As far as we can tell, the first discussion of this attack was from Oskar Pearson on the Bugtraq mailing list in April of 1998.īy 2004, it was being presented at Black Hat as a technique- see Dan Kaminsky’s presentation. This encoding would get past simple detection software that’s searching on plaintext patterns.Īnd that’s DNS tunneling! DNS Tunneling Attack HistoryĮverything has a beginning, including the idea of hijacking the DNS protocol for hacking purposes. Hackers can use base32, base64 or other character sets, or even encrypt the data. The “tunneling” part of this attack is about obscuring the data and commands to avoid detection by monitoring software. This would allow them to return messages hidden in various DNS response fields to the malware they loaded on the victim’s computer - direct it to, say, search this folder, etc. With the hackers in control, they then fake responses and send data back to the target system. After all, why would a DNS request be anything other than legitimate? Then they could scoop up the data- social security numbers, etc.-without necessarily being spotted. Suppose hackers were in control of the DNS server. What if a hacker snuck a message into a DN query? For example, instead of typing a legitimate URL, they entered the data they wanted to exfiltrate, say like this:
There are other queries you can make wherein the DNS protocol responds with various fields of data, which as we’ll soon see can be exploited by hackers.Īnyway, under the hood, the DNS protocol carries the query to the server, and the response back to the client. In the language of the DNS protocol, I made an address or “A” query. Notice the protocol responded, in this case with the IP address of the domain. You can look up an address just by entering the domain name, kind of like what I did below: If you want to see how it works, you can try accessing nslookup, the go-to tool to query DNS. There’s a protocol for everything on the Internet, and DNS supports a fairly simple query-response protocol.
0 kommentar(er)
