS tunneling server program is installed. Because the malware binary is hard-coded with the domain name hack.com, every DNS query the malware makes is forwarded to the attacker's C&C server.
  2. The malware steals sensitive username and password data and sends it, encoded in a DNS query, to the recursive DNS server.
  3. The recursive DNS server tries to answer the query from its cache; it cannot, so it forwards the query through the firewall to the root server and the TLD server, and finally the query is routed to the attacker's C&C server (name server), where the DNS tunneling server program is running.
  4. The attacker picks the queries carrying stolen data out of the server's query log, decodes them and recovers the username and password.
  5. The attacker's name server (C&C server) sends a DNS response with a new command encoded in a Resource Record (RR) back to the infected host.

That is how a botmaster can establish a two-way, transactional communication channel over a DNS tunnel.

Upstream Payload Size (In DNS Query):

A Fully Qualified Domain Name (FQDN) is a series of labels separated by periods. Basically an FQDN has three parts, [Hostname].[Second-level Domain].[TLD], where the second-level domain part may itself include subdomains. An FQDN also requires a trailing period, e.g. label2.label1.domain.com.

A DNS tunnel uses the hostname labels for upstream data. The amount of data that can be exfiltrated in each DNS query packet is limited by the maximum length of a domain name: an FQDN is at most 255 characters including dots, and each label (subdomain) is at most 63 characters. The malware (bot) therefore uses up to 63 characters per FQDN label to encode payload data in a DNS query.

Downstream Payload Size (In DNS Response):

A DNS tunnel uses various Resource Record (RR) types for downstream data. The TXT record is limited to 255 octets of data in its RDATA field, the CNAME record is likewise limited to 255 octets, and the NULL record allows up to 65535 octets. Besides these most commonly used record types, other RR types are also used for DNS tunneling. “Sending DNS packets over UDP are restricted to 512 bytes (not counting the IP or UDP headers)” (RFC 1035). To increase the payload size, EDNS0 (Extension Mechanisms for DNS) can be used: an EDNS0-capable server receiving a request from an EDNS0-capable client may send UDP DNS packets larger than the 512-byte limit.
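The mechanism described earlier (payload in query labels, commands returned in TXT, NULL or CNAME answers with a low TTL), the 255/63-character limits of the upstream section and the RR sizes of this section all translate into checks a defender can run over resolver logs. The following is an added example written for this page, not code from the original post or from any tunneling tool. It assumes a constructed log format of one line per query, `client qname qtype answer-type ttl rdlength`, treats the last two labels of a name as the registered domain (a simplification; a real deployment would use the Public Suffix List), and its thresholds are illustrative starting points, not tuned values. The sample lines are constructed; standard base64 uses `+`, `/` and `=`, which are not valid hostname characters, so the sample labels omit padding as hostname-safe tunnel encodings do.

```python
import math
from collections import Counter, defaultdict

# Limits as stated on the page: 255 characters per FQDN including dots, 63 per label.
MAX_FQDN = 255
MAX_LABEL = 63

# Constructed sample resolver log lines (hypothetical format, not a real log):
# client  query-name  query-type  answer-RR-type  answer-TTL  answer-RDATA-octets
SAMPLE_LOG = [
    "10.0.0.5 www.example.org. A A 3600 4",
    "10.0.0.7 mail.example.org. MX MX 3600 16",
    "10.0.0.9 www.example.org. A A 3600 4",
    # the page's own example: an A query answered with a CNAME at a low TTL
    "10.0.0.5 gewsSqJhs7AopOS34f32fgqqe.example.com. A CNAME 5 38",
    # constructed base64 labels, padding stripped since '=' is not a hostname character
    "10.0.0.5 Y29uZmlnLnR4dDpwYXNzd29yZD1odW50ZXIy.example.com. A CNAME 5 40",
    "10.0.0.5 dXNlcj1hbGljZTtwYXNzd29yZD1zM2NyM3Q.example.com. TXT TXT 5 120",
]

def shannon_entropy(text):
    """Bits per character; encoded payload labels score well above ordinary hostnames."""
    if not text:
        return 0.0
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in Counter(text).values())

def split_name(qname):
    """Return (hostname labels, registered domain)."""
    # Assumption: the last two labels form the registered domain. Wrong for
    # suffixes such as co.uk; use the Public Suffix List in production.
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])

def query_features(qname):
    """Per-query measurements that the page's description makes relevant."""
    labels = qname.rstrip(".").split(".")
    host_labels, domain = split_name(qname)
    hostname = "".join(host_labels)
    return {
        "domain": domain,
        "fqdn_len": len(qname),
        "longest_label": max(len(label) for label in labels),
        "entropy": shannon_entropy(hostname),
        # beyond the protocol limits the name is malformed rather than a tunnel
        # frame, but that deserves its own alert
        "over_limit": len(qname) > MAX_FQDN or any(len(l) > MAX_LABEL for l in labels),
    }

def is_suspicious_query(qname, min_label=20, min_entropy=3.5):
    """Long, high-entropy labels look like encoded payload. Thresholds are illustrative."""
    f = query_features(qname)
    return f["longest_label"] >= min_label and f["entropy"] >= min_entropy

def is_suspicious_answer(atype, ttl, rdlength, max_ttl=60, min_rdlength=32):
    """The RR types the page names as carriers, at the low TTL it describes."""
    return atype in {"TXT", "NULL", "CNAME"} and ttl <= max_ttl and rdlength >= min_rdlength

def unique_subdomain_ratio(lines):
    """Per registered domain: (distinct hostnames seen, total queries)."""
    # A tunnel endpoint is asked for a stream of never-repeating names, so its
    # distinct count tracks its query count; ordinary domains repeat.
    seen, total = defaultdict(set), defaultdict(int)
    for line in lines:
        _, qname, *_ = line.split()
        host_labels, domain = split_name(qname)
        seen[domain].add(".".join(host_labels))
        total[domain] += 1
    return {d: (len(seen[d]), total[d]) for d in total}

def upstream_capacity(domain):
    """Largest payload one query can carry under a registered domain: (base64 chars, bytes)."""
    # Every hostname label costs its length plus the dot joining it to the next
    # part; the domain costs its length plus the trailing dot (the page's FQDN
    # rules). Bytes are counted at 6 bits per base64 character.
    available = MAX_FQDN - len(domain) - 1
    full_labels = available // (MAX_LABEL + 1)
    chars = full_labels * MAX_LABEL
    remainder = available - full_labels * (MAX_LABEL + 1)
    if remainder > 1:  # a shorter final label still fits
        chars += remainder - 1
    return chars, chars * 6 // 8

def analyze(lines):
    """Registered domains for which any query or answer trips a heuristic."""
    flagged = set()
    for line in lines:
        _, qname, _qtype, atype, ttl, rdlength = line.split()
        if is_suspicious_query(qname) or is_suspicious_answer(atype, int(ttl), int(rdlength)):
            flagged.add(split_name(qname)[1])
    return flagged
```

Run against the constructed sample, `analyze(SAMPLE_LOG)` flags only `example.com`, `unique_subdomain_ratio` shows that domain answering as many distinct names as it receives queries, and `upstream_capacity("example.com")` gives the roughly 239 base64 characters (about 179 bytes) that fit in one query under an 11-character domain, which is why a tunnel needs a large volume of queries and why the per-domain query count and distinct-name ratio are as useful as any single-query feature.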


A DNS-based covert Command-and-Control (C&C) channel is extremely robust and hard to detect, and it gives the C&C server extra resilience and mobility. Botnet C&C communication over a covert DNS tunnel can easily be disguised as legitimate traffic, and because DNS is always allowed by firewall rules the malicious traffic passes the firewall easily. This makes DNS tunnels ideal as a covert communication channel for malware, and botmasters take advantage of them to perform a range of malicious activities. Using DNS-based C&C communication and rallying mechanisms lets attackers resist takedown by removing the single point of failure (SPOF): if one C&C server is taken down, the attacker can set up another with a different IP address simply by updating the DNS record. Domain fluxing using a DGA and the use of fast flux make it even harder for security researchers to take down the C&C server.