HOW DNS TUNNELING WORKS AS C&C COMMUNICATION CHANNEL FOR BOTNET



DNS tunneling is a technique which exploits DNS protocol for tunneling data via DNS query and response packet. DNS tunneling requires the compromised machines (malware infected bot) to run a DNS Tunneling client program besides the attacker runs a DNS Tunneling server program on his authoritative DNS server (C&C Server). The DNS client program sends data encoded in the hostname label of a DNS Query and the server sends data encoded into the Resource Record (RR) of a DNS Response packet. DNS Tunnel can be used for C&C server communication, data exfiltration and tunneling of any Internet Protocol (IP) traffic via DNS Protocol.


Botnet’s C&C communication channel refers to the protocol used by the bots and its C&C Server to communicate with each other. To leverage DNS Tunneling as C&C communication channel the attacker embeds DNS Tunneling mechanism in the malware’s binary and the malware binary is also hard coded with the domain name where the C&C server was hosted. To establish connection with the C&C server, the bot would send DNS query to resolve the IP address of C&C server.


DNS TUNNELING EXPLAINED:

DNS Tunneling program (or malware) encodes the payload data within DNS Query packet by using base64 encoding scheme then transmits the payload data as DNS Query to the server. Payload data is prepended as the hostname of a DNS Query. The server responds the query with its base64 encoded payload data in DNS Response packet by using RDATA field of various DNS Resource Record (RR) types. TXT, NULL and CNAME records are the most commonly used in DNS tunneling. For example:

If the attacker registers the domain example.com then data can be transmitted as a DNS request to <base64_encoded_data>.example.com

  • The client computer could send an A record query where the data is encoded within the hostname.

DNS Query: gewsSqJhs7AopOS34f32fgqqe.example.com

  • Then the server could send any command/data by responding to the A query with a CNAME record as response.

DNS Response: ZwsAq5sT43jgcDkhuH6rsp.example.com


In DNS tunneling scenario, attacker registers a domain name, e.g. example.com. Then points its nameserver records towards the server where DNS tunneling server program is running. The server acts as an authoritative name server for that domain name and its sub-domain to facilitate server-side tunneling and decapsulating the payload data by running DNS tunnel server daemon on the server.


DATA EXFILTRATION VIA DNS TUNNELING:

On the compromised machine (Bots) DNS tunneling client program (malware) read the data to be exfiltrated line by line. Slices the data into small chunks and performs base64 encoding on each line. Then encapsulates the base64 encoded data as subdomain labels suffixed with the attacker’s domain name in a DNS query and sends that query to the Recursive DNS Server. The Recursive DNS Server, Root, and TLD Servers process the DNS query, by locating the name server authoritative for attacker’s registered domain name and directing the “DNS query” to that server. When the DNS query with payload data arrives on to the authoritative DNS server of the attacker’s registered domain, the attacker can track down those DNS queries logs, parse them and decode the base64 encoded labels (subdomains) to reassemble the stolen data from the client (Infected bot). Then the server sends back DNS Response to the client containing new command encoded into Resource Record (RR) in DNS Response packet. That’s how data is transmitted back and forth using DNS Tunnel. DNS responses have low TTL value to avoid caching. DNS protocol does not allow the server to initiate a connection with the client; the client needs to periodically send query to pull new command from the attacker’s DNS server (C&C Server).