This video explores how malicious actors use DNS tunneling to bypass security defenses by abusing the DNS protocol on port 53, a port almost every firewall must allow outbound. Data moves in both directions: outbound bytes are encoded into the hostname or subdomain labels of queries, and return traffic rides in answer records of types such as TXT, MX, and NULL. Because a recursive resolver forwards queries for the attacker's domain to whichever name server is authoritative for it, the attacker only has to control that authoritative server to receive the victim's queries and shape the replies. In the first scenario, a Windows environment is used to demonstrate how attackers use a dnscat2 server and PowerShell to establish a command and control channel: commands are run on the victim in memory and their output flows back through DNS, passing firewalls that block everything except common web protocols.
The second scenario focuses on a hybrid network of Linux machines and the iodine tool, which builds a full IP tunnel (in effect a VPN) over DNS. Unlike a simple shell session, iodine creates a new tun network interface on each end, so arbitrary IP traffic can be routed through it. iodine itself does not encrypt the tunnel, but because it carries any IP protocol, encrypted sessions such as SSH or TLS run over it unchanged, which makes it a highly evasive technique for bypassing local and cloud-based defenses. The presentation concludes by showing how these activities surface in the Lumu portal. The platform provides detailed analytics on tunneling behaviour, identifying the compromised hosts and the domains they queried and tracking the volume of data transferred between the victim and the attacker's infrastructure.
Takeaways
- DNS tunneling hides data in the hostname or subdomain labels of DNS queries (and in answer records such as TXT) to bypass firewalls via port 53.
- Attackers favour PowerShell because a stager can be fetched and executed entirely in memory, with no payload written to disk; it is not traceless, though, since PowerShell script block logging (Event ID 4104), module logging and AMSI still record what was executed when they are enabled.
- dnscat2 is a tool attackers use to create a command and control channel between a victim and a malicious authoritative name server.
- iodine establishes a full IP tunnel (a VPN) over DNS by creating a tun network interface on each end, so ordinary network tools work through it and defenses see only DNS traffic.
- Security platforms identify tunneling by tracking anomalies such as unusually long or high-entropy subdomains, bursts of unique subdomains under a single domain and uncommon record types, and by measuring the volume of data moved in real time.
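The encoding and detection logic described above, as an added example that is not part of the original video and is not code from dnscat2 or iodine: it packs bytes into DNS query names the way a tunnel client does (base32 so every character is hostname-safe, labels of at most 63 characters, names of at most 253), decodes them on the authoritative side, and then runs a simple detector over a constructed resolver log. The log format (timestamp, client, query name, record type), the domain names example.com and tunnel.example.net, the thresholds, and the rule that the registered domain is the last two labels are all assumptions made for this example.

```python
"""Added example: how tunnel data rides in DNS query names, and how to spot it
in resolver logs. Illustrative code only, not dnscat2 or iodine."""
import base64
import math
from collections import Counter, defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a full name in text form is at most 253 characters


def encode_chunks(data: bytes, base_domain: str, labels_per_query: int = 3) -> list[str]:
    """Client side of a tunnel: base32 the bytes (hostname-safe, case-insensitive),
    cut them into <=63-character labels and pack a few labels per query name."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names = []
    for i in range(0, len(labels), labels_per_query):
        name = ".".join(labels[i:i + labels_per_query] + [base_domain])
        if len(name) > MAX_NAME:
            raise ValueError("query name exceeds the 253-character limit")
        names.append(name)
    return names


def decode_chunks(names: list[str], base_domain: str) -> bytes:
    """Authoritative-server side: strip the zone, rejoin the labels, undo base32."""
    suffix = "." + base_domain
    payload = "".join(n[:-len(suffix)].replace(".", "") for n in names if n.endswith(suffix))
    payload = payload.upper() + "=" * (-len(payload) % 8)   # restore base32 padding
    return base64.b32decode(payload)


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str) -> tuple[str, list[str]]:
    """Assumption for this example: the registered domain is the last two labels
    (a real detector would consult the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def query_indicators(qname: str, qtype: str) -> list[str]:
    """Per-query signals: oversized names or labels, random-looking subdomains,
    and record types an endpoint rarely asks for on its own."""
    _, sub_labels = split_name(qname)
    sub = "".join(sub_labels)
    flags = []
    if len(qname) > 100:
        flags.append("long-name")
    if any(len(label) > 40 for label in sub_labels):
        flags.append("long-label")
    if len(sub) >= 20 and shannon_entropy(sub) > 3.5:
        flags.append("high-entropy")
    if qtype in ("TXT", "NULL"):
        flags.append(f"uncommon-type:{qtype}")
    return flags


def analyze_log(lines: list[str], min_flagged: int = 5, min_unique: int = 10) -> dict:
    """Aggregate per registered domain: query count, distinct subdomains (each one
    is a fresh chunk in a tunnel) and the raw subdomain characters sent upstream."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "subdomain_chars": 0, "flagged": 0, "reasons": set()})
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                     # constructed format: ts client qname qtype
        _ts, _client, qname, qtype = parts[:4]
        domain, sub_labels = split_name(qname)
        rec = stats[domain]
        rec["queries"] += 1
        rec["subdomains"].add(".".join(sub_labels))
        rec["subdomain_chars"] += len("".join(sub_labels))
        flags = query_indicators(qname, qtype)
        if flags:
            rec["flagged"] += 1
            rec["reasons"].update(flags)
    verdicts = {}
    for domain, rec in stats.items():
        reasons = set(rec["reasons"])
        if len(rec["subdomains"]) >= min_unique:
            reasons.add("many-unique-subdomains")
        # One SPF-style TXT lookup is normal; a run of flagged queries is not.
        suspicious = rec["flagged"] >= min_flagged or (
            len(rec["subdomains"]) >= min_unique and rec["flagged"] > 0)
        verdicts[domain] = {
            "queries": rec["queries"],
            "unique_subdomains": len(rec["subdomains"]),
            "subdomain_chars": rec["subdomain_chars"],
            "suspicious": suspicious,
            "reasons": sorted(reasons) if suspicious else [],
        }
    return verdicts


def build_sample_log() -> list[str]:
    """Constructed resolver log: normal lookups plus a tunnel session carrying
    fake command output in TXT queries under tunnel.example.net (assumed domain)."""
    benign = [
        "2024-05-01T10:00:00Z 10.0.0.5 www.example.com A",
        "2024-05-01T10:00:01Z 10.0.0.5 mail.example.com MX",
        "2024-05-01T10:00:02Z 10.0.0.5 example.com TXT",
        "2024-05-01T10:00:03Z 10.0.0.5 api.cdn.example.com A",
    ]
    exfil = b"uid=1000(svc) gid=1000(svc) groups=1000(svc)\n" * 12
    tunnel = [f"2024-05-01T10:01:{i:02d}Z 10.0.0.5 {name} TXT"
              for i, name in enumerate(encode_chunks(exfil, "tunnel.example.net"))]
    return benign + tunnel


if __name__ == "__main__":
    for domain, verdict in analyze_log(build_sample_log()).items():
        print(domain, verdict)
```

Running it flags example.net (five long, high-entropy TXT queries carrying 894 subdomain characters) while leaving example.com alone even though it received one TXT lookup; the subdomain character count is the same "volume transferred" figure a monitoring portal reports, and `decode_chunks` shows why the authoritative server sees the full payload regardless of how many resolvers sit in between.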