In the past few years, I did some in-depth research and analysis on many popular DNS tunneling tools, including DNS2TCP, TCP-over-DNS, OzymanDNS, Iodine, SplitBrain, DNScat-P/DNScat2, DNScapy, TUNS, PSUDP, YourFreedom, etc. Although most DNS tunneling tools are implemented in different languages and/or may have different features and settings, they share the same concept and achieve the same goal: bypassing traditional IPS or firewall inspection and network security policy to reach the Internet. They can exfiltrate data by relaying TCP connections over DNS, which is hard to detect and block. In this blog, I will show my work on one of the DNS tunneling tools, DNS2TCP, to explain how DNS tunneling works and analyze its network traffic patterns and behaviors.

1 DNS2TCP Test-bed Setup

1.1 How DNS2TCP works

DNS2TCP is one of the data exfiltration tools that support SSH, SMTP, POP and other TCP connections over the DNS protocol. Like most tunneling technologies, DNS2TCP requires a public domain that can be used for the DNS tunneling. Once a public domain is configured and the DNS2TCP software is installed, we can start the DNS2TCP tool to run SSH, POP, SMTP or any other application. Figure 1 shows the detailed steps of how DNS2TCP works.

Start the DNS2TCP client from the laptop (in our setup, the IP address is 192.168.212.71), which has a default DNS server configuration (in our setup, the IP address is 192.168.212.11). When a user configures DNS2TCP and starts an SSH session, the DNS2TCP client software encapsulates the SSH payloads into multiple subdomains of the pre-configured public tunneling domain and sends these DNS subdomain requests to the DNS server.
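The encapsulation just described leaves a traffic pattern on the resolver side: a burst of distinct, long, random-looking subdomains under one base domain. The following detection heuristic is an added example written for this post, not code from DNS2TCP or its author; the query log format, the tun.example.com domain and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not from the original post), "<client_ip> <qname>" per line.
# The long random-looking labels under tun.example.com stand in for encapsulated SSH payload.
SAMPLE_LOG = """\
192.168.212.71 www.example.org
192.168.212.71 k3j8x1q9v0a7b2c4d6e8f0g1h3i5j7k9l1m3n5.tun.example.com
192.168.212.71 p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h7j8k9l0.tun.example.com
192.168.212.71 z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l6q7w8e9.tun.example.com
192.168.212.71 r4t5y6u7i8o9p0a1s2d3f4g5h6j7k8l9z0x1c2.tun.example.com
192.168.212.71 mail.example.org
192.168.212.71 cdn.example.org
"""

def shannon_entropy(s):
    """Bits per character; random payload labels score far above ordinary hostnames."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_query(qname, depth=3):
    """(base_domain, subdomain); assumes the tunneling domain is the last `depth` labels (no public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:]), ".".join(labels[:-depth])

def profile_queries(log_text, depth=3):
    """Aggregate per-base-domain indicators from the log text."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "length": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        base, sub = split_query(parts[1], depth)
        s = stats[base]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["length"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
    return stats

def flag_tunnel_candidates(stats, min_queries=4, min_avg_len=30, min_avg_entropy=3.5):
    """Base domains whose subdomains look like encapsulated payload: many distinct, long,
    high-entropy labels. Thresholds are assumed starting points, not tuned values."""
    flagged = {}
    for base, s in stats.items():
        q, avg_len, avg_ent = s["queries"], s["length"] / s["queries"], s["entropy"] / s["queries"]
        if q >= min_queries and len(s["subdomains"]) / q >= 0.9 and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[base] = {"queries": q, "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Running `flag_tunnel_candidates(profile_queries(SAMPLE_LOG))` reports only tun.example.com; on real resolver logs the base-domain split and the thresholds need tuning against the organisation's baseline traffic.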