In February, we released Vercara UltraDNS Detection and Response, or UltraDDR.  This is a filtering DNS resolver powered by a decision engine that is powered by a vast data lake of attacker DNS infrastructure making it the highest efficacy product on the market.  As soon as we launched the product, we had customers asking about our ability to detect and block data exfiltration and tunneling via DNS.  Detecting this kind of activity and blocking it is one of the most powerful features of UltraDDR and it is something that we do better than any other solution. 

The concept behind basic DNS file exfiltration is fairly straightforward.  DNS is a protocol that enterprises must allow outbound access for, so firewalls typically allow outbound connections on UDP port 53 to DNS servers. DNS exfiltration takes advantage of this by encoding data that the attacker wants to exfiltrate inside legitimate-looking DNS traffic. A malicious authoritative DNS server deployed on the internet can extract the data from the DNS traffic it receives effectively evading enterprise defenses. 

To extract data via DNS, and given a file that you want to extract, attackers perform the following steps: 

1. Set up a domain and authoritative DNS server to receive queries 
2. Encrypt the data that they want to exfiltrate (optional) 
3. Encode the data into a character set that is DNS-compatible (0-9, a-z) 
4. Break the encoded data into “chunks” that are 53 characters or less in length 
5. Prepend each chunk to a domain to make a Fully-Qualified Domain Name (FQDN) 
6. Query for each FQDN against a local recursive DNS server that will forward the queries to the authoritative DNS 
7. Receive each query on the authoritative DNS and reverse the process to extract the file. 

Tunneling works similarly except that instead of transferring files, the attacker transfers network packets or HTTP requests.  To do tunneling or more advanced exfiltration, both the endpoint tool and the authoritative DNS server have to understand flow control, meta-commands, and even how to encode TCP into DNS. 

Data Exfiltration Through DNS That Is in Use Today. 

Not only is DNS exfiltration and tunneling possible but it’s also used today because it works. DNS queries are common on networks and in such a volume that it’s hard to inspect them all individually, much less correlate activity across multiple queries. 

There are many tools that do DNS exfiltration and tunneling: 

• DNS Steal https://github.com/m57/dnsteal  
• Iodine https://code.kryo.se/iodine/  
• Dns2TCP https://www.aldeid.com/wiki/Dns2tcp  
• DNSCat https://github.com/iagox86/dnscat2  
• Arecibo https://www.tarlogic.com/blog/arecibo-exfiltration-tool/  
• And many others 

MITRE ATT&CK is an enumeration of cyberattackers, tools, and techniques. The technique T1071.004 https://attack.mitre.org/techniques/T1071/004/ explains exfiltration, tunneling, and command and control (C2) over DNS and lists over 45 tools, malware families, and attacker groups that use it. 

T1071.004 also lists 2 mitigation methods, of which M1071 is directly relevant to UltraDDR: 

“Consider filtering DNS requests to unknown, untrusted, or known bad domains and resources. Resolving DNS requests with on-premises/proxy servers may also disrupt adversary attempts to conceal data within DNS packets.” 

Auditors Are Checking for DNS Tunneling & Data Exfiltration. 

Once attacker techniques and tools get added to ATT&CK, they also get added to the playbooks for red and purple teams.  In simulating attacker behavior, testers will check to see if they can use DNS for exfiltration and tunneling, if it is blocked by security controls, and if it is detected by the blue team and SOC operations staff. 

This also means that DNS exfiltration and tunneling end up as audit findings and risks and these get put into risk registers so that it is tracked, monitored, and addressed within the organization’s overall risk management process.  It has been incredibly common over the past 2 years that organizations have been looking for preventative control for DNS exfiltration and tunneling. 

UltraDDR Detects and Blocks DNS Tunnel & Data Exfiltration Traffic.

And that brings us full circle to UltraDDR and what our customers are asking for: detection and blocking of DNS exfiltration and tunneling. UltraDDR is designed to protect networks and endpoints by blocking, or redirecting, malicious DNS requests such as phishing, malware distribution, command-and-control communication, data exfiltration, and DNS tunneling.  

UltraDDR is powered by an adversarial infrastructure data lake that is a large-scale repository of historical and real-time data that contains information about known malicious domains, IP addresses, command-and-control servers, malware signatures, and other indicators of compromise (IOCs) collected from various sources, such as previous attacks, threat intelligence feeds, and security research. 

In the next blog post of this series, we will discuss how UltraDDR detects and blocks DNS exfiltration and tunneling. And in the last of the series, we will discuss testing the detection and demo a tool that written to simulate exfiltration.