DNS Tunneling
How does DNS tunneling work? It’s a step-by-step process that relies on the openness of DNS to carry other traffic without detection. Here’s how it works, step by step:

1. The attacker registers a domain. The domain, like badsite.com, is controlled by the attacker and points to a server they own.
2. The attacker infects a computer. They use malware to gain control of a computer inside a target network. The computer becomes the client for the DNS tunnel.
3. The client sends a DNS query. The infected computer encodes data in DNS queries. For example, it puts a secret value in the subdomain of a DNS request.
4. The query reaches the DNS resolver. The DNS resolver forwards the request to the appropriate servers to resolve the domain name.
5. The attacker’s server decodes the request. The attacker’s server receives the DNS request. It decodes the embedded data and can send back commands or other data in DNS responses.
6. The server encodes a response. The attacker’s server encodes its own data as a DNS response. This could be an instruction for the infected computer to carry out.
7. The client receives and decodes the response. The infected computer receives the DNS response from the resolver. It decodes the data and takes action as instructed.
8. The process repeats as needed. If the data is too large for a single DNS message, the client and server split it into smaller parts. Each part is sent in its own DNS query or response.

Attackers often use tools like iodine, dnscat2, and Cobalt Strike to perform DNS tunneling; these tools handle the encoding and decoding of data within DNS packets. ...
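As an added example (not code from the original page), a small detector that reads constructed resolver log lines and flags registered domains that receive many distinct, long, high-entropy subdomain labels, the pattern left behind when data is carried in the subdomain of queries as described above. The log format, the thresholds, and the two-label registered-domain rule are assumptions of mine.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<client> <qname> <qtype>".
# badsite.com is the page's example attacker domain; the labels are made up.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 3q7x9k2mzp1l8v4n.badsite.com TXT
10.0.0.7 a1b2c3d4e5f6g7h8i9j0.badsite.com TXT
10.0.0.7 zz9y8x7w6v5u4t3s2r1q.badsite.com TXT
10.0.0.7 p0o9i8u7y6t5r4e3w2q1.badsite.com TXT
10.0.0.9 cdn.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score close to log2(alphabet)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def registered_domain(qname: str) -> str:
    """Assumption: the registered domain is the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text, min_unique=4, min_entropy=3.5, min_label_len=16):
    """Group queries by registered domain and flag domains whose subdomains are
    numerous, long and random-looking: the shape of data encoded into queries."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        qname, qtype = parts[1], parts[2]
        domain = registered_domain(qname)
        sub = qname[: -len(domain)].rstrip(".") if qname.endswith(domain) else ""
        per_domain[domain].append((sub, qtype))
    flagged = {}
    for domain, entries in per_domain.items():
        subs = {s for s, _ in entries if s}
        long_subs = [s for s in subs if len(s.replace(".", "")) >= min_label_len]
        if len(long_subs) < min_unique:
            continue
        mean_ent = sum(shannon_entropy(s) for s in long_subs) / len(long_subs)
        if mean_ent >= min_entropy:
            flagged[domain] = {"queries": len(entries), "unique_subdomains": len(subs),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged
```

Tune the thresholds against your own baseline; CDNs and some anti-spam services also emit long labels, so treat a hit as a lead for per-client query-volume and record-type review, not a verdict.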