DNSteal: Data Exfiltration and Tunneling via DNS – Techniques and Detection

A security topic that was not really on my radar: data theft through manipulation of the Domain Name System (DNS). The whole thing goes under the terms DNSteal and DNS Exfiltration. Roughly speaking, these are techniques that can be used to tunnel through firewalls and exfiltrate (steal) data via redirected DNS servers.

Data Exfiltration through DNS Exfiltration

Especially for enterprises, there is a risk of data being siphoned off from the corporate network without being noticed. IT does try to block a data outflow through firewalls and other security measures. But hackers are looking for ways to abuse the DNS (Domain Name System) for their own purposes.

Advice from Akamai

Security vendor Akamai has an article DNS: The Easiest Way to Exfiltrate Data? on the topic, which describes the various ways attackers abuse DNS. These include DNS tunneling (high throughput) and DNS exfiltration (low throughput).

According to Akamai, attackers take advantage of the fact that most companies do not interfere with DNS traffic because of its critical role. In both variants mentioned above, the DNS protocol is therefore used to exfiltrate data: the attackers add data to DNS requests that has nothing to do with name resolution.

  • In high-throughput DNS tunneling, DNS queries run to one or more target domains, which then pull that data and forward the actual DNS queries to a DNS server. Akamai lists DNS tunneling to bypass a WLAN paywall as a harmless variant and communication with a command and control [C2] server as a more harmful variant. DNS tunneling, according to the security vendor, should be easy to detect and block due to the volume of data involved.
  • Low-throughput DNS data exfiltration becomes more difficult to detect because there is no significant increase in throughput for DNS queries to individual domains. For example, a malware-infected endpoint may only be active every hour, sending a DNS query with a short message attached to its C2 server.

The latter method is probably very popular among attackers for disguising communication with certain domains. Valuable data (e.g. credit card data) can often be smuggled out undetected in this way.

What is DNSteal?

The second term I came across in this context is DNSteal – a combination of DNS and steal. FortiGuard describes it in its IPS Threat Encyclopedia as "DNSteal is a tool that can tunnel data over DNS to bypass firewall policy." On GitHub there is a tool called DNSteal 2.0, which acts as a fake DNS server designed to allow testers to secretly extract files from a victim computer via DNS queries.

An Article explaining it all

I had already written within my German blog several times about products from Helge Klein, like his tools SetACL and Delprof2, or his Splunk plugin uberAgent (see my German article IT-Sicherheit: uberAgent Endpoint Security Analytics (ESA), Monitoring und perfekte Ergänzung für EDR-Produkte). Helge Klein is a software developer, former MVP colleague and founder of the company vast limits GmbH. In August 2022 I had reviewed his product uberAgent Endpoint Security Analytics (ESA) and asked him to let me know if he had something new that might be interesting.

Some time ago, Helge pointed me to his blog post DNS Exfiltration & Tunneling: How it Works & DNSteal Demo Setup, published in February 2023, which addresses the issues touched on above. In that article he describes how DNS queries can be abused to pull data from an enterprise network using the techniques outlined above. The article also mentions the Python script DNSteal and describes a demo setup and data exfiltration with this tool.

Detect/Prevent DNS Exfiltration

The question facing administrators in enterprises: "How can I detect and prevent exfiltration of data from the corporate network via DNS requests?" In August, in the German article IT-Sicherheit: uberAgent Endpoint Security Analytics (ESA), Monitoring und perfekte Ergänzung für EDR-Produkte, I had introduced uberAgent, developed by Helge Klein. It is a solution that provides the IT department with the information it needs for monitoring as well as potential security incidents. The uberAgent ESA product featured in the article runs on macOS as well as Windows systems and has Splunk integration.

From the article, I knew that Helge Klein was busy further developing his tool and addressing various security issues. On the above topic of DNS exfiltration, he has integrated DNS exfiltration & tunneling detection in uberAgent 7.1. He describes the features in question in his blog post uberAgent 7.1 Preview: DNS Exfiltration & Tunneling Detection.
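To make the detection question concrete, here is a small Python detector (an added example, not code from the original post, from Akamai, or from uberAgent) that scores a constructed resolver log against the two patterns Akamai describes: a high-throughput tunnel stands out by volume, while a low-throughput beacon only stands out by how little its query labels look like real host names. The thresholds, the placeholder domains and the naive apex-domain split are assumptions chosen for the demonstration.

```python
import hashlib
import math
from collections import defaultdict

def build_sample_log():
    """Constructed resolver log: (epoch_seconds, client_ip, queried_name). All domains are placeholders."""
    t, log = 1_700_000_000, []
    for i in range(20):   # ordinary lookups: short, readable labels
        log.append((t + i, "10.0.0.5", f"{['www', 'mail', 'cdn', 'api'][i % 4]}.example.com"))
    for i in range(40):   # high-throughput tunnel: 40 distinct 48-char encoded labels in 40 s
        chunk = hashlib.sha256(f"tunnel{i}".encode()).hexdigest()[:48]
        log.append((t + i, "10.0.0.7", f"{chunk}.t.tunnel-placeholder.net"))
    for i in range(6):    # low-throughput beacon: one encoded label per hour
        chunk = hashlib.sha256(f"beacon{i}".encode()).hexdigest()[:24]
        log.append((t + i * 3600, "10.0.0.9", f"{chunk}.beacon-placeholder.org"))
    return log

def shannon_entropy(s):
    """Bits per character; encoded payloads score close to log2(alphabet size), host names far below."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def split_name(name):
    # Naive apex = last two labels; a real deployment would use the Public Suffix List instead.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), (labels[0] if len(labels) > 2 else "")

def profile(log):
    """Per apex domain: timestamps, distinct leftmost labels, summed label length and entropy."""
    stats = defaultdict(lambda: {"ts": [], "labels": set(), "len": 0, "ent": 0.0})
    for ts, _client, name in log:
        apex, label = split_name(name)
        s = stats[apex]
        s["ts"].append(ts)
        s["labels"].add(label)
        s["len"] += len(label)
        s["ent"] += shannon_entropy(label)
    return stats

def classify(stats, window_s=60, burst=30, long_label=20, high_entropy=3.0):
    """Tunneling: many distinct encoded labels at a high rate. Low-throughput: encoded but sparse."""
    verdicts = {}
    for apex, s in stats.items():
        n = len(s["ts"])
        encoded = s["len"] / n >= long_label and s["ent"] / n >= high_entropy
        per_window = n * window_s / max(max(s["ts"]) - min(s["ts"]), 1)   # queries per window
        burst_like = len(s["labels"]) >= burst and per_window >= burst
        verdicts[apex] = "benign" if not encoded else "tunneling" if burst_like else "low-throughput exfiltration"
    return verdicts
```

The low-throughput case is the one the volume-based rule misses, which is why the label shape is checked before the rate; on a real resolver log you would also want the per-client view and a known-good allowlist to keep CDN and anti-virus update domains, which legitimately use long hashed labels, out of the alerts.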

Detect DNS exfiltration with uberAgent ESA & Splunk

The YouTube video embedded in the original post demonstrates the use of uberAgent 7.1 to detect DNS exfiltration by DNSteal. I introduced the uberAgent tool and its integration with Splunk in the blog post IT-Sicherheit: uberAgent Endpoint Security Analytics (ESA), Monitoring und perfekte Ergänzung für EDR-Produkte. In that post you can also find out how to request evaluation and community licenses for testing.

Note: The blog post IT-Sicherheit: uberAgent Endpoint Security Analytics (ESA), Monitoring und perfekte Ergänzung für EDR-Produkte is a sponsored post marked accordingly. The above post, however, is not a sponsored post – I had asked Helge Klein to inform me about recent developments at uberAgent. Maybe the topic is of interest for one or the other blog reader.
