Continuing my Air Force Training's Advanced Distance Learning, I had to choose a network protocol from a list and do a short research assignment on the tool. I chose DNS. I got 10/10 on this while also getting to use a link to a friend's DNS exfiltration tool as a reference.


The Domain Name System (DNS) is essentially the internet's phone book and is critical to the function of the internet as we know it. Systems on the internet are identified by an Internet Protocol (IP) address, and that address is what computer systems use to communicate with each other. Humans, however, are not good at memorizing hundreds or thousands of "dotted-decimal" addresses to reach the resources they want. DNS provides an infrastructure to translate human-readable names to IP addresses. The DNS system is hierarchical in nature and globally distributed, making it highly redundant. In recent years DNS has also become a security concern (a control or an attack surface, depending on perspective), as attackers have found new ways to leverage it in social engineering schemes and in the theft of internet properties such as domain names.

The core task of DNS is to resolve one kind of address into another. The most common operation is the forward lookup, where the service translates a domain name (e.g. google.com) into an IP address (e.g. 64.233.180.101) by returning an A record. DNS can also perform a reverse lookup, where an IP address (e.g. 8.8.8.8) is translated into a host name (e.g. google-public-dns-a.google.com) through a PTR record under the in-addr.arpa tree. For most users this activity happens invisibly as they browse the web (and in numerous other uses behind the scenes). Network administrators and security researchers use DNS to troubleshoot connectivity issues, manage networks, and ensure access to internal and public resources. The system exists to spare users from remembering numbers when they could remember names instead.
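The two lookups described above, shown at the wire level as an added example (not part of the original assignment or of any referenced tool): a minimal RFC 1035 message builder and parser in Python. The response bytes are constructed inline to match the google.com example, so the script runs offline; the transaction ID, flags and TTL are arbitrary choices, and only A, NS, CNAME and PTR record data are decoded.

```python
import struct

# Record types from RFC 1035 (AAAA is from RFC 3596).
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
         "TXT": 16, "AAAA": 28, "AXFR": 252}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """Encode 'google.com' as length-prefixed labels: 06 google 03 com 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """Standard query with RD=1 (ask the resolver to recurse) and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def read_name(data, offset):
    """Decode a possibly compressed name (RFC 1035 s4.1.4); return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # two-octet pointer to an earlier name
            if end is None:
                end = offset + 2           # the caller resumes right after the pointer
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(data):
    """Parse the header, question and answer sections into Python values."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    questions = []
    for _ in range(qd):
        qname, off = read_name(data, off)
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((qname, QTYPE_NAME.get(qtype, qtype)))
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if rtype == 1 and rdlen == 4:                # A: dotted-decimal IPv4
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                    # NS, CNAME, PTR: a (compressible) name
            value, _ = read_name(data, off)
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, QTYPE_NAME.get(rtype, rtype), ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def reverse_name(ipv4):
    """Name queried (type PTR) for a reverse lookup: 64.233.180.101 -> 101.180.233.64.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


# Constructed response (not a real capture): google.com A 64.233.180.101, TTL 300, with the
# answer's owner name written as a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # QR=1, RD=1, RA=1, RCODE=0
    + encode_name("google.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([64, 233, 180, 101])
)

if __name__ == "__main__":
    print(build_query("google.com").hex())                       # forward lookup on the wire
    print(build_query(reverse_name("8.8.8.8"), "PTR").hex())     # reverse lookup on the wire
    print(parse_response(SAMPLE_RESPONSE))
```

The query bytes can be sent as-is over UDP port 53 with a socket; the parser is the part that matters for security work, since every DNS tool that reads untrusted answers has to handle compression pointers (hence the hop limit) and must not trust the declared RDLENGTH beyond the buffer.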

The system works hierarchically, starting from the root and then the top-level domain (TLD) at the right-hand end of most domain names (e.g. .com, .org, .net). TLDs are delegated by IANA/ICANN to registry operators; the country-code TLDs are aligned with a geographic region, and until recently there were only a small number of generic TLDs. In the last few years hundreds of new TLDs have been created, and private entities have been delegated authority over them. The operator of a TLD is responsible for registering the names beneath it (normally through accredited registrars) and maintaining the NS records that delegate each registered domain to its owner's name servers. The process of domain registration is how system owners create the translation between a domain they have registered and an IP address they own. In addition, the registration process allows the owner to specify additional records: MX records for mail, records for sub-domains, and NS records for additional name servers that manage sub-domains.

Domain servers support both public and private applications. Most medium to large corporations run their own internal DNS to give their users the benefits of DNS while keeping the information it contains hidden from the public. A full set of DNS records for a corporation is a major benefit to an attacker, since the records indicate where administrative, development, intellectual-property, and other sensitive assets reside within the network. In the worst case, a misconfigured DNS server allows a zone transfer (an AXFR request) from unauthorized clients, handing over the entire zone in one query; transfers should be restricted to the authoritative secondaries by IP address and, ideally, authenticated with TSIG. In the realm of social engineering, look-alike domain names (e.g. airforce.com vs. air-force.com) are used to trick users into accessing a compromised or fraudulent resource; some companies register these similar-looking domains defensively to pre-empt the attack. Lastly, as with any mechanism that transports data, DNS can be used for exfiltration, whether as a Command and Control channel or for direct data exfiltration, because almost every network lets DNS queries out and the query names themselves carry attacker-chosen data. DNSSEC helps with some of these challenges but has not been widely adopted, and it is worth being precise about what it does: it lets resolvers verify that records are authentic and unmodified (defeating cache poisoning and spoofed answers), but it does not hide zone contents, does not stop look-alike registrations, and does nothing against tunneling or exfiltration through otherwise valid queries.
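Detection logic for two of the abuses described above, run over a constructed resolver log, as an added example (not from the original post and not from the referenced DNS_Exfil_Tool): it flags domains that receive many long, high-entropy, unique subdomains (the shape of DNS tunneling and exfiltration, whichever encoding the tool uses) and query names that resemble a watch-listed domain once hyphens are ignored. The log lines, the hex encoding of the chunks, the thresholds, and the "last two labels are the registered domain" approximation are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log (not a real capture): timestamp, client, query name, query type.
# Client 10.1.1.9 is assumed to be sending hex-encoded file chunks as subdomains of c2.example.net.
SAMPLE_LOG = """\
2017-10-18T09:00:01 10.1.1.5 www.google.com A
2017-10-18T09:00:02 10.1.1.5 mail.example.org MX
2017-10-18T09:00:03 10.1.1.9 0123456789abcdef0123456789abcdef01234567.c2.example.net TXT
2017-10-18T09:00:04 10.1.1.9 fedcba9876543210fedcba9876543210fedcba98.c2.example.net TXT
2017-10-18T09:00:05 10.1.1.9 13579bdf02468ace13579bdf02468ace13579bdf.c2.example.net TXT
2017-10-18T09:00:06 10.1.1.9 2468ace013579bdf2468ace013579bdf2468ace0.c2.example.net TXT
2017-10-18T09:00:07 10.1.1.5 air-force.com A
2017-10-18T09:00:08 10.1.1.7 airforce.com A
""".splitlines()


def parse_log(lines):
    rows = []
    for line in lines:
        ts, client, qname, qtype = line.split()
        rows.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype})
    return rows


def shannon_entropy(s):
    """Bits per character: 0 for a repeated character, 4.0 for evenly spread hex digits."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """(subdomain, registered domain). Assumption: the last two labels are the registered
    domain; a real deployment would consult the Public Suffix List (co.uk and friends)."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunneling(rows, min_sub_len=30, min_entropy=3.0, min_unique=3):
    """Domains that receive at least `min_unique` distinct long, high-entropy subdomains.
    Legitimate names are short and low-entropy; encoded payloads are neither, and each chunk
    must be unique so that the recursive resolver cannot answer it from cache."""
    per_domain = defaultdict(set)
    for r in rows:
        sub, dom = split_name(r["qname"])
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            per_domain[dom].add(sub)
    return {dom: len(subs) for dom, subs in per_domain.items() if len(subs) >= min_unique}


def edit_distance(a, b):
    """Levenshtein distance, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(qname, watchlist):
    """The watch-listed domain that `qname` impersonates, or None. Hyphens are dropped before
    comparing the second-level label, so air-force.com matches airforce.com; a single-character
    edit such as airf0rce.com is caught too, while the exact watch-listed domain is not."""
    _, reg = split_name(qname)
    if reg in watchlist:
        return None
    core = reg.split(".")[0].replace("-", "")
    for w in watchlist:
        if edit_distance(core, w.split(".")[0].replace("-", "")) <= 1:
            return w
    return None


def find_lookalikes(rows, watchlist):
    hits = {}
    for r in rows:
        match = lookalike(r["qname"], watchlist)
        if match:
            hits[r["qname"]] = match
    return hits


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("tunneling:", find_tunneling(rows))                        # {'example.net': 4}
    print("look-alikes:", find_lookalikes(rows, ["airforce.com"]))   # {'air-force.com': 'airforce.com'}
```

The thresholds are deliberately loose for a short sample; on a real resolver log you would tune them per zone, whitelist known high-entropy legitimate senders (CDNs, anti-virus cloud lookups, DKIM/SPF checks also put encoded data in names), and also key on query volume per client and on unusual record types such as TXT and NULL.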


References

"ARIN." American Registry for Internet Numbers (ARIN), www.arin.net/.

Berry, Nolan. "ndberry/DNS_Exfil_Tool." GitHub, 18 Oct. 2017, github.com/ndberry/DNS_Exfil_Tool.

Klensin, J. "Role of the Domain Name System (DNS)." RFC 3467, IETF Tools, tools.ietf.org/html/rfc3467.

Mockapetris, P. "Domain Names - Concepts and Facilities." RFC 1034, IETF Tools, tools.ietf.org/html/rfc1034.

Mockapetris, P. "Domain Names - Implementation and Specification." RFC 1035, IETF Tools, tools.ietf.org/html/rfc1035.

"Overview of DNSSEC." TechNet, 11 Feb. 2014, technet.microsoft.com/en-us/library/jj200221(v=ws.11).aspx.