DNS Tunneling for Network Penetration

  • Daan Raman
  • Bjorn De Sutter
  • Bart Coppens
  • Stijn Volckaert
  • Koen De Bosschere
  • Pieter Danhieux
  • Erik Van Buggenhout
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7839)


Most networks are connected to the Internet through firewalls that block attacks from the outside and limit communication initiated from the inside. Because the Domain Name System (DNS) protocol offers limited and supposedly safe functionality, its traffic is by and large neglected by firewalls. The resulting possibility of setting up information channels through DNS tunnels is already known, but all existing implementations require help from insiders to set up the tunnels. This paper presents a new Metasploit module for integrated penetration testing of DNS tunnels, and uses that module to evaluate the potential of DNS tunnels as communication channels that are set up through standard, existing exploits and that support many different command-and-control malware modules.
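The channel the abstract describes works by hiding data inside the only part of a DNS query a firewall usually lets through unchecked: the queried name itself. The example below is added to this page and is not the paper's Metasploit module or any other published tunnel implementation. It shows both sides of such a channel under the RFC 1035 name limits (labels of at most 63 octets, names of at most 253 characters in text form), together with the kind of simple heuristic a defender can run over query names. The zone `t.example.com`, the sample payload, the label/entropy thresholds and the two-label suffix stripping are constructed assumptions for illustration, not values taken from the paper.

```python
import base64
import math
from collections import Counter

# Constructed assumption: the attacker controls the authoritative server for this zone,
# so every query for a name under it eventually reaches the attacker.
TUNNEL_ZONE = "t.example.com"
MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # RFC 1035: 255 octets on the wire, 253 characters in text form


def _b32(data: bytes) -> str:
    # Base32 without padding, lower-cased: DNS names are case-insensitive,
    # and '=' is not a valid hostname character.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    text += "=" * (-len(text) % 8)   # restore the padding stripped by _b32
    return base64.b32decode(text)


def encode_queries(payload: bytes, zone: str = TUNNEL_ZONE, labels_per_query: int = 3) -> list[str]:
    """Split payload into query names of the form <seq>.<chunk>.<chunk>.<chunk>.<zone>.

    The leading sequence label lets the receiver reorder datagrams, since DNS over UDP
    gives no ordering guarantee.
    """
    encoded = _b32(payload)
    per_query = MAX_LABEL * labels_per_query
    chunks = [encoded[i:i + per_query] for i in range(0, len(encoded), per_query)]
    names = []
    for seq, chunk in enumerate(chunks):
        labels = [str(seq)] + [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join(labels + [zone])
        if len(name) > MAX_NAME:
            raise ValueError("query name exceeds the RFC 1035 length limit")
        names.append(name)
    return names


def decode_queries(names: list[str], zone: str = TUNNEL_ZONE) -> bytes:
    """Reassemble the payload from received query names, tolerating reordering and noise."""
    suffix = "." + zone
    fragments = {}
    for name in names:
        if not name.endswith(suffix):
            continue                      # an ordinary query for some other name
        labels = name[:-len(suffix)].split(".")
        if not labels[0].isdigit():
            continue                      # under our zone but not in tunnel format
        fragments[int(labels[0])] = "".join(labels[1:])
    return _unb32("".join(fragments[s] for s in sorted(fragments)))


def tunnel_score(name: str) -> dict:
    """Per-name features a detector can threshold on, computed without knowing the zone."""
    labels = name.rstrip(".").split(".")
    # Constructed simplification: treat the last two labels as the registrable domain.
    # A production detector would consult the public suffix list instead.
    sub = "".join(labels[:-2])
    n = len(sub)
    counts = Counter(sub)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    return {
        "longest_label": max((len(l) for l in labels), default=0),
        "sub_len": n,
        "entropy": round(entropy, 2),
    }


def looks_like_tunnel(name: str, max_label: int = 30, min_sub_len: int = 50,
                      min_entropy: float = 3.5) -> bool:
    """Flag names with very long labels or long, high-entropy subdomain parts.

    The thresholds are constructed for this example; legitimate CDN and anti-spam
    lookups also produce long labels, so tune them against a baseline of real traffic.
    """
    s = tunnel_score(name)
    return s["longest_label"] > max_label or (
        s["sub_len"] > min_sub_len and s["entropy"] > min_entropy)


# Constructed sample: output an exploit payload might want to exfiltrate.
SAMPLE_PAYLOAD = b"uid=1000(dev) gid=1000(dev) groups=1000(dev),27(sudo)\n" * 4

if __name__ == "__main__":
    queries = encode_queries(SAMPLE_PAYLOAD)
    for q in queries:
        print(f"{len(q):3d} chars  tunnel={looks_like_tunnel(q)}  {q}")
    assert decode_queries(list(reversed(queries))) == SAMPLE_PAYLOAD
    print("benign:", looks_like_tunnel("www.example.org"))
```

Run stand-alone, the script prints the query names the client would send, shows that the receiver recovers the payload even when the queries arrive out of order, and shows that the heuristic separates the tunnel names from a benign lookup. The egress path the abstract relies on is the recursive resolver: the client never contacts the attacker directly, so blocking outbound UDP/53 to arbitrary hosts does not close the channel, while the receiver only sees what the resolver forwards.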


Keywords: Domain Name System, tunneling, Metasploit, network penetration





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Daan Raman (1)
  • Bjorn De Sutter (1)
  • Bart Coppens (1)
  • Stijn Volckaert (1)
  • Koen De Bosschere (1)
  • Pieter Danhieux (2)
  • Erik Van Buggenhout (2)

  1. Computer Systems Lab, Ghent University, Belgium
  2. ITRA FSO, Ernst & Young, Belgium
