{"id":3455,"date":"2016-04-26T17:15:30","date_gmt":"2016-04-26T17:15:30","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=3455"},"modified":"2025-04-01T12:25:32","modified_gmt":"2025-04-01T19:25:32","slug":"analysis-on-popular-dns-tunneling-tools","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/community\/analysis-on-popular-dns-tunneling-tools\/","title":{"rendered":"Analysis on Popular DNS Tunneling Tools"},"content":{"rendered":"

In the past few years, I did some in-depth research and analysis on many popular DNS tunneling tools[1]<\/sup>\u00a0including DNS2TCP[2]<\/sup>, TCP-over-DNS, OzymanDNS, Iodine, SplitBrain, DNScat-P\/DNScat2, DNScapy, TUNS, PSUDP, YourFreedom etc. Although most DNS Tunneling tools are implemented in different languages and\/or may have different features and settings, they share the same concept and achieve the same goal, which is trying to bypass the traditional IPS or firewall inspection and network security policy to reach the Internet. They can do data exfiltration by relaying TCP connections over DNS tunneling<\/strong><\/a>, which is hard to detect and block.<\/p>\n

In this blog, I will show my work on one of the\u00a0DNS tunneling tools<\/a>, DNS2TCP, to explain how DNS tunneling works and analyze its network traffic pattern\/behaviors. DNS2TCP is one of data exfiltration tools that supports SSH, SMTP, POP and other TCP connections over DNS protocol.<\/p>\n

1 DNS2TCP Test-bed Setup<\/h1>\n

1.1\u00a0\u00a0\u00a0\u00a0\u00a0 How DNS2TCP works<\/h2>\n

Like most tunneling technologies, DNS2TCP requires a public domain which can be used for the DNS tunneling. Once a public domain is configured and DNS2TCP software is installed, we can start DNS2TCP tool to run SSH\/POP\/SMTP or any other applications.<\/p>\n

Figure 1 shows the detailed steps on how DNS2TCP works.<\/p>\n

    \n
  1. Start DNS2TCP client from the laptop (in our setup, the IP address is 192.168.212.71), which has a default DNS server configuration (in our setup, the IP address is 192.168.212.11). When a user configures the DNS2TCP and starts an SSH session, the DNS2TCP client software will encapsulate SSH payloads into multiple subdomains on the pre-configured public tunneling domain and send these DNS subdomain requests to DNS server.<\/li>\n
  2. Most domains can be resolved by DNS server without any issue, but for the DNS tunneling domain, (in our setup, I am using a fake domain, dns2tcp.tunnel.srt.blox), the DNS server cannot resolve them and will forward the request to the DNS2TCP server (the IP address is 192.168.212.81).<\/li>\n
  3. The DNS2TCP server receives the DNS request, decapsulates the payload, and uses as a proxy to connect to the Internet resource. In our testbed, I setup an SSH server (192.168.212.91) as Internet resource.<\/li>\n
  4. Then Internet resource responds to the request and sends the payload to the DNS2TCP server.<\/li>\n
  5. The DNS2TCP server encapsulates the response payload from the Internet into DNS response packet, and sends back to the DNS2TCP client. The DNS2TCP client receives the DNS response traffic and decapsulates them. Then the client is able to receive all the response traffic from the Internet resource.<\/li>\n<\/ol>\n

    \"Figure<\/p>\n

    Figure 1. How DNS2TCP works<\/p>\n

    1.2\u00a0\u00a0\u00a0\u00a0\u00a0 Testbed Topology<\/h2>\n

    I used Fedora release 12 as a host machine, and installed VMware Workstation 11. I setup the whole testbed using the VMware workstation guests. I created four guests below:<\/p>\n

      \n
    1. DNS2TCP client, which is an Ubuntu OS guest using network adaptor as NAT (i.e. vmnet8). Inside the Ubuntu, network address is statically configured as 192.168.212.81, and the network nameserver is configured as 192.168.212.11. The package DNS2TCP is installed.<\/li>\n
    2. DNS2TCP server, which is also an Ubuntu OS guest using network adaptor as NAT(i.e., vmnet8). It has almost the same configuration as DNS client, but IP address is configured as 192.168.212.71. The package DNS2TCP is also installed on this machine.<\/li>\n
    3. Internet Resource (SSH Server), which is an Ubuntu OS guest as well. It serves as an Internet resource, and has SSH server, SMTP server and HTTP server installed. It has the same DNS nameserver configured, 192.168.212.11, and its static IP address is 192.168.212.91.<\/li>\n
    4. DNS Server. I use Infoblox vNIOS as the DNS server. It has a static network IP address, 192.168.212.11. I add a special DNS zone, dns2tcp.tunnel.srt.blox, for the DNS tunneling use. It is configured as a forward zone, which forwards DNS queries to DNS2TCP server, 192.168.212.71. The configuration is shown in Figure 2.<\/li>\n<\/ol>\n

      \"Figure<\/p>\n

      Figure 2: DNS tunneling domain: dns2tcp.tunnel.srt.blox<\/p>\n

      1.3 DNS2TCP Installation and Configuration<\/h2>\n
        \n
      1. DNS2TCP Server<\/li>\n<\/ol>\n

        First I install dns2tcp package in the Ubuntu guest OS.<\/p>\n

        apt-get install dns2tcp<\/p>\n

        Then I configure the DNS2TCP server options. The listing IP address is its local network interface 192.168.212.71, and the port number is the DNS port tcp\/53. The domain we will use for DNS tunnel is dns2tcp.tunnel.srt.blox.<\/p>\n

        Since the DNS2TCP server has an IP address is 192.168.212.71, we put the listing IP address on this interface, and port number to be 53. \u00a0In this study, I only focus on SSH session over DNS tunneling.<\/p>\n

        \"Figure<\/p>\n

        Figure 3. \u00a0Configuration on DNS2TCP Server<\/p>\n

        Last, I start DNS tunneling daemon by running the command below.<\/p>\n

        dns2tcpd \u2013F \u2013d 3 \u2013f config.dns2tcp.tunel.srt.blox.txt<\/p>\n

          \n
        1. DNS2TCP Client<\/li>\n<\/ol>\n

          Similar to DNS2TCP server, first we need to install dns2tcp package in the Ubuntu guest OS. Second we configure the DNS2TCP client as follows.<\/p>\n

          \"Figure<\/p>\n

          Figure 4. Configuration on DNS2TCP Client<\/p>\n

          At last, we run DNS2TCP application as proxy in the client,<\/p>\n

          dns2tcpc \u2013d 3 \u2013f config.dns2tcp-client.txt<\/p>\n

          Now, we can start SSH session to the SSH server 192.168.212.91 using DNS tunneling.<\/p>\n

          ssh jxia@127.0.0.1 \u2013p 2222 \u2013D 8081<\/p>\n

          It should be able to connect to the SSH server through DNS tunneling channel.<\/p>\n

          2\u00a0DNS2TCP Network Capture<\/h1>\n

          2.1\u00a0\u00a0\u00a0\u00a0\u00a0 Wireshark<\/h2>\n

          I install Wireshark pcap tool\u00a0[3]<\/sup>\u00a0on the DNS2TCP client to capture all the traffic that we have seen during the experiments. In order to reduce the noise and irrelevant packets, I apply capture-filters in Wireshark and only capture the DNS traffic on port 53 on the network interface.<\/p>\n

          2.2\u00a0\u00a0\u00a0\u00a0\u00a0 Testing Cases<\/h2>\n

          In order to study the DNS tunneling traffic on different use cases and scenarios, I captured the DNS2TCP tunneling traffic for the following testing cases:<\/p>\n