How does DNS Tunneling Work?

DNS tunnelling is just another tunnelling technique. Usually, it is called VPN over DNS too, it is just naming. What it makes it very popular is that not all carriers or network administrators are aware of it or if they are, they don't know exactly how to stop it. Rogers, one of the biggest telecommunication carrier in Canada and Telcel the biggest player of mobile telephony in Mexico, both allow DNS tunnelling (I don't doubt others carriers do as well), so when you run out of data in your plan you can still connect if you configure it in your mobile. This is because smartphones need to connect to some carrier servers regardless if you have the right to 2G/3G/4G data access or not; smartphones still have access to the local DNS server. Local networks have the same symptom because DNS is used to access many IT services like the Active Directory, it is very difficult to differentiate between a true legitimate DNS query and DNS tunnelling traffic without the proper tools.

Because of this, I am going to describe how this technique works.

The DNS Protocol

The DNS protocol is one of the oldest protocol on the Internet. It lacks security by design (although there are some security layers such as SecDNS and the new DNS over TLS). Its architecture of zone delegation allows forwarding DNS request to other servers. The top TLD could be hosted in one server while a subdomain in another one.

Your computer has at least one DNS server configured, if you are in your home, this DNS server is usually your Internet router. The DNS server that resides inside that router (or any LAN) has a trust relationship. This means it will resolve all DNS requests. When your computer asks for google.com, your local DNS server will look for the request your computer asks for, this is commonly called a recursive DNS. Usually, You don't find recursive DNS servers on the Internet only in local networks. As this DNS server does not host google.com zone, it will look for it and it will grab the request answer for you.

Now, let's remember the types of DNS queries within the DNS Protocol. The DNS protocol has many types of DNS records, most common records are:

• MX: it is used to deliver email using the SMTP protocol.
• SRV: it is used for some advanced services to know what server to use. SRV records are very common for high availability or load balancing scenarios.
• A: it is used to store IPv4.
• AAAA: it is used to store IPv6.
• A6: it is used to store IPv6 as well.
• TXT: it is used to store any general information. TXT records are the ones that are used for DNS tunnelling.
• PTR: it is used for reversal DNS information.

If you want to read a full list of DNS record types, you can consult this Wikipedia article.

The DNS Tunneling Technique - How Does It Work?

If you are looking forward to building your own DNS you will need the following elements:

1. A public domain name, you could use a sub-domain but if you are not familiar with NS records I suggest you use a TLD. The DNS zone or sub-domain A, NS and SOA records must point to the DNS tunnelling server.
2. A server where to install the DNS tunnelling software. I won't cover how to do this in this article, but I will cover the concepts and how this works.
3. Install the software on your computer. Usually, the software will raise an Interface with private addressing. All the traffic you want to pass through the tunnel you will need to pass through it.

The software I recommend for this technique is Iodine, but there are more. I think there is an Android port for it (you will need a rooted device to use it). When you start the software, the client will request your local DNS server some records about the tunnelling zone you are using. The local DNS server (the one in the LAN or Internet router) will act as a proxy, for its eyes,  it is just serving DNS requests.

The client and the DNS tunnelling server will start doing some negotiations to find what kind of DNS records are allowed and the maximum length of that record. Some carriers have IDS/IPS devices in which they block crafted DNS packets, for example, they block NULL packets or they block DNS packets longer than 512 bytes. After the handshake is done, your local computer will only do the allowed queries and the DNS tunnelling server will answer with the allowed conditions.

If you put a sniffer, you will see queries like this:

TXT 2939sfyxkdis.inside-out.xyz

These queries are never the same, this is used to avoid any kind of DNS caching. As you guess, TXT DNS records are very common in DNS tunnelling technique. Your local computer will build a valid TCP/IP packet later with the payload.

Side Effects of DNS Tunneling

Although DNS tunnelling is not easy to block, it has a big side effect: slowness. DNS tunnelling is slow and you will need to know that if you are planning to use it. You may mitigate this if you install a transparent proxy such as ziproxy and do an object compression before sending information through the tunnel. I will not cover how to do this in this article.

There are some VPN providers that claim to do DNS VPN without the speed penalty. Well, this is not true. DNS Tunneling works under UDP, which it has a maximum MTU of 1500, usually 512 (as some carriers or ISP'es block UDP packets longer than 512 bytes). So, fragmenting a TCP packet (longer than 1500) into many 512-byte chunks maks the speed significantly slower. On top, add that DNS is recursive, your DNS request is being processed through an unknown change of DNS servers before it arrives at you.

So, the next question would be: what are they doing? My guess is just passing UDP streams through the port 53/udp, which it is not DNS tunnelling. It is just a VPN using another port, for example, OpenVPN using 53/udp instead of the classic 1194/udp port. This approach is faster but very easy to block. You just block access to port 53/udp to any other server different than your local DNS.

Blocking the DNS Tunneling

Good luck with that! I can suggest the following actions:

• The good thing is that DNS runs on ports 53/tcp and 53/udp, so by blocking UDP packets longer than 512 bytes, and TCP packets longer than 1024 you will get a good start. If you are in Linux a simple iptables rule like this will do the magic:
  iptables -I INPUT -p udp --sport 53 -m length --length 512:65535 -j DROP
  iptables -I INPUT -p udp --dport 53 -m length --length 512:65535 -j DROP
  iptables -I INPUT -p tcp --sport 53 -m length --length 1025:65535 -j DROP
  iptables -I INPUT -p tcp --dport 53 -m length --length 1025:65535 -j DROP
  
  Remember to do it on both IPv4 and IPv6. Don't forget this won't stop the DNS tunnelling, but since longer packets will be dropped, this will discourage the use of DNS tunnelling in your network as the speed will be very slow.
• Block TXT and NULL type record. Although this could have a side effect, you will block DNS tunnelling with this. TXT records are used for many things, such as SPF and domain validation. If you are not using any these use cases, you can go for this option (if your local DNS server allows it).
• Write a PowerDNS plugin whose mission would be to act as a proxy. It could detect by regular expression or artificial intelligence the kind of queries and start blocking.
• Install a IDS/IPS like Snort or Suricata and put some special signature rules to block the traffic. You will need to install this software on the router (if a Linux router is), to configure a mirror port or a bridge (with a server with 2 unnumbered interfaces linked in a bridge interface). The logic of this is easy. If you find many DNS queries of the same type to a specific domain, then there is a DNS tunnelling there. I have found a McAfee article where they suggest some Snort rules, they are incomplete but they are a good beginning to start building the desired final rules. If time allows, I will try to write a proper Snort rule.

Do You need a DNS Tunneling Server?

If the server technical part is not your thing, I can offer you server rent through a monthly subscription. The following cities are available:

• Standard Servers: https://services.okay.network/cart.php?gid=7
• High Performance Serves: https://services.okay.network/cart.php?gid=8

Good Luck!