Peculiar DNS Traffic

DNS traffic analysis can be challenging due to its high volume, but identifying abnormalities is crucial for detecting malicious activity.


DNS Queries

DNS queries allow clients to resolve domain names to IP addresses and vice versa.

DNS Forward Queries

In a forward lookup, the client resolves a domain name to an IP address, following these steps:

  1. Query Initiation: Client queries domain, e.g., academy.hackthebox.com.

  2. Local Cache Check: Checks local DNS cache; if unresolved, continues.

  3. Recursive Query: Sends query to the configured DNS server.

  4. Root Servers: DNS resolver queries root servers if necessary.

  5. TLD Servers: Root server directs to TLD servers (e.g., .com).

  6. Authoritative Servers: TLD server points to domain's authoritative server.

  7. Domain’s Authoritative Servers: The resolver obtains the IP address.

  8. Response: The IP address is sent back to the client.

DNS Reverse Lookups/Queries

Reverse lookups are used to find a domain name from an IP address:

  1. Query Initiation: Client sends a DNS reverse query with the IP.

  2. Reverse Lookup Zones: DNS resolver checks if it is authoritative.

  3. PTR Record Query: Resolver searches for a PTR record.

  4. Response: The FQDN is returned if a matching PTR is found.


DNS Record Types

Record Type   Description
A             Maps a domain name to an IPv4 address
AAAA          Maps a domain name to an IPv6 address
CNAME         Creates an alias for a domain
MX            Specifies the mail server for the domain
NS            Authoritative name servers for the domain
PTR           Used in reverse queries to map an IP to a domain
TXT           Specifies text associated with the domain
SOA           Administrative information about the zone

Detecting DNS Enumeration Attempts

A high volume of DNS queries from a single host may suggest DNS enumeration. Using Wireshark, filter DNS traffic as follows:

dns

If the captured queries include requests of record type ANY, this could indicate DNS enumeration, or even subdomain enumeration.
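The following Python script is an added example, not part of the original notes: it applies the indicators above to a list of DNS query records, counting queries per client, flagging ANY requests, and counting distinct names under one parent domain (the pattern a subdomain brute-force leaves behind). The log line format, client addresses, thresholds and query lists are all constructed for the example. In Wireshark the equivalent narrowing of the dns filter to ANY requests is dns.qry.type == 255.

```python
import re
from collections import defaultdict

# Constructed sample of DNS query records in the form "<client_ip> <qname> <qtype>",
# assumed to have been exported from a capture. Not real traffic.
NORMAL_LINES = [
    "10.0.0.3 academy.hackthebox.com A",
    "10.0.0.3 www.hackthebox.com A",
    "10.0.0.3 mail.hackthebox.com MX",
    "10.0.0.3 updates.example.net A",
]
# One client walking a wordlist of subdomains and firing two ANY requests (constructed).
ENUM_LINES = [f"10.0.0.9 host{i}.hackthebox.com A" for i in range(60)] + [
    "10.0.0.9 hackthebox.com ANY",
    "10.0.0.9 academy.hackthebox.com ANY",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_records(lines):
    """Turn log lines into (client, qname, qtype) tuples; malformed lines are skipped."""
    records = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            client, qname, qtype = match.groups()
            records.append((client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def parent_domain(qname):
    """Naive registrable domain: the last two labels. Fine for .com; multi-part
    public suffixes such as co.uk would need a public-suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def summarize(records):
    """Per-client counters: total queries, ANY queries, distinct names per parent domain."""
    summary = defaultdict(lambda: {"total": 0, "any": 0, "names": defaultdict(set)})
    for client, qname, qtype in records:
        entry = summary[client]
        entry["total"] += 1
        if qtype == "ANY":
            entry["any"] += 1
        entry["names"][parent_domain(qname)].add(qname)
    return summary


def find_enumerators(records, query_threshold=50, any_threshold=1, subdomain_threshold=20):
    """Return {client: [reasons]} for clients whose query pattern matches enumeration.
    Thresholds are illustrative; baseline them against your own resolver logs."""
    flagged = {}
    for client, entry in summarize(records).items():
        reasons = []
        if entry["total"] >= query_threshold:
            reasons.append(f"{entry['total']} queries (threshold {query_threshold})")
        if entry["any"] >= any_threshold:
            reasons.append(f"{entry['any']} ANY queries")
        for domain, names in entry["names"].items():
            if len(names) >= subdomain_threshold:
                reasons.append(f"{len(names)} distinct names under {domain}")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in find_enumerators(parse_records(NORMAL_LINES + ENUM_LINES)).items():
        print(client, "->", "; ".join(reasons))
```

Run as-is, only 10.0.0.9 is reported, with all three reasons; the normal client stays under every threshold. The per-parent-domain count is the indicator that separates a subdomain brute-force from a merely chatty host that queries many unrelated domains.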

Finding DNS Tunneling

DNS tunneling can involve a significant number of TXT records from one host. Attackers may exfiltrate data by appending it to the TXT field of DNS queries.

Example of DNS Tunneling Indicators

Examine DNS traffic for unusual or unexpected text in the TXT field. Encoded or encrypted data may appear, often as base64:

  1. Extracting Base64 Encoded Data:

    echo 'VTBaU1EyVXhaSFprVjNocldETnNkbVJXT1cxaU0wb3pXVmhLYTFneU1XeFlNMUp2WVhOT1ptTklTbXhrU0ZJMVdETkNjMXBYUm5wYQpXREJMQ2c9PQo=' | base64 -d

  2. Handling Multi-Level Encoding:

    echo 'encoded_string' | base64 -d | base64 -d | base64 -d

    Some attackers may encode data multiple times or encrypt it, making detection harder.
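As an added example (not code from the original notes), the Python below covers both indicators from this section: it flags a client sending many TXT queries whose attached text looks encoded, reassembles that client's chunks, and then peels nested base64 layers the way the chained base64 -d pipeline does, stopping when the output is no longer valid base64. The query records, the client addresses, the chunk size and the thresholds are constructed for the example; the sample payload is built inside the script by triple-encoding a plaintext of my own.

```python
import base64
import binascii
import math
from collections import Counter, defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random base64 sits near 6, English text near 4."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def encode_layers(data: bytes, layers: int) -> bytes:
    """Base64-encode `data` repeatedly; used only to build the constructed sample."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


def peel_base64(blob: bytes, max_layers: int = 10):
    """Decode nested base64 until the result stops being valid base64.
    Returns (innermost_bytes, layers_removed). Whitespace is dropped before each
    attempt because `base64 -d` tolerates embedded newlines and tunnels often add them."""
    layers = 0
    while layers < max_layers:
        cleaned = b"".join(blob.split())
        try:
            decoded = base64.b64decode(cleaned, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        blob, layers = decoded, layers + 1
    return blob, layers


# Constructed plaintext, triple-encoded and split into TXT-sized chunks (not real data).
PLAINTEXT = b"Hello, DNS! constructed sample of data leaving through TXT queries 0123456789"
PAYLOAD = encode_layers(PLAINTEXT, 3)
CHUNK = 48

# Constructed query records (client, qname, qtype, txt_data); not real traffic.
BENIGN = [
    ("10.0.0.7", "academy.hackthebox.com", "A", ""),
    ("10.0.0.7", "_dmarc.hackthebox.com", "TXT", ""),
    ("10.0.0.7", "www.hackthebox.com", "AAAA", ""),
]
TUNNEL = [
    ("10.0.0.5", f"c{i // CHUNK}.tunnel.example", "TXT", PAYLOAD[i:i + CHUNK].decode())
    for i in range(0, len(PAYLOAD), CHUNK)
]


def find_tunnel_hosts(records, txt_threshold=4, entropy_threshold=4.5, length_threshold=30):
    """Flag clients issuing many TXT queries whose attached text is long or high-entropy.
    Thresholds are tuned to the constructed sample; production values need baselining."""
    per_host = defaultdict(list)
    for client, _qname, qtype, txt in records:
        if qtype == "TXT" and txt:
            per_host[client].append(txt)
    flagged = {}
    for client, chunks in per_host.items():
        joined = "".join(chunks)
        entropy = shannon_entropy(joined)
        avg_len = len(joined) / len(chunks)
        if len(chunks) >= txt_threshold and (entropy >= entropy_threshold or avg_len >= length_threshold):
            flagged[client] = {"txt_queries": len(chunks), "entropy": round(entropy, 2), "avg_len": avg_len}
    return flagged


def recover_payload(records, client):
    """Reassemble a flagged client's TXT chunks in capture order and peel the encoding layers."""
    chunks = [txt for c, _q, qtype, txt in records if c == client and qtype == "TXT" and txt]
    return peel_base64("".join(chunks).encode())


if __name__ == "__main__":
    records = BENIGN + TUNNEL
    for client, info in find_tunnel_hosts(records).items():
        data, layers = recover_payload(records, client)
        print(client, info, "->", layers, "layers:", data)
```

The stop condition in peel_base64 is the practical answer to the multi-level encoding problem: rather than guessing how many times to chain base64 -d, keep decoding while the output is still strictly valid base64. Plaintext that happens to be made only of base64 characters would be decoded one step too far, so a reviewer should still look at the last readable layer, and encrypted payloads will come out as opaque bytes once the encoding is gone.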

Reasons for DNS Tunneling

  1. Data Exfiltration: Used to covertly export data from a network.

  2. Command and Control: Enables compromised systems to communicate with attacker-controlled servers, often used in botnets.

  3. Firewall Bypassing: DNS tunnels can bypass firewalls or proxies focused on HTTP/HTTPS.

  4. Domain Generation Algorithms (DGAs): Advanced malware uses DGAs to generate dynamic domain names, complicating detection.

The Interplanetary File System and DNS Tunneling

Advanced threat actors may use IPFS to store and retrieve malicious files, making DNS/HTTP traffic to URIs like the following noteworthy:

  • IPFS Example URI:

    https://cloudflare-ipfs.com/ipfs/QmS6eyoGjENZTMxM7UdqBk6Z3U3TZPAVeJXdgp9VK4o1Sz

IPFS operates on a peer-to-peer basis, complicating detection. Regular monitoring of DNS and HTTP/HTTPS traffic is essential to mitigate these attacks.
