Tailored Cyber Security.

DNS Exflitration

I mentioned DNS Exfiltration in a previous post. What is it? Let’s find out!

I tweeted out a higher level document from Defcon about DNS exfiltration. However, the first line says, “We assume the knowledge of how it works.”

I don’t assume that knowledge. Let’s cover it from the ground up.

DNS or Domain Name Resolution turns host names to IP addresses or vice versa. DNS servers are in charge of that so instead of going to 74.125.227.133 you can go to google.com. How can you possibly get data out of anywhere with that? Well it’s a little intricate but not too bad.

First, you need to set up your own DNS server. You’ll also need your own hostname. It makes things a lot easier if that server is the authoritative server for your hostname.

Note: You could do all of this without your own stuff, you’d just need to hack a DNS server and/or poison some requests. We won’t get into that here though.

Now that you have your very own hostname and DNS server we’ll get started. Hypothetically, you’ve compromised a system or penetrated a network that you’d like to start siphoning information from. A straight up TCP connection may be a bit too obvious.

Note: A unencrypted TCP connection over a weird port would look obvious. What about an encrypted connection over TCP 443 (HTTPS) going to a benign looking address?

You decide to go with DNS exfiltration! Why’s that? It runs over UDP so nobody ever looks at it or cares! Not fully true but it is more often than not. So, you write a script, or use a program already made, to make DNS requests. You send a request to imnotabadguy.com+yourdatahere and it will request the IP to that domain. Since you have the DNS server with the ultimate answer to what the IP is, the request will be made to it every time a unique request is made. Thus, every time a new chunk of data is sent it will make it to the server.

Now, for the server side. Very simply, you have a script on your server to look for specific strings as a tip off it needs to be rebuilding data. For example, the “+” in the above request would tip off the script that everything after it is data. The script would then put it into a file or do what ever it needs to do with it. After some time, you’ve got stolen data! Congratulations!

DNS exfiltration is typically done in a “low and slow” fashion. It pushes out an incredibly small amount of data at a very slow rate. It could take months to get even normal sized files!

Finally, you don’t have a ton to worry about as a home user with DNS exfiltration. However, the bad news is that that’s because any attacker will probably do it over an encrypted connection that looks fully legitimate. That way they can pump the data out with no restrictions.

Leave a Reply