Welcome to DNSfs

DNSfs is a demonstration implementation of a DNS-based data transfer mechanism. The examples provided show how easily DNSfs can be used to steal data from inside a network. The sample code is set up to transfer and decode credit card data. It also shows how to use DNS to download arbitrary files from the Internet.

Using DNS for nefarious purposes is a documented attack vector. However, without a deep understanding of the protocol, it often appears purely theoretical. Because it is difficult to defend against, this risk is frequently dismissed as "theoretical but unlikely."

Classifying this vulnerability as theoretical but unlikely is wrong. DNS is a very simple and easy-to-use attack vector for both data exfiltration and stealthy data downloads. DNSfs is intended to show how easily an attacker can abuse standard Internet DNS for malicious actions.

The examples provided with DNSfs also show that the client requires no additional software to exfiltrate data from a network: a host just needs to be able to generate a DNS request that exits the network. The examples focus on credit card exfiltration because losing that data is obviously important. However, they also look at how to download arbitrary text and binary files placed on the server.

Using DNS for this purpose is not a high speed data transfer system - attackers looking to export large amounts of data quickly will likely use a more traditional bulk data transport like FTP, rsync or HTTP.

Using DNS for data exfiltration is better suited for the long term persistent attack scenario. It also works better than other approaches if the attacker doesn't know what the internals of the environment look like. It is a useful tool to build into supply chain attacks, as the barriers to a successful deployment are very low.

A simple DNS lookup hidden in any supporting code library (Java, Ruby, Rust, Python, etc.) could easily be used to export data. DNS is ideally suited for low-bandwidth, persistent trickle attacks.

Hiding in the noise

Default DNS environments are unnecessarily noisy; convenience configurations can make them even more so. DNS configurations are designed to be robust, using several mechanisms in default client libraries to ensure result delivery. These include automatic retries, zone searching, and more recently, attempting AAAA (IPv6) records before A (IPv4) queries. In environments where IPv4 is dominant, this leads to many failed IPv6 lookups. Furthermore, with domain search enabled, partial hostnames are expanded into a sequence of attempted lookups.

These invalid lookups return NXDOMAIN responses from the server. This floods logs and monitoring tools with invalid traffic. In such a noisy environment, a steady stream of valid but malicious DNS requests becomes significantly harder to detect.
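As an added, defender-side example that is not part of the DNSfs project: the detector below runs over a constructed resolver log excerpt and scores each base domain on the shape of its leftmost labels (number of distinct names, label length, Shannon entropy) rather than on NXDOMAIN volume, so the retry and search-suffix noise described above does not mask the signal. The log line format, the two-label base-domain approximation, the thresholds and the demo-exfil.example domain are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log ("<qname> <qtype> <rcode>"); demo-exfil.example is a
# made-up stand-in for a domain whose leftmost labels carry encoded data.
SAMPLE_LOG = """\
www.example.com AAAA NXDOMAIN
www.example.com A NOERROR
intranet.corp.example.com A NXDOMAIN
mail.example.net AAAA NXDOMAIN
mail.example.net A NOERROR
9f3ab4c7e21d8560.demo-exfil.example A NOERROR
0d7c42e8b1f5a963.demo-exfil.example A NOERROR
e6a13f80c5d27b94.demo-exfil.example A NOERROR
"""

def shannon_entropy(label):
    """Bits per character of one DNS label; encoded data scores near the max."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values()) if n else 0.0

def base_domain(qname):
    """Last two labels as a crude registered-domain stand-in (assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def summarise(log_text):
    """Per base domain: NXDOMAIN count, distinct names, leftmost-label shape."""
    stats = defaultdict(lambda: {"nxdomain": 0, "names": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        qname, _qtype, rcode = line.split()
        s = stats[base_domain(qname)]
        s["nxdomain"] += int(rcode == "NXDOMAIN")
        s["names"].add(qname)
        first = qname.split(".")[0]  # the label an encoder would fill with data
        s["lens"].append(len(first))
        s["ents"].append(shannon_entropy(first))
    return stats

def flag_suspicious(log_text, min_unique=3, min_len=12, min_entropy=3.0):
    """Flag domains with many distinct, long, high-entropy leftmost labels.
    NXDOMAIN volume is reported for context but is never the trigger."""
    flagged = {}
    for base, s in summarise(log_text).items():
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        if len(s["names"]) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[base] = {"unique_names": len(s["names"]), "nxdomain": s["nxdomain"],
                             "mean_label_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2)}
    return flagged
```

On the sample, only demo-exfil.example is flagged even though example.com produced more NXDOMAIN responses, which is the point: failed-lookup volume is the noise, label shape is the signal.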

Data Exfiltration

Network attackers need a mechanism to get data out of a network without tripping any security protections that are in place. Data Loss Prevention (DLP) solutions are becoming more common on network boundaries to try to identify suspicious data transfers. MITRE ATT&CK describes data exfiltration techniques in some detail and provides some suggestions for mitigating the attacks.

DNS is a ubiquitous Internet service. It's one of the core building blocks of the modern Internet. Internal systems that have access to Internet DNS data are vulnerable to the data exfiltration techniques demonstrated in DNSfs.

DNSfs uses the capabilities of DNS to sneakily transfer data in and out of protected networks, bypassing the mitigations.

Data Importing

DNSfs provides the ability to serve the contents of a directory as read-only. One DNS lookup returns a directory listing, and another returns the segment count for a file. The individual segments of the file can then be downloaded. The client side can request the segments in any order, defeating any attempt to reconstruct packet streams for content analysis.

Code Structure

  • dnsfsd - A minimal DNS server providing data exfiltration and file selection and download
  • client.sh - A bash script that operates client-side to demonstrate the ease of data exfiltration and file download using standard tools like dig. The examples in client.sh are simple, intended to demonstrate that the concept works - they are not attempting to be particularly stealthy. Downloading a file with 100 parts results in 100 DNS queries one after another, with no delays added.

Source Code

The source code is available at https://github.com/ch166/dnsfs.