By:
Meshal AL-Matairi 201311172
GRADUATION PROJECT 2
ABSTRACT
DNS tunneling is a method to bypass security controls and exfiltrate data from a
network taps and the DNS servers themselves can generate large volumes of data to
investigate. Using a detection system can help ingest the large volume of log data and
mine the information to determine what malicious actors may be using DNS tunneling
techniques on the target organization's network. This report presents the problem we
analysis system to detect and stop the DNS tunnels. It also presents a review of the
ACKNOWLEDGMENT
This project took a lot of effort in searching and writing. However, it would not
have been easy to complete this project without the help of Dr Issam; we would
like to thank him for the guidelines and feedback he gave us. Finally, we owe our
TABLE OF CONTENTS
ABSTRACT
ACKNOWLEDGMENT
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
LIST OF ABBREVIATION
Chapter 1. INTRODUCTION
1.1 BACKGROUND
1.2 PROBLEM STATEMENT
1.3 PROJECT OBJECTIVES
1.4 PROJECT SCOPE
1.5 SIGNIFICANCE OF THE PROJECT
1.6 LIMITATIONS OF THE PROJECT
1.7 PROJECT ORGANIZATION
Chapter 2. LITERATURE REVIEW
2.1 DNS SERVICE
2.1.1 Significance of the DNS Service
2.1.2 Types of DNS Servers
2.1.2.1 Root and TLD Servers
2.1.2.2 Recursive DNS servers
2.1.2.3 Caching DNS servers
2.1.2.4 Authoritative-Only DNS Servers
2.1.3 Types of DNS Record
2.1.4 DNS Server implementations
2.1.4.1 AnswerX
2.1.4.2 BIND
2.1.4.3 PowerDNS
2.1.4.4 Microsoft DNS
2.1.4.5 Simple DNS Plus
2.1.4.6 YADIFA
2.2 DNS TUNNELING TOOLS
2.2.1 OzymanDNS
BIBLIOGRAPHY 95
LIST OF FIGURES
LIST OF TABLES
LIST OF ABBREVIATION
IP Internet Protocol
Chapter 1. INTRODUCTION
1.1 BACKGROUND
a network service that the underlying network does not support or provide directly. One
important use of a tunneling protocol is to allow a foreign protocol to run over a network
that does not support that particular protocol; for example, running IPv6 over IPv4.
Another important use is to provide services that are impractical or unsafe to offer
using only the underlying network services, but sometimes intruders take advantage
function based on domain names. DNS is not intended for a command channel or
general-purpose tunneling. However, several utilities have been developed to enable
tunneling over DNS. Because it is not intended for general data transfer, DNS often
receives less attention in terms of security monitoring than other protocols such as
web traffic.
This study discusses the different implementations of the DNS service, compares
DNS tunneling tools and analyzes DNS tunneling mitigation techniques, giving a
detailed analysis and design study and proposing a prototype of a system that detects
and stops these tunnels.
1.2 PROBLEM STATEMENT
DNS is one of the major and important services on any network, so security
devices (such as firewalls) allow DNS traffic to pass to any device in the network;
some intruders take advantage of this and build tunnels to pass through the firewalls and all
A large number of DNS tunneling utilities exist with a wide range of capabilities. They
provide a covert channel for malicious activities, which represents a significant threat to
organizations. DNS tunneling poses a significant threat, and there are methods to detect
it. In this phase we want to study and design a traffic analysis system over an IPv4-based
1.3 PROJECT OBJECTIVES
The purpose of this project is to study, design and implement a traffic analysis system
to detect and stop DNS tunnels over an IPv4-based network. To solve any security
problem we should choose suitable and efficient tools, including detecting and
1.4 PROJECT SCOPE
The scope of this project is to explore the vulnerabilities of the Internet's domain
name system that tunneling can turn to the intruder's advantage, and to explain its
dangerous effects. How can the attack be carried out so that it provides the intruder
with secure data? What tools does the intruder use, and what mitigation techniques
can we use to prevent this type of tunneling?
According to [14], for DNS threats, most enterprises are wide open to real attacks via
this little-known vector; many organizations have little or no monitoring for DNS.
Instead, they focus resources on web or email traffic, where attacks often take place
organization.
Because DNS tunneling attacks can be seen in many real-life attacks, there is an
underlying assumption that the work in this project is very important in the field of IT,
and the project will be a valuable addition to this field and to computer science in
general.
In this project, we will not study tunneling attacks other than DNS tunneling, because
a separate project would be needed to study, design and implement the mitigation
techniques for each kind of tunneling attack. In addition, we cannot test our project by
Figure 1 below illustrates the Gantt chart for the first part (Analysis and
Design) of our project and for the second part (Implementation). As
illustrated in the figure, the first part will be completed over one
month (from 4/12/2016 to 2/1/2017) and the second part over three
months (from 16/1/2017 to 18/4/2017); it is divided into twelve main time phases:
The first part of the project is scheduled from 12/4/2016 to 1/2/2017; the available time
is approximately 30 days. The second part of the project is scheduled from
16/1/2017 to 18/4/2017; the available time is approximately 120 days, which will be
DNS, or the Domain Name System, is an integral part of how systems connect with
each other to communicate on the internet. Without DNS, computers, and the people
who use them, would be required to connect using only numerical addresses known as
IP addresses.
numbers for simple tasks, communicating through IP addresses also causes some
servers to different locations would require us to inform every client of the new
location.
DNS servers, the computers that together form the system that allows us to use names
instead of addresses, can serve many different functions, each of which can contribute
Some of the differences between DNS servers are purely functional. Most servers that
are involved with implementing DNS are specialized for certain functions. The type
of DNS server we want to choose will largely depend on our needs and the type of our
problem.
Figure 2 is a tree showing, as an example, the different levels of the domain name
system. The top level, or root level, consists of the main record keepers for the internet. The
root servers keep records related to the level directly below them (.com, .net, etc.). Each
level keeps records for the level directly below it. In addition, these are the most
When a client program wants to access a server by its domain name, it must find out
how to translate the domain name into an actual routable address that it can use to
the server.
Some applications, including most web browsers, maintain an internal cache of recent
queries. This is the first place the application will check, if it has this capability, in
order to find the IP address of the domain in question. If it does not find the answer to
its question here, it then asks the system resolver to find out the address for the
query. The system resolver is the resolving library that your operating system uses to
So generally, a query goes from the client application to the system resolver, where
it is then passed to a DNS server whose address it has. This DNS server is called
a recursive DNS server [1]. A recursive server is a DNS server that is configured to
query other DNS servers until it finds the answer to the question. It will either return
the answer or an error message to the client (the system resolver in this case, which
will, in turn, pass it to the client application). Figure 3 shows how recursive DNS
servers work.
1: The client asks the local DNS server (which is a recursive DNS server) for the
2: The recursive DNS server queries the root DNS servers, asking for the DNS
3: The root DNS server responds with information for the .com DNS servers.
4: The recursive DNS server queries the .com DNS servers, asking for the DNS
5: The .com DNS server responds with information for the university.com DNS
servers.
6: The recursive DNS server queries the university.com DNS servers, asking for
7: The university.com DNS server responds with the requested value for
www.university.com
8: The recursive DNS server responds to the client's original request with the
necessary information
Caching DNS servers generally maintain a cache to save information about old
queries, so before sending any new query the server will check this cache first to see
if it already has the answer. If it does not, it will see if it has the address
of any of the servers that control the upper-level domain components. So if the request
is for www.university.com and it cannot find that host address in its cache, it will see
if it has the address of the name servers for university.com and, if necessary, com. It
will then send a query to the name server of the most specific domain component it can
In the example in Figure 3 above, the root server and the com (second-level) servers
are caching servers; the local DNS server (which is a recursive DNS server) might be
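The eight-step walk of Figure 3 (root, then .com, then university.com) and the cache lookup described just above, modelled as an added Python example. This is not code from the report; the server names, zone data and the 192.0.2.x addresses are constructed, and each "server" is just a dictionary that answers only for its own zone, as an authoritative-only server would.

```python
"""Toy model of recursive resolution with referrals and a cache.
Added illustration; zone data, server names and addresses are constructed."""

# Constructed authoritative data. Each server answers only for its own zone:
# an A record is the final answer, an NS record is a referral to the server
# one level down the tree (root -> com -> university.com).
ZONES = {
    "root-server": {"com.": ("NS", "com-server")},
    "com-server": {"university.com.": ("NS", "university-server")},
    "university-server": {
        "www.university.com.": ("A", "192.0.2.10"),
        "mail.university.com.": ("A", "192.0.2.25"),
    },
}


def _suffixes(qname: str):
    """Yield qname itself, then each enclosing domain down to the root '.'."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        yield ".".join(labels[i:]) + "."


def authoritative_answer(server: str, qname: str):
    """Reply of an authoritative-only server: the record for qname itself,
    else a referral for the closest delegation it knows, else None."""
    zone = ZONES[server]
    for name in _suffixes(qname):
        if name in zone:
            return name, zone[name]
    return None


class RecursiveResolver:
    """Queries other servers on the client's behalf and caches what it learns."""

    def __init__(self):
        # owner name -> (rtype, rdata); seeded only with the root hint
        self.cache = {".": ("NS", "root-server")}

    def resolve(self, qname: str):
        """Return (address, trace); trace lists each server contacted."""
        qname = qname.lower()
        if not qname.endswith("."):
            qname += "."
        if self.cache.get(qname, ("",))[0] == "A":
            return self.cache[qname][1], ["cache hit"]
        # Start at the most specific domain component whose name server is
        # already cached (university.com before com before the root).
        server = next(self.cache[n][1] for n in _suffixes(qname)
                      if self.cache.get(n, ("",))[0] == "NS")
        trace = []
        while True:
            reply = authoritative_answer(server, qname)
            if reply is None:
                raise LookupError(f"{qname} does not exist at {server}")
            owner, (rtype, rdata) = reply
            self.cache[owner] = (rtype, rdata)      # remember answers and referrals
            trace.append(f"{server}: {rtype} {owner} -> {rdata}")
            if rtype == "A":
                return rdata, trace
            server = rdata                          # follow the referral downwards


if __name__ == "__main__":
    resolver = RecursiveResolver()
    for name in ("www.university.com", "www.university.com", "mail.university.com"):
        addr, steps = resolver.resolve(name)
        print(name, "->", addr, "|", "; ".join(steps))
```

The first lookup produces three exchanges (root referral, .com referral, answer), the repeated lookup is served from the cache, and the third name skips straight to the university.com server because its NS record was learned during the first walk.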
An authoritative-only DNS server is a server that only concerns itself with answering
the queries for the zones that it is responsible for. Since it does not help resolve queries
for outside zones, it is generally very fast and can handle many requests efficiently.
server will have all of the information about the domain it is responsible for, or
referral information for zones within the domain that have been delegated out to
only server is one that does not handle recursive requests. This makes it a server
only and never a client in the DNS system. Any request reaching an authoritative-
only server will generally be coming from a resolver that has received a referral to
it, meaning that the authoritative-only server will either have the full answer, or
will be able to pass a new referral to the name server that it has delegated
responsibility to.
It does not cache query results. Since an authoritative-only server never queries
other servers for information to resolve a request, it never has the opportunity to
DNS server.
A DNS server database consists of a collection of resource records, and each of the records
Address Mapping records (A): The A record specifies the IP address (IPv4) for a
given host. A records are used for conversion of domain names to the corresponding
IP addresses.
IP Version 6 Address records (AAAA): The AAAA record (also called a quad-A record)
specifies the IPv6 address for a given host. It works the same way as the A record;
the difference is the type of IP address.
Canonical Name records (CNAME): The CNAME record specifies a domain name that has
to be queried in order to resolve the original DNS query. Therefore CNAME records are
used for creating aliases of domain names. CNAME records are truly useful when we
want to alias our domain to an external domain. In other cases we can remove CNAME
records and replace them with A records and even decrease performance overhead.
Host Information records (HINFO): HINFO records are used to acquire general
information about a host. The record specifies the type of CPU and OS. The HINFO
record data provides the possibility to use operating-system-specific protocols when
two hosts want to communicate. For security reasons HINFO records are not typically
used on public servers.
Mail exchanger records (MX): The MX resource record specifies a mail exchange server
for a DNS domain name. The information is used by the Simple Mail Transfer Protocol
(SMTP) to route emails to the proper hosts. Typically, there is more than one mail
exchange server for a DNS domain, and each of them has a set priority.
Name Server records (NS): The NS record specifies an authoritative name server for a
given host.
Text records (TXT): The text record can hold an arbitrary non-formatted text string.
Typically, the record is used by the Sender Policy Framework (SPF) to prevent forged
emails from appearing to be sent by us.
This section presents a comparison of the features, platform support, and packaging of
implementation.
As we mentioned before, there are multiple types of DNS servers. The two principal
roles are recursive DNS servers and authoritative DNS servers, which may be
server.
There are many DNS server implementations, like AnswerX, BIND, PowerDNS,
2.1.4.1 AnswerX
supporting IPv6. It can be used for DNS firewall functionality, extensive logging, and
as a platform for service creation [1]. AnswerX is sold as software running on commodity
servers. The software is built to process millions of transactions per second on standard
hardware.
2.1.4.2 BIND
BIND is open source software that implements the Domain Name System (DNS)
applications [2]. The name BIND stands for Berkeley Internet Name Domain,
because the software originated in the early 1980s at the University of California at
Berkeley.
2.1.4.3 PowerDNS
PowerDNS is a DNS server, written in C++ and licensed under the GPL. It runs on
ranging from simple BIND-style zone files to relational databases and load
balancing/failover algorithms [3].
2.1.4.4 Microsoft DNS
Microsoft DNS is the name given to the implementation of the domain name system
Recently, Windows Server has provided several enhancements to the DNS Server service,
like DNSSEC, DNS and DHCP integration, and DNS integration with Active Directory
2.1.4.5 Simple DNS Plus
Simple DNS Plus [5] is a DNS server software product that runs on x86 and x64
All options and settings are available directly from a Windows user interface. It
provides wizards for common tasks such as setting up new zones, importing data,
2.1.4.6 YADIFA
language), with DNSSEC capabilities. Developed by the passionate people behind the
.eu top-level domain, YADIFA has been built from scratch to face today's DNS
challenges, with no compromise on security, speed and stability, to offer a better and
YADIFA has a simple configuration syntax and can handle more queries per second
while maintaining one of the lowest memory footprints in the industry. YADIFA has
one of the fastest zone file load times ever recorded on a name server.
There are a lot of DNS tunneling tools which aim to bypass the firewall using the
section we will provide a detailed study of some of the most famous tools, like
2.2.1 OzymanDNS
The OzymanDNS tool [15] is one of the DNS tunneling tools that work on Windows,
MAC and Linux operating systems. It is used to build SSH tunnels over DNS using
the TXT record type, and it is built using the Perl programming language; OzymanDNS
is broken down into 4 Perl scripts. The server script is named nomde.pl, which listens on
a privileged port; the OzymanDNS client is used to encode/decode and send the response back
to the server using SSH. The encoding used is Base32, and Figure 4 is what an
the response comes encoded with Base64), as illustrated in Figure 5 a response might
2.2.2 DNScapy
DNScapy [17] is a DNS tunneling tool that works on Windows, MAC and Linux
operating systems. The code is very light and written in Python. It includes a server
and a client. The server can handle multiple clients. DNScapy creates an SSH tunnel
through DNS packets. SSH connection, SCP and SOCKS proxy (ssh -D) are supported.
We can use CNAME records or TXT records for the tunnel. The default mode is
RAND, which randomly uses both CNAME and TXT. DNScapy uses Scapy [18] for
2.2.3 Heyoka
Heyoka [19] is a proof of concept of an exfiltration tool which uses spoofed DNS
The tunnel is up to 60% faster compared to existing tools [19]; that's because of the
different encoding that is used in the packets. Heyoka is 100% written in C, which
means that it runs natively without the need for interpreters installed on the machine,
2.2.4 Iodine
Iodine [20] is a DNS tunneling tool that works on Windows, MAC and Linux operating
systems. Iodine is a piece of software that lets us tunnel IPv4 data through a DNS
server. Erik Ekman and Bjorn Andersson maintain the Iodine application. Iodine is
similar to a client-server application. There is the server executable iodined and the
Iodine creates tunnel interfaces on the client and server. Any traffic can be sent over
2.2.5 DNS2tcp
Dns2tcp [22] is a network tool designed to relay TCP connections through DNS traffic
that works on Windows and Linux operating systems. Encapsulation is done at the
TCP level, thus no specific driver is needed. The Dns2tcp client does not need to be run
Dns2tcp is composed of two parts: a server-side tool and a client-side tool. The server
remote service listening for TCP connections. The client listens on a predefined TCP
port and relays each incoming connection through DNS to the final service
2.2.6 DNScat2
DNScat2 [21] is a tool that works on Windows, MAC and Linux operating systems. It
with PPP, can be used to set up a virtual private network (VPN). DNScat can be used
The idea of DNScat was started by NSTX, which performs IP tunneling over DNS.
The functions of the above programs are similar, although they differ in many design
DNScat is a small program, written in the spirit of UNIX tools: small, command line,
flexible, highly configurable and thus powerful. On the other hand, DNScat is written
in Java and uses several open-source libraries, thanks to which DNScat has extremely
There is a DNScat2 server program which listens for the requests from the DNScat2
clients. When a new request arrives, a tunnel will be built between the client and the
server; then, using this tunnel, the client sends a DNS request to the victim client with the
wanted command. The DNS request that will be sent using this tunnel has the
following characteristics:
dnscat.025b017e020c936a600a02004031c2c1b5
Elasticsearch is a highly scalable open-source full-text search and analytics engine. It
allows us to store, search, and analyze big volumes of data quickly and in near real
Packetbeat is an open source packet analyzer. It monitors the traffic on the network
and indexes the DNS requests and responses into Elasticsearch, where aggregations can
Watcher is a plugin for Elasticsearch that provides alerting and notifications based on
There are many use cases for alerting on data collected by Packetbeat, such as alerting
when the response times for web requests are above a threshold or when there is a spike
in HTTP errors returned by the web servers. Moreover, alerting about applications in
Using Packetbeat, there are many different techniques that can be employed for
detecting such traffic. DNS tunneling utilities must use a new hostname for each
request, which leads to a much higher number of hostnames present for the malicious
domains in comparison to legitimate domains. Figure 9 below shows the location
of the Packetbeat tool.
Then Watcher is used: with the Elasticsearch Watcher plugin we can create a watch
file that has a set of aggregations to be used as the input to the watch. For example, we
can find the cardinality of the hostnames associated with each second-level domain
(e.g. university.com.).
3.1.2 SNORT
(NIDS) software for Linux and Windows to detect emerging threats. Snort has the
ability to perform real-time traffic analysis and packet logging on Internet Protocol
(IP) networks. Snort performs protocol analysis, content searching and matching.
in use [8].
The program can also be used to detect probes or attacks, including, but not limited to,
overflows, server message block probes, and stealth port scans [9].
According to [10], Snort signatures can be created to alert when a large number of TXT
DNS requests occurs over a short period of time, and also to give alerts on multiple large
DNS requests, or a large number of DNS requests going to a single domain. He also
suggests that organizations should implement split DNS. This is where the client-side
systems are not able to resolve external domains and instead web proxies are used to
resolve external domains for web browsing. This is because it prevents external DNS
3.1.3 Splunk
DNS tunnels will generate thousands upon thousands of requests to a specific domain,
use uncommon record types, send keep-alives, or have very long host names.
A tool such as Splunk can help capture and analyze all the DNS data generated by an
analysis.
Splunk can consume almost any type of data. Splunk has many built-in field extractions
for common data such as Windows event logs and Apache web logs. A field extraction
is simply a way of normalizing data into common fields, making it easier to analyze.
Example field extractions are time, hostname, IP address, destination, etc. If a prebuilt
field extraction does not exist, the Splunk administrator can write their own. Field
extraction is important because it provides context for an event. One of the most
important field extractions is time. The organization needs to find when an event
occurred. Another important field extraction is the IP address. With Splunk, the
administrator can query the index for IP address X during timeframe Y. Field
extractions also make it easier for the analyst to perform statistical analysis on the data.
Splunk offers a free Enterprise version with a 500-megabyte data limit every 24 hours.
Some limits of the free license version are no login credentials and no real-time alerts.
There are no restrictions on collecting different types of data. Splunk Enterprise has
period. The license size can be as small as one gigabyte and as large as multiple
terabytes.
Splunk by itself is an extremely powerful platform, and by using Splunk apps, Splunk
can be even more powerful. In Splunk, the name app is short for application. A Splunk
app is a prebuilt package for specific functions or a defined data set. For example, a
firewall vendor develops a Splunk app for their firewall platform. The app may
contain prebuilt field extractions, dashboards, reports, lookup tables, and alerts [12].
The Splunk analyst saves time by not having to create the vendor-specific elements
themselves. Apps also allow analysts who are not Splunk experts to start extracting
Sometimes there is not a way to retrieve data from an endpoint and send it to Splunk. It
could be due to a technical, political, or security issue. Splunk has developed an app
called Splunk Stream. The app collects data directly off the network wire and decodes
it. In the case of analyzing DNS packets, Splunk Stream can use a mirror port and
collect all DNS transactions off the network wire. The analyst can then query the data
looking for specific events and then alert or report on them. Stream installs on a Splunk
server and universal forwarder. The universal forwarder is installed as a data collection
agent on servers and does more than just run the Stream app. The universal forwarder
uses the Stream technology add-on app, which collects and forwards the data to the
Splunk server. Think of the universal forwarder agents as sensors around the
network. The Stream app for the Splunk server contains a collector and dashboards
3.2 METHODOLOGY
manage.
There are many different SDLC models and methodologies, such as the Waterfall model,
In the Waterfall model, the whole process of software development is divided into
separate phases. In the Waterfall model, typically, the outcome of one phase acts as
the input for the next phase sequentially; the Waterfall model is a good choice to
As shown in Figure 10, the Waterfall model consists of the following phases:
Design: describes how the proposed system is to be built. The design is specific
to the technical requirements the system will be required to operate in and the
Testing: during this phase all aspects of the system are tested for functionality
and performance.
In our system, we only have one type of user, the administrator of the system,
who can view and maintain the warnings about DNS tunnels.
2. The Admin of the System shall be able to show the source of the detected DNS
tunnels.
3. The Admin of the System shall be able to stop the DNS tunnels.
4. The Admin of the System shall be able to choose any Network card of the
machine.
5. The Admin of the System shall be able to view statistics about DNS normal
6. The Admin of the System shall be able to save the DNS traffic at any time.
2. The System shall be fault tolerant (recover from system crashes and
initializations).
attacks.
4. The System shall be able to impose a minimal overhead on the system where
it is running.
5. The System shall be able to detect and prevent a large number of DNS tunnels
There are multiple detection techniques to find DNS tunnels. The two main detection
techniques are payload analysis and traffic analysis. Payload analysis comprises
various techniques such as the size of a DNS request and response, the entropy of the
Fully Qualified Domain Name (FQDN), statistical analysis, infrequent record types,
include geographic locations of DNS servers. In this section we provide a more
One of the easiest ways to detect DNS tunneling is to determine which systems are valid
DNS servers and block any other DNS service. The organization's security policy
should dictate what DNS servers are accessible to the hosts on the local network.
Forcing all clients to use a restricted set of DNS servers helps narrow where DNS
A company offering services on the Internet wants to make it easy for consumers to
access their services. It makes sense that companies will use a DNS name that is easy
to remember and as short as possible. Analyzing the length of the FQDN can help
determine which domains are malicious. There could be millions if not billions of DNS
calculating the standard deviation [13]. The standard deviation formula can show what
The most common record types for DNS are A, PTR, MX, CNAME, TXT, NS, and
SOA records. Infrequent record types are AAAA, AXFR, and DNSKEY. The Sender
Policy Framework (SPF) relies on TXT record types to reduce email spam. TXT record
requests should only be coming from network hosts that require this type of lookup. If
TXT records are increasing and not coming from a valid source such as a mail gateway,
this is a red flag. The analyst should investigate the event further.
Entropy describes the randomness of a string. In the case of DNS names, domain
asasdlfkjasdflwerjka.t1.security.local.
More randomness in the string creates a higher entropy. The less randomness,
There are different formulas for entropy. The most common entropy formula for this
use case comes from computer science and was developed by Claude Shannon [24].
Similar to finding rare record types such as NULL and SRV, just performing a simple
count of top domains can detect a tunnel. Parsing out the hostname and subdomains
from the FQDN allows the analyst to perform additional metrics. The newly parsed
fields could be the hostname, the subdomain name, the domain name, or the top-level
domain. Since a tunnel will create a tremendous amount of DNS requests when
transferring a file, one can assume a simple count may result in outliers.
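As an added example (not the report's code), the payload and traffic metrics described in this section, computed in Python over constructed log lines: FQDN length with its mean and standard deviation per domain, Shannon entropy of the hostname part (H = -sum of p_i * log2(p_i) over the character frequencies), the share of rare record types, and the per-domain count of distinct hostnames that the Watcher cardinality aggregation in section 3.1.1 also relies on. The dnscat-style hex label from section 2.2.6 and the random name asasdlfkjasdflwerjka.t1.security.local from this section are reused as inputs; the other names, the log format, the "last two labels" registered-domain heuristic, the RARE_TYPES set and the thresholds are assumptions for the illustration.

```python
"""Per-domain DNS tunnel indicators over constructed log lines.
Added example; the log lines, the domain heuristic and the thresholds are
assumptions, not the project's own data or code."""
import math
import statistics
from collections import defaultdict

# Constructed sample log: "<timestamp> <client-ip> <qtype> <qname>".
# The dnscat hex label and the asasdlfkjasdflwerjka name are the report's own
# examples; every other name here is invented for the illustration.
SAMPLE_LOG = """\
1490000001 10.0.0.5 A www.university.com
1490000002 10.0.0.5 MX mail.university.com
1490000003 10.0.0.7 A www.example.org
1490000004 10.0.0.7 AAAA www.example.org
1490000005 10.0.0.9 TXT dnscat.025b017e020c936a600a02004031c2c1b5.tunnel.example
1490000006 10.0.0.9 TXT dnscat.1a2b3c4d5e6f708192a3b4c5d6e7f80911.tunnel.example
1490000007 10.0.0.9 TXT dnscat.fedcba9876543210ffeeddccbbaa99887766.tunnel.example
1490000008 10.0.0.9 TXT dnscat.0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e.tunnel.example
1490000009 10.0.0.5 A asasdlfkjasdflwerjka.t1.security.local
"""

# Record types the text calls infrequent or rare (assumed set for this example).
RARE_TYPES = {"TXT", "NULL", "SRV", "AXFR", "DNSKEY"}


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character: -sum(p * log2 p)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(fqdn: str) -> str:
    """Assumption: the registered domain is the last two labels. A real
    deployment should use the public suffix list instead."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Split each line into fields and separate the hostname part (everything
    left of the registered domain), which is what tunnels fill with data."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qtype, qname = line.split()
        qname = qname.rstrip(".").lower()
        domain = registered_domain(qname)
        host = qname[: -len(domain)].rstrip(".")
        records.append({"ts": int(ts), "src": src, "qtype": qtype,
                        "qname": qname, "domain": domain, "host": host})
    return records


def domain_statistics(records):
    """Per registered domain: query count, distinct hostnames (cardinality),
    mean hostname entropy, mean/stdev FQDN length, rare-type query count."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r["domain"]].append(r)
    stats = {}
    for domain, recs in by_domain.items():
        lengths = [len(r["qname"]) for r in recs]
        entropies = [shannon_entropy(r["host"].replace(".", "")) for r in recs]
        stats[domain] = {
            "queries": len(recs),
            "unique_hosts": len({r["qname"] for r in recs}),
            "mean_entropy": sum(entropies) / len(entropies),
            "mean_length": statistics.mean(lengths),
            "stdev_length": statistics.pstdev(lengths),
            "rare_type_queries": sum(r["qtype"] in RARE_TYPES for r in recs),
        }
    return stats


def flag_domains(stats, *, min_unique_hosts=4, entropy_threshold=3.0, max_length=52):
    """Return {domain: [reasons]} for domains crossing any threshold.
    The thresholds are illustrative; tune them against a baseline of the
    network's own legitimate traffic before alerting on them."""
    flagged = {}
    for domain, s in stats.items():
        reasons = []
        if s["unique_hosts"] >= min_unique_hosts:
            reasons.append("many distinct hostnames")
        if s["mean_entropy"] > entropy_threshold:
            reasons.append("high hostname entropy")
        if s["mean_length"] > max_length:
            reasons.append("long FQDNs")
        if s["rare_type_queries"] and s["rare_type_queries"] == s["queries"]:
            reasons.append("only rare record types")
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    stats = domain_statistics(parse_log(SAMPLE_LOG))
    for domain, reasons in flag_domains(stats).items():
        print(f"{domain}: {', '.join(reasons)}")
```

On the sample, tunnel.example trips all four indicators, security.local is flagged on entropy alone (the report's random name scores above 3 bits per character), and the two ordinary domains stay clear. Each indicator on its own is weak; the value of an analyst's dashboard lies in seeing several of them agree for one domain.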
Another way to detect unwanted DNS requests is to see where in the world the requests
are being forwarded. The analyst should investigate DNS requests resolving to DNS servers
outside the organization's geographic area. If the organization does not conduct
business in country X, does it make sense for DNS requests to be going there?
In this section we provide the following table, which compares these implementations
according to authoritative type support, recursive type support, caching, IPv6
support, interface used, whether it is free or not, and supported operating systems.
[Table: comparison of the DNS server implementations on those criteria. Only cell
fragments survived extraction ("Line, API", "Web", "GUI", "MAC"); the rows are not
recoverable.]
In our project, we want to run a DNS implementation on several DNS servers, which
we need to support authoritative, caching and recursive types, and we want to run
it on a Linux machine. BIND is by far the most widely used DNS software on the
Internet, providing a robust and stable platform on top of which organizations can build
distributed computing systems with the knowledge that those systems are fully
BIND is transparent open source, which has evolved to be a very flexible, full-featured
DNS system. Whatever the application is, BIND most likely has the features required,
In the most common application, a web browser uses a local stub resolver library on
the same computer to look up names in the DNS. That stub resolver is part of the
operating system. (Many operating system distributions use the BIND resolver
library.) The stub resolver usually forwards queries to a caching resolver, a server
or group of servers on the network dedicated to DNS services. Those resolvers will
send queries to one or multiple authoritative servers in order to find the IP address for
about the domain names it is authoritative for. We can provide DNS services on the
domain names.
The research in [23] tested all network configurations in terms of all metrics. Each test
was repeated several times. Due to the lack of space, it provides a summary with a
global evaluation of the performance of each tool, without detailing the test results.
The previous tests allow recognizing a unique set of characteristics for each tool in
terms of performance:
Iodine. Iodine is the only tool showing a linear behavior in all metrics and all
Figure 11 [23] shows the average throughput in the direct configuration, thus evaluating
Iodine and Dnscat2. Both tunnel applications can bypass upstream DNS servers for
outbound traffic. By not having to send requests through the DNS infrastructure, data
transfer rates are even faster. Because of its popularity and the ease of installing and
maintaining it, we chose DNScat2 as the DNS tunneling tool to use in our project.
After the Analysis study of DNS tunnels mitigation techniques, we decided to use the
In many cases domain names are logical and make sense, while the encoded hostnames
generated by DNS tunneling tools are random, so their entropy value will be
higher than the entropy value of a normal domain name. The normal entropy of
the hostname should be between 2.0 and 4.0 [25]. We can use the Shannon entropy
algorithm to calculate this value, which we will see in the implementation phase. The
following table shows some examples of hostnames and their entropy values:
Hostname                              Entropy
www.google.com                        2.84237
www.svuonline.org                     3.45482
www.yahoo.com                         2.81507
www.microsoft.com/en-us/windows       3.78114
www.apple.com/mac-mini/macos/         3.65041
www.ghftyha76fdhkp76t319jajk.com      4.20281
Dnscat.54fghy67ujhg67865fh87          4.01219
www.google.com is 2.84237, while the entropy value of the domain name that is
Figure 13 below shows the system that detects this type of attack and prevents it.
[Figure 13: system overview; visible labels: Our System, DNS Server, 6) send a
warning to Firewall]
This use case diagram describes the DNS Tunneling Detection and Prevention system;
these are the primary functions of the system for the Administrator, the person
captured from the network adapter; then we only take the DNS packets, analyze the
packets using the mitigation techniques, detect the suspected tunnels and show them
1. Listening: Capturing all the packets that transfer from and to a specific network
2. Analyzing: The program must be capable of analyzing and showing the captured
packets using the main GUI and of detecting the source IP of the tunnel.
The analysis of the packets should use the following DNS packet fields:
a. Source IP
b. Source Port
c. Destination IP
d. Destination Port
e. Length
h. Answer IP
j. Query TTL
k. Answer TTL
3. Tunnel Prevention: communicate with the firewall to stop the tunnel using the
The system GUI has to be clear and easy to use, and has the following specifications:
The user shall be able to select any network adapter of the machine.
The program should show the captured DNS packets with their information.
The user shall be able to permit or prevent the packets of a certain IP.
As we mentioned before, the major phases of the DNS Detector system are:
The capturing part is the most important part of the system. After the selection of the
network card the capture will be started between the host and the network connected
to it. We need to filter those packets and only capture the transmitted and received
DNS packets, which are the UDP packets with the port 53.
The system should show these packets to the user and should also start of captured
The next phase is to analyze the packets captured in the previous phase in order to
detect any DNS tunnel; as we mentioned in the analysis phase, we will depend on 3
ways to detect a DNS tunnel, which are entropy of hostname calculation, analyzing
each of the captured packets and define a threshold for this value. We chose the value
4.0 as the highest value of the host entropy, and we will alert the user when the
entropy of the hostname is bigger than 4; we decided to use Shannon entropy
The analysis phase showed that DNS tunnel tools like DNSCat use the TTL value
64, so we will monitor the TTL field and alert the user about the number of DNS
The analysis phase showed that DNS tunnel tools like DNSCat use the DNS
types TXT, CNAME and MX, and especially the TXT type, which isn't normally
used, so we will monitor the TXT type and alert the user about the number of DNS
The System should apply each of the three rules to detect every tunnel and show the
After detecting a DNS tunnel, we show the source IP of the tunnel and provide the user
with the ability to forbid or permit this tunnel, by communicating with the Windows
Firewall.
With the increasing advances in the technology world, especially in IT and
One of the best examples is the C# programming language and its .NET Framework
5.3.1 C#
C# syntax is highly expressive, yet it is also simple and easy to learn. The curly-brace
Developers who know any of these languages are typically able to begin to work
inheritance, and polymorphism. All variables and methods, including the Main
method, the application's entry point, are encapsulated within class definitions. A class
may inherit directly from one parent class, but it may implement any number of
interfaces.
The C# build process is simple compared to C and C++ and more flexible than in Java.
There are no separate header files, and no requirement that methods and types be
declared in a particular order. A C# source file may define any number of classes,
computer science approaches such as networking, security, image processing and more,
using already built, reliable classes and functions located in available libraries
includes a virtual execution system called the common language runtime (CLR) and a
unified set of class libraries. The CLR is the commercial implementation by Microsoft
of the common language infrastructure (CLI), an international standard that is the basis
for creating execution and development environments in which languages and libraries
Source code written in C# is compiled into an intermediate language (IL) that conforms
to the CLI specification. The IL code and resources, such as bitmaps and strings, are
.exe or .dll. An assembly contains a manifest that provides information about the
When the C# program is executed, the assembly is loaded into the CLR, which might
take various actions based on the information in the manifest. Then, if the security
requirements are met, the CLR performs just in time (JIT) compilation to convert the
IL code to native machine instructions. The CLR also provides other services related
to "unmanaged code" which is compiled into native machine language that targets a
specific system. The following diagram illustrates the compile-time and run-time
relationships of C# source code files, the .NET Framework class libraries, assemblies,
(CTS), IL code generated from C# can interact with code that was generated from the
.NET versions of Visual Basic, Visual C++, or any of more than 20 other CTS-
different .NET languages, and the types can reference each other just as if they were
In addition to the run time services, the .NET Framework also includes an extensive
library of over 4000 classes organized into namespaces that provide a wide variety of
useful functionality for everything from file input and output to string manipulation to
XML parsing, to Windows Forms controls. The typical C# application uses the .NET
web sites, web applications and web services. Visual Studio uses Microsoft software
PcapDotNet Library is a .NET wrapper for WinPcap written in C++/CLI and C#,
which features almost all WinPcap features and includes a packet interpretation
framework.
Packet capturing (or packet sniffing) is the process of collecting all packets of data that
pass through a given network interface. Capturing network packets in our applications
is a powerful capability which lets us write network monitors, packet analyzers and
security tools. The libpcap library for UNIX based systems and WinPcap for Windows
are the most widely used packet capture drivers that provide an API for low-level network
monitoring. Among the applications that use libpcap/WinPcap as their packet capture
the fields name and description contain the name and a human readable description of
the device.
The following code retrieves the adapter list and shows it on the screen, printing an
using System;
using System.Collections.Generic;
using PcapDotNet.Core;

namespace ObtainingTheDeviceList
{
    class Program
    {
        static void Main(string[] args)
        {
            // Retrieve the device list from the local machine
            IList<LivePacketDevice> allDevices = LivePacketDevice.AllLocalMachine;

            if (allDevices.Count == 0)
            {
                Console.WriteLine("No interfaces found! Make sure WinPcap is installed.");
                return;
            }

            // Print each adapter's name and, when the OS provides one, its description
            for (int i = 0; i != allDevices.Count; ++i)
            {
                LivePacketDevice device = allDevices[i];
                Console.Write((i + 1) + ". " + device.Name);
                if (device.Description != null)
                    Console.WriteLine(" (" + device.Description + ")");
                else
                    Console.WriteLine(" (No description available)");
            }
        }
    }
}
Second, not all the OSes supported by libpcap provide a description of the network
interfaces; therefore we must consider the case in which the description is null: we print
First of all, for our program to work on any computer, we should install WinPcap
After the installation process we should add the PcapDotNet dll files to the references
of our project; first we right-click on References and get the
following list
PcapDotNet.Analysis.dll
PcapDotNet.Base.dll
PcapDotNet.Core.dll
PcapDotNet.Packets.dll
The function that opens a capture device is Open(). The parameters are
OSes (like xBSD and Win32), the packet driver can be configured to
capture only the initial part of any packet: this decreases the amount of data
capture. In this case we use the value 65536 which is higher than the
greatest MTU that we could encounter. In this manner we ensure that the
attributes: the most important flag is the one that indicates if the adapter
captures packets from the network that are destined to it; the packets
exchanged by other hosts are therefore ignored. Instead, when the adapter
project.
available from the network. readTimeout also defines the interval between
arrive. A -1 timeout on the other side causes a read on the adapter to always
return immediately.
Using PcapDotNet, we will capture the UDP packets with the port 53 (DNS packets)
When packets from the same source (source IP address) match one of the previous
conditions and exceed 20 packets, the user will be alerted.
We define three types of datagrams: IP, UDP and DNS to analyze the packets
a. Source IP
b. Source Port
c. Destination IP
d. Destination Port
e. Length
h. Answer IP
j. Query TTL
k. Answer TTL
We define the function that calculates the entropy of the hostname using
1) Network Adapter
The program reads the network adapters of the host and adds them to the Adapters_List
2) Start Listening
The user can click on the "Start" button, then the program will start the listening phase,
An error message will appear if the user didn't choose any network adapter.
Source Port
Destination Port.
Query Type.
Answer Type.
Query TTL.
Answer TTL.
Hostname Entropy.
5) Clear Table
6) Save Capture
The user can click on the "Save Capture" button, then the program will call the
SaveCapture() function, which saves the packets in a CSV (comma separated values) file.
This table shows the suspected tunnel IP to the user with the exceeded thresholds.
Figure 32 Block IP
Figure 33 Unblock IP
9) Block/Unblock Button
The user can click on the "Block" button, then the program will create a firewall rule:
Outbound rule.
Protocol: UDP.
Port: 53.
Action: Block
which blocks the DNS traffic (port 53) from the specified IP.
Block command (the program substitutes the selected IP for {0}):
netsh advfirewall firewall add rule name="TunnelBlock-{0}" dir=out interface=any protocol=udp remoteport=53 action=block remoteip={0}
Unblock command:
netsh advfirewall firewall delete rule name="TunnelBlock-{0}"
An error message will appear if the user didn't choose any IP from the table.
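As an added example that is not the report's C# code, the same block and unblock commands built in Python, with the selected IP validated before it is placed in the rule name and the remoteip argument and the command passed as an argument list rather than a formatted shell string. The netsh advfirewall syntax and the TunnelBlock- prefix are the page's; the function names and the subprocess invocation are assumptions.

```python
import ipaddress
import subprocess

RULE_PREFIX = "TunnelBlock-"   # rule name prefix used by the report's Block button


def firewall_command(ip: str, block: bool) -> list:
    """Return the netsh argument vector that blocks (block=True) or unblocks
    outbound UDP/53 traffic to one remote IP, after validating that IP."""
    # Accept only a single IPv4/IPv6 address: a value taken from the GUI table
    # must not be able to carry extra arguments into the command.
    addr = ipaddress.ip_address(ip.strip())       # raises ValueError if invalid
    name = RULE_PREFIX + str(addr)
    if block:
        return ["netsh", "advfirewall", "firewall", "add", "rule",
                "name=" + name, "dir=out", "interface=any", "protocol=udp",
                "remoteport=53", "action=block", "remoteip=" + str(addr)]
    # The delete uses the same deterministic name, so unblock matches exactly
    # the rule that block created.
    return ["netsh", "advfirewall", "firewall", "delete", "rule", "name=" + name]


def apply_rule(ip: str, block: bool) -> int:
    """Run the command (Windows only, needs administrator rights) without a
    shell and return netsh's exit code (0 on success)."""
    return subprocess.run(firewall_command(ip, block), check=False).returncode
```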
The File menu provides the user with three different options:
New: Closes the current window and opens a new window; a message to save
Chapter 6. TESTING
Virtual machine VM1, hosted on PC1, with the Windows 7 operating system.
Virtual machine VM2, hosted on PC1, with the Linux Ubuntu operating system.
"DNS Shield" is used to capture the traffic and detect the tunnel.
6.2 Tests
In this test we want to evaluate the ability of our program to detect a DNS tunnel. We
have PC1, which is located between VM1, which has the DNSCat2 client, and the
DNScat2 server.
1. Environment Setup
(from https://zeltser.com/c2-dns-tunneling/).
apt-get update
cd dnscat2/server
bundle install
update_rubygems
3. To create the DNS tunnel, we execute the following command with root
privileges:
ruby ./dnscat2.rb
4. After that the server will start listening on the DNS port (53) and wait
5. After any client opens a new connection with the server, the latter will open
and a random text will appear on the server side and the client side.
6. In case of an error message showing that the port is taken when we are
This means that we have an old process listening on port 53 and we
should find its process ID (PID) and end this process; to find the process
netstat -lnp
kill -9 12362
The type of the host is "NAT", and the IP address is assigned automatically by the
DHCP server; "NAT" means that the IP of the host will be translated to the IP of the
As shown in the figure below, the VM1 host gets the IP address 192.168.50.10 with the
Figure 43 VM1 IP
Now we can ping any outside IP; as an example we ping the well-known IP of the DNS
cd desktop
The connection is now established and we notice that the same random text is
generated on the client machine, which uses port 53 and the IP 192.168.1.104 using
After the two previous steps, the DNS tunnel will be established; in this step
We run our program "DNS Shield" and start listening on the Wireless Network Adapter
The network of the host is NATted, so the sent and received packets will have the IP
192.168.1.103. The figure above shows that we have some packets transmitted
between PC1 and PC2 (192.168.1.104) with random domain names in the queries and
in the responses, we have a lot of TXT DNS type messages, and we also have the
The program can distinguish between the client and the server because the server sends
When the IP address of the tunnel appears, the user can block this IP
The block process will add a new Firewall Rule to stop all the packets from the server
[Figure: Firewall properties of the Block rule; visible labels: The IP Address of the
Server, UDP 53]
When we block the IP, the client will retry to connect to the server but the server won't
In this way our program manages to detect and prevent the DNS tunnel.
The user can unblock the IP after blocking it by clicking on the "Unblock" button, which
The purpose of this test is to simulate a real network, which will have PCs that generate
normal DNS requests (without any tunnel) and the PC which will generate the tunnel.
The virtual machine for normal DNS requests is installed with the Ubuntu operating
To implement this mission we wrote the DNSTester program, which reads the
domain names from a text file (domains.txt) and executes "nslookup" for each
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Threading;
using System.Windows.Forms;

namespace DNSTester
{
    class Program
    {
        // Delay between two consecutive lookups, in seconds
        public static int interval = 1;

        [STAThread]
        static void Main(string[] args)
        {
        Begin:
            Console.WriteLine("Enter interval in seconds");
            try { interval = Convert.ToInt32(Console.ReadLine()); }
            catch { goto Begin; }   // not a number: ask again

            Console.WriteLine("Would you like to repeat when all hosts were checked? (y/n)");
            bool repeat = Console.ReadLine().ToLower() == "y";

            // Let the user pick the text file with one domain name per line
            OpenFileDialog fd = new OpenFileDialog();
            if (fd.ShowDialog() == DialogResult.OK)
            {
            Loop:
                foreach (var line in File.ReadAllLines(fd.FileName))
                {
                    // Resolve the name; this sends one normal DNS query per line
                    try
                    {
                        Console.WriteLine(line + " => " + Dns.GetHostAddresses(line)[0].ToString());
                    }
                    catch (SocketException)
                    {
                        // An unresolvable name must not stop the generator
                        Console.WriteLine(line + " => (no address)");
                    }
                    Thread.Sleep(interval * 1000);
                }
                if (repeat)
                    goto Loop;
            }
        }
    }
}
3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
/etc/apt/sources.list.d/mono-xamarin.list
We will use the command "mono DNSTester.exe", which gives the user the choice
of the time interval between two different queries and the choice of repetition, and
asks the user for the text file that has the domain names.
By using our program DNS Shield on PC1 to capture the traffic of the program
After we run the DNSTester program, we run the tunnel as in the previous test
The program starts listening on the Wireless Network Adapter; we notice the DNS
After we block the source of the tunnel (192.168.1.104), it stops the packets from
that source while we still have the packets from the normal source.
So our program could find and stop the abnormal tunnel while it allows the normal
In ISPs, telecommunication companies, banks and any big company there are
a lot of users, so we need to use a firewall to separate the users of the company from
As an example we have the iptables firewall in Linux based operating systems and the
Microsoft Internet Security & Acceleration Server in Windows based operating
systems.
As an example we have ISA Server, which is located between the users and the Internet
and which controls access to the Internet from inside the network and
access to the inside of the network from the Internet by defining suitable rules and
ISA Server can host a program like our program "DNS Shield", which can run as we
7.1 SUGGESTION
The suggestions for this project are to make an update, to add something new, or to
avoid unwanted malicious attacks and prevent hackers from destroying or stealing
information; to take feedback from the project administrator; and to see what other
tunneling attacks work and improve our application to detect and prevent them as well.
7.2 CONCLUSION
In this report, we introduced the project backgrounds, project goals and project
organization, a literature review of the DNS service and DNS tunneling tools, project
analysis and project design which will be properly used to implement the project in the
Implementation phase.
BIBLIOGRAPHY
[1] Akamai Technologies, Inc. (2015, July), Carrier-Grade Advanced Recursive DNS, https://www.akamai.com/us/en/multimedia/documents/white-paper/akamai-carrier-grade-advanced-recursive-dns-white-paper.pdf
https://doc.powerdns.com/md/
[4] Microsoft.COM (2014, July 3), Domain Name System (DNS) Overview [Online]. Available: https://technet.microsoft.com/en-us/network/bb629410.aspx
[5] Simple DNS PLUS (2013), Simple DNS PLUS help overview [Online]. Available: http://www.simpledns.com/help/v52/
[6] YADIFA official website (2016), YADIFA Reference manual version 2.2.1
[7] Elasticsearch Inc. (2016), Elasticsearch Reference [5.0] Getting started [Online]. Available: https://www.elastic.co/guide/en/elasticsearch/reference/current/getting-started.html
[8] SNORT Users Manual 2.9.8.2 (March 18, 2016), the Snort Project [Online]. Available: https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/100/original/snort_manual.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1481074039&Signature=UCgwFPIssHYFGirFDyWi4EzMyCM%3D
[9] Mohan Krishnamurthy; et al. (2008). "4. Introducing Intrusion Detection and Snort". How to Cheat at Securing Linux. Burlington, MA: Syngress Publishing Inc. Retrieved 2010-06-24.
[10] Miller, T. (2005). Reverse DNS Tunneling Staged Loading Shellcode. [Online]. Available: www.blackhat.com/presentations/bh-usa-08/Miller/BH_US_08_Ty_Miller_Reverse_DNS_Tunneling_Shellcode.pd
https://www.splunk.com/web_assets/pdfs/secure/Splunk_and_MapReduce.pdf
[12] Splunk. (n.d.). Build Splunk apps. Retrieved May 14, 2016, from dev.splunk.com: http://dev.splunk.com/view/get-started/SP-CAAAESC
[13] Brant, S., & Kovar, R. (2015). Detecting DNS Spoofing, DNS Tunneling, DNS
https://github.com/rkovar/dns_detection/blob/master/known_unknown_DNS.pdf
[14] Rasmussen, R. (2012, April 03). Do you know what your DNS resolver is doing
whatyour-dns-resolver-doing-right-now
[15] Dan Kaminsky (2004, July 29). OzymanDNS Tool release [Online]. Available: https://dankaminsky.com/?s=ozymanDNS
[16] IVC Wiki (2009, September 16). Socks via SSH over DNS [Online]. Available: http://beta.ivc.no/wiki/index.php/DNS_Tunneling
http://www.itec-sde.net/en/applications/dnscapy
[18] Security Power Tools (2007, August). Scapy Tool overview [Online]. Available: http://www.secdev.org/projects/scapy/
http://heyoka.sourceforge.net/#documentation
[20] Ekman, E., & Andersson, B. (2014, June). Manpage of Iodine [Online]. Available: http://code.kryo.se/iodine/iodine_manpage.html#index
[21] Ron Bowes (2004), DNScat Utility official documentation [Online]. Available: http://tadek.pietraszek.org/projects/DNScat/
http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en
[24] Kovar, R. (2015, October 1). Blogs: Security Random Words on Entropy and DNS.
and-dns/
[25] SANS ISC InfoSec Forums, Detecting Random - Finding Algorithmically chosen
Available: https://isc.sans.edu/forums/diary/Detecting+Random+Finding+Algorithmically+chosen+DNS+names+DGA/19893/