
Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!


DNS Exfiltration and Out-of-Band Attacks

Nitesh Shilpkar


The Domain Name System (DNS) is one of the most fundamental parts of the internet. Billions of users depend on it every day, because it lets us reach services by names humans can understand rather than by IP addresses. However, DNS comes with security issues that organizations should be aware of and take into consideration. Attackers abuse DNS to redirect traffic to malicious sites, to communicate with command and control (C&C) servers, to steal data from organizations and to conduct large-scale attacks that cause real harm. Many organizations are not prepared to mitigate, or even detect, the problems DNS can bring.

Because DNS is critical to maintaining an internet presence, accessing applications, connecting to a network or simply sending an email, everyone can be affected by DNS vulnerabilities. Since almost every connection begins with a name lookup, DNS simply cannot be disabled. Organizations should instead look for ways to protect their DNS data, learn to manage the attack surface DNS exposes, and benefit from the capabilities DNS has to offer.

Security companies and vendors are increasingly aware that DNS is a first line of defense: since almost every connection starts with a DNS lookup, DNS logs are a good resource for analyzing malicious traffic and attacks. Most vendors now expose IP address management (IPAM) data for diagnosing network and security problems. DNS plays an important role in malware detection because of its logical place in the network architecture, and incident response teams rely on DNS, DHCP and IPAM data to carry out thorough investigations and improve their threat hunting capabilities.

DNS traffic should therefore be one of the main sources for network traffic analysis, helping organizations improve their detection and analysis capabilities and be ready for what may come.

In this paper we examine the following:

• About DNS
A brief introduction to DNS and how it works.

• Types of DNS-based attacks
A brief introduction to the types of attacks on DNS.
o DNS Cache Poisoning
o Denial of Service
  o DNS Flood Attacks
  o DNS Reflection Attacks
  o DNS Amplification Attacks

• DNS Tunneling
A brief introduction to DNS tunneling, and to why the DNS port, 53, is so often neglected in organizations' security posture: the sheer volume of DNS traffic makes it impractical to inspect closely.

• Data exfiltration using DNS
How attackers and malware use DNS queries to exfiltrate data out of a network.

• Case Study of DNSMessenger
DNSMessenger is a RAT that uses DNS queries as a two-way channel to its command and control server and executes the malicious PowerShell commands it receives over that channel.

• Out-of-band attacks
A description of "out-of-band" attacks, in which the injected payload makes the target server itself issue a DNS lookup to an attacker-controlled domain.
o SQL Injection
How SQL injection can be used to extract information through DNS queries made by the database server.

o XML Injection
How XML injection can be used to retrieve information from the server.

• Magic of Burp
How Burp Suite (through its Collaborator server) can be used to carry out DNS-based out-of-band attacks and capture the information they leak.

• DNS Exfiltration Restrictions
The limitations of DNS-based exfiltration, such as the maximum label and name lengths and the restricted character set of DNS names.

• Best practices for using DNS data to enhance investigations
Guidelines organizations can use to leverage their DNS traffic for a better security posture.
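The mechanics behind the "Data exfiltration using DNS" and "DNS Exfiltration Restrictions" items, together with the detection side of the best-practices item, as an added Python example that is not part of the original abstract or the talk's own material: it encodes a constructed 512-byte blob into query names that respect the RFC 1035 label and name limits, reassembles them on the receiving side, and then runs a simple detector over constructed BIND-style query-log lines. The domain c2-updates.net, the log lines, the sha256-derived stand-in for an encrypted archive and all thresholds are assumptions made for illustration only.

```python
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict

# RFC 1035 limits: a label is at most 63 octets; a whole name is at most 255 octets
# on the wire, which leaves 253 characters in dotted presentation form.
MAX_LABEL = 63
MAX_NAME = 253
# Matches the query name and type in a BIND-style query-log line (format constructed here).
LOG_RE = re.compile(r"query: (?P<qname>[A-Za-z0-9.-]+) IN (?P<qtype>[A-Z]+)")


def chunk_for_dns(data: bytes, domain: str, seq_width: int = 4) -> list:
    """Sender side: encode data into query names <seq>.<label>[.<label>...].<domain>.

    base32 is used instead of base64 because DNS names are case-insensitive and some
    resolvers rewrite case, which would corrupt a base64 payload. The leading sequence
    label lets the receiver put queries that arrive out of order back in place.
    """
    enc = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    # Characters left for payload once the domain, the sequence label and their dots are paid for.
    budget = MAX_NAME - len(domain) - seq_width - 1
    labels_per_query = budget // (MAX_LABEL + 1)      # each payload label costs 63 chars plus a dot
    if labels_per_query < 1:
        raise ValueError("domain too long to carry any payload")
    per_query = labels_per_query * MAX_LABEL
    names = []
    for start in range(0, len(enc), per_query):
        piece = enc[start:start + per_query]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        name = f"{len(names):0{seq_width}d}." + ".".join(labels) + "." + domain
        if len(name) > MAX_NAME:                      # defensive; the budget arithmetic prevents this
            raise ValueError("query name exceeds the RFC 1035 limit")
        names.append(name)
    return names


def reassemble(names: list, domain: str) -> bytes:
    """Receiver side (the authoritative server for domain): reorder by sequence label and decode."""
    suffix = "." + domain
    parts = {}
    for name in names:
        if name.endswith(suffix):
            labels = name[:-len(suffix)].split(".")
            parts[int(labels[0])] = "".join(labels[1:])
    enc = "".join(parts[k] for k in sorted(parts)).upper()
    enc += "=" * (-len(enc) % 8)                      # restore the padding the sender stripped
    return base64.b32decode(enc)


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payloads score far higher than ordinary hostnames."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Naive: the last two labels. Production code should use the Public Suffix List
    # so that names under suffixes such as co.uk are grouped correctly.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_exfil(log_lines, long_label=40, min_sub=32, entropy_threshold=3.0, min_queries=3):
    """Detector side: group suspicious queries by registered domain and report the busy ones.

    A query is suspicious when any label is unusually long, or when everything left of the
    registered domain is long and high-entropy. The thresholds are constructed for this
    example and must be tuned against a baseline of the environment's own DNS traffic.
    """
    per_domain = defaultdict(lambda: {"queries": 0, "payload_chars": 0})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        labels = m.group("qname").rstrip(".").split(".")
        sub = "".join(labels[:-2])
        suspicious = (max(len(label) for label in labels) > long_label
                      or (len(sub) >= min_sub and shannon_entropy(sub) > entropy_threshold))
        if suspicious:
            stats = per_domain[registered_domain(m.group("qname"))]
            stats["queries"] += 1
            stats["payload_chars"] += len(sub)
    # base32 carries 5 bits per character, so payload characters * 5 / 8 estimates bytes moved out.
    return {domain: {"queries": s["queries"], "approx_bytes": s["payload_chars"] * 5 // 8}
            for domain, s in per_domain.items() if s["queries"] >= min_queries}


ATTACKER_DOMAIN = "c2-updates.net"                     # constructed, not a real C2 domain
SECRET = hashlib.sha256(b"hitb-dns-exfil-demo").digest() * 16   # constructed 512-byte stand-in for an encrypted archive
EXFIL_NAMES = chunk_for_dns(SECRET, ATTACKER_DOMAIN)

# Constructed resolver log lines: three benign lookups, one odd-looking query that stays
# below the volume threshold, and the five queries carrying SECRET.
SAMPLE_LOG = [
    "client 10.0.0.5#53120: query: www.google.com IN A + (10.0.0.1)",
    "client 10.0.0.5#53121: query: mail.example.org IN MX + (10.0.0.1)",
    "client 10.0.0.7#40010: query: cdn-edge-12.static.example.net IN AAAA + (10.0.0.1)",
    "client 10.0.0.9#40011: query: 4f1b9c2e7a8d3f6b0c5e9a1d2b3c4f5e.metrics.example.net IN A + (10.0.0.1)",
] + [f"client 10.0.0.5#5{i:04d}: query: {name} IN TXT + (10.0.0.1)" for i, name in enumerate(EXFIL_NAMES)]


if __name__ == "__main__":
    for name in EXFIL_NAMES:
        print(len(name), name[:60] + "...")
    assert reassemble(EXFIL_NAMES, ATTACKER_DOMAIN) == SECRET
    print(detect_exfil(SAMPLE_LOG))
```

With a 14-character domain each query carries three full 63-character labels, so the 512-byte blob needs five queries; the detector reports c2-updates.net with those five queries and an estimate of about 525 bytes moved (the sequence labels inflate the estimate slightly). The single hex-looking query to example.net is judged suspicious on its own but never reaches the volume threshold, which is the trade-off the best-practices section is about: the length and entropy checks catch the encoding, the per-domain count keeps one-off CDN or telemetry names from paging an analyst.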


Nitesh Shilpkar is a passionate security researcher who likes learning new aspects of security. He is currently working with PwC Singapore. He has received multiple CVEs for finding bugs in products such as Adobe ColdFusion, Adobe Shockwave Player, Apple iCloud and Amazon Kindle, and has been acknowledged by over 40 organizations, including Facebook, Google and AT&T. He holds the OSCE, OSCP, OSWP and CREST-CRT certifications and is interested in exploit development and research.