{Will update this as I go…}

My recent work has focused on a particular form of DNS-based covert channel that encodes its payload into the slack space in DNS query names. Each ASCII character in a domain name is stored as 8 bits and is referred to as an octet. A fully qualified domain name (FQDN) is expressed as a sequence of labels. Each label is represented as a one-octet length field followed by that number of octets. The maximum size of any FQDN is 255 octets, including the length octets and the root. Therefore, in terms of ASCII characters, the maximum size of an FQDN is 253 octets, given that two of the 255 octets are accounted for by the leftmost length octet and the root.
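As an added example (not code from the original post), the RFC 1035 length rules above turned into a small Python module: it computes a name's wire-format length, the slack left under a base domain, and a simple defensive check that flags queries that use an unusual share of that slack. The 63-octet per-label limit comes from RFC 1035; the base domain `example.com` and the 50% fill threshold are assumptions.

```python
# Wire-format sizing of DNS query names per RFC 1035, plus a defensive check.
# Constants: 255 octets for the whole name, 63 octets per label (RFC 1035).
MAX_NAME_OCTETS = 255
MAX_LABEL_OCTETS = 63


def _labels(fqdn: str) -> list[str]:
    """Split a presentation-form name into labels, ignoring a trailing dot."""
    name = fqdn.rstrip(".")
    return name.split(".") if name else []


def wire_length(fqdn: str) -> int:
    """Wire-format length in octets: one length octet per label, the label's
    characters, and a single zero octet for the root. Raises ValueError if
    the name breaks the RFC 1035 label or total-length limits."""
    total = 1  # the root (zero-length label)
    for label in _labels(fqdn):
        if not label or len(label) > MAX_LABEL_OCTETS:
            raise ValueError(f"illegal label length: {label!r}")
        total += 1 + len(label)
    if total > MAX_NAME_OCTETS:
        raise ValueError(f"name exceeds {MAX_NAME_OCTETS} octets: {total}")
    return total


def slack_octets(base_domain: str) -> int:
    """Octets that could still be prepended to base_domain as extra labels
    before the 255-octet ceiling is hit (the channel's maximum capacity)."""
    return MAX_NAME_OCTETS - wire_length(base_domain)


def is_suspicious(fqdn: str, base_domain: str, fill_ratio: float = 0.5) -> bool:
    """Flag a query under base_domain whose extra labels consume more than
    fill_ratio of the available slack. Matching is done on label boundaries
    so that 'evilexample.com' is not treated as a child of 'example.com'."""
    q, base = _labels(fqdn), _labels(base_domain)
    if len(q) < len(base) or q[len(q) - len(base):] != base:
        return False
    used = wire_length(fqdn) - wire_length(base_domain)
    return used > fill_ratio * slack_octets(base_domain)


if __name__ == "__main__":
    # Constructed sample queries: one ordinary, one packing three 60-char labels.
    base = "example.com"
    for name in ("www.example.com", ".".join(["a" * 60, "b" * 60, "c" * 60, base])):
        print(name[:40], wire_length(name), is_suspicious(name, base))
```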

One approach to hiding C2 and data exfiltration traffic is to embed malicious communications within "normal looking" network packets. Analysis of known APTs such as Aurora, Zeus, and PoisonIvy has shown that APT creators use many different forms of C2, ranging from IRC channels, HTTP/HTTPS web traffic, and social media channels such as Twitter to DNS.

DNS was originally proposed in 1987 by Paul V. Mockapetris and Jon Postel (RFC 1035) as a solution to the problem of keeping track of the increasing number of machines and IP addresses joining the World Wide Web. DNS is basically the telephone book of the Internet. Every time a user types a URL into their browser, DNS kicks into action to translate the human-readable domain name into a machine-understandable IP address. Without DNS, humans would need to store the IP address of each and every website they wished to visit. Historically this was achieved by maintaining a local hosts file with entries that associated IP addresses with domain names. As the Internet expanded this approach became totally impractical, and a more global solution to domain name lookup was required. The universal reliance on DNS makes it an ideal channel to use for covert communications.

If you read the research on covert channels over DNS you will find that many authors make reference to the fact that DNS is often overlooked in terms of security. This makes intuitive sense: if you block DNS, you essentially block everything. In recent years DNS has made an appearance on more cyber security radars because of malware such as Conficker and hacking techniques that attempt to divert traffic away from its intended destination by poisoning the cache stored on DNS servers (DNS spoofing).

The security focus on DNS has given rise to organisations such as OpenDNS (recently acquired by Cisco) that make it their business to detect DNS anomalies and provide early warning services to customers who use their security products. Most of the efforts made by the security community to secure DNS have focused on the addressing aspects of the service. OpenDNS in particular has made progress in detecting attack strategies that use domain generation algorithms (DGAs) to associate constantly changing IP addresses with domain names used for malware propagation and C2 communications.

Stephen Sheridan