DNS covert channels

Archive for December, 2011

DNS covert channels

Posted by

I am having some fun with DNS and covert channels over the holidays.

At its most simplest, DNS can be used as a text based covert channel. The DNS client sends the message via a CNAME lookup. The DNS server sends a message in response via a CNAME response. By co-opting this process, any character sequence can be sent back and forth.

What if we need to do more? Say, transfer a file? Or even browse the web? The answer here is text encoding.

Most IT folks would jump to the conclusion that the traffic simply needs to be Base64 encoded. There is a slight wrinkle. DNS CNAME queries only support 63 characters: alphabetical lower case, upper case, numeric, and dash (-). Base64 encoding is out.

The next possibility is Base32 encoding. While not often used, it fits within the DNS RFC and therefore works out of the box.

The disadvantages of Base32 over DNS is packet payload size and transmissions. DNS is UDP and, therefore, may suffer from dropped packets. Further, the packets can only be so long.  DNS host names are limited to 255 characters.

Dan Kaminsky came up with an interesting solution to these problems. He essentially tunneled IP over DNS using Base32 encoding. Such protocol layering handles the limitations of UDP. To increase the size, Kaminsky relied on the EDNS0 extension specified in RFC 2671. He released a proof of concept in the form of the OzymanDNS Perl scripts.

As a side note, the name OzymanDNS had me curious. I did some digging. It is a Watchmen comics reference which, in turn, traces back to an Egyptian pharaoh. Nothing says secret writings like comic books and pharoahs.

Anyways, in sum, covert channels over DNS are practical. With some clever protocol manipulation, binary files and even web browsing can be tunneled over DNS.