A discussion on covert DNS traffic

DNS is everywhere, but is it always being used for legitimate purposes? Did you know you can run a VPN over DNS for free WiFi?


Introduction

The Domain Name System (DNS) has, since its inception in the late 1980s, become an essential part of computer networking. Its operation is critical for most of the applications and protocols we interact with daily, and ensuring its proper operation is a must-win battle for any network administrator. This seemingly simple protocol has some unintended uses which are often overlooked by network administrators. A DNS threat report from 2017 revealed that 25% of organizations in the US experienced some form of data exfiltration via DNS, and 25% of those had either customer data or intellectual property stolen. With so many systems heavily entangled with and reliant on the operation of DNS, adding restrictions to the system to increase security carries the added risk of applications and services no longer running as they should. This leaves network administrators with a dilemma: they must balance security against functionality. Disabling DNS outright, even in locked-down networks, is often infeasible.

There are many examples of internet-limited networks that still require functional DNS. Take a WiFi hotspot with a captive-portal login. If TLS is to be used in the user authentication process, then DNS must be present, as HTTPS relies on it for authenticating the login page. Corporate networks may have segments running mission-critical services and therefore heavy IP filtering in firewalls. However, many of these services may require local host-name resolution or name-based load balancing, so a local DNS resolver must be present.

Allowing unrestricted DNS access can have unintended consequences. These range from botnets using DNS to organize and orchestrate attacks, to more advanced threat actors using it as a side channel for malware command and control communication, potentially circumventing IDS/IPS mechanisms that focus on monitoring other network protocols. There are other issues, such as DNS leakage; however, the scope of this post is limited to covert/side-channel communication over DNS.
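Because side-channel DNS traffic slips past monitoring that is focused on other protocols, the practical defensive response is to inspect the DNS query log itself. The following is an added example, not code from the original post, showing the kind of heuristic a network administrator can run over resolver logs: it groups queries by a naive "registered domain" (last two labels, no public-suffix list), and flags domains whose subdomain labels are long and high-entropy, almost never repeat, and are carried in record types that can hold bulk data. The log format and the sample lines are constructed for this example; the thresholds are assumptions to be tuned against a real baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the original post).
# Format assumed here: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2017-03-01T10:00:01 10.0.0.5 A www.example.com
2017-03-01T10:00:02 10.0.0.5 AAAA mail.example.com
2017-03-01T10:00:03 10.0.0.7 TXT 3q9d8f7a6s5d4f3g2h1j0k9l8m7n6b5v4c3x2z1.tun.example.org
2017-03-01T10:00:03 10.0.0.7 TXT 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b.tun.example.org
2017-03-01T10:00:04 10.0.0.7 TXT 0f1e2d3c4b5a6978a1b2c3d4e5f6a7b8c9d0e1f2.tun.example.org
2017-03-01T10:00:05 10.0.0.5 A cdn.example.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Record types that can carry sizeable payloads in their answers; used as a
# weak signal, since legitimate traffic is dominated by A/AAAA lookups.
BULK_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking encoded data scores high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive approximation: last two labels (no public-suffix handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname: str) -> str:
    """Everything to the left of the (naive) registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def parse_log(text: str) -> list:
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = LOG_RE.match(line) if line else None
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower()})
    return records


def summarize(records: list) -> dict:
    """Per-domain aggregates that feed the tunnelling heuristic."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "bulk": 0, "max_len": 0})
    for r in records:
        s = stats[registered_domain(r["qname"])]
        sub = subdomain_part(r["qname"])
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        s["max_len"] = max(s["max_len"], len(r["qname"]))
        if r["qtype"] in BULK_QTYPES:
            s["bulk"] += 1
    return stats


def flag_tunnel_candidates(records: list, min_queries: int = 3,
                           entropy_threshold: float = 3.5,
                           length_threshold: int = 40) -> dict:
    """Return {domain: [reasons]} for domains matching at least two signals.

    Thresholds are assumed starting points, not measured values.
    """
    flagged = {}
    for domain, s in summarize(records).items():
        if s["queries"] < min_queries:      # too little data to judge
            continue
        avg_entropy = s["entropy_sum"] / s["queries"]
        unique_ratio = len(s["subdomains"]) / s["queries"]
        reasons = []
        if avg_entropy >= entropy_threshold:
            reasons.append(f"high subdomain entropy ({avg_entropy:.2f} bits)")
        if s["max_len"] >= length_threshold:
            reasons.append(f"long query names (max {s['max_len']} chars)")
        if unique_ratio >= 0.9:
            reasons.append("subdomains almost never repeat (cache-busting)")
        if s["bulk"] / s["queries"] >= 0.5:
            reasons.append("mostly bulk-capable record types")
        if len(reasons) >= 2:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_tunnel_candidates(parse_log(SAMPLE_LOG)).items():
        print(domain, "->", "; ".join(reasons))
```

Requiring two independent signals keeps single-feature false positives (CDNs with long hashed hostnames, or mail servers issuing many TXT lookups) from paging anyone; the per-domain aggregation also means a single odd query is never enough on its own.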

The aim of this document is to help network administrators get a better understanding of DNS, and the unexpected consequences of unvetted and unchecked access to the protocol. Exposing how many of these malicious systems function may help network administrators apply this knowledge to protect their own networks. Although there are no one-size-fits-all solutions, having a thorough understanding of the issue may help with planning of network infrastructure, and help reduce incident response times.

Background

We will now take a deep dive into some background information relevant to understanding the topic at hand. Readers are expected to have a basic understanding of computer networking and some knowledge of DNS.

Command and Control

Malware, botnets, and other forms of malicious software often require some form of external communication for coordination and data exfiltration. The remote command and control channel (C&C) is a defining characteristic of botnets. A significant amount of research has been done on detecting this traffic to aid in detecting malware infections. These advancements in detection mechanisms have caused botnet owners to take further steps to ensure the resilience of their botnets, especially in regard to their C&C communication. C&C is not limited to botnet use. Other, more targeted malware may seek to extract sensitive information from networks, or require some human intervention to achieve further lateral movement within the network. In such cases, strict firewall rules may be a challenge, meaning alternate forms of communication must be established to ensure continued operation. The C&C channel can then be used for data exfiltration, or to download additional malware to run on the infected network.