In and Out the DNS Tunnel presented at CarolinaCon15 2019

by Stuart Mcmurray

Summary: DNS is one of the three protocols that will get C2 out of nearly any network, and for some (e.g. "airgapped") networks it is often the only way out. Defensive tooling around DNS is usually nowhere near as robust as it is for HTTP and HTTPS, leaving a really nice avenue for the sort of folks who want to sneak comms out of a network. This talk will demystify DNS tunneling. We'll start with a brief overview of the relevant parts of DNS and why they're great for C2, then dive right into how simple queries and responses are abused to sneak comms into and out of a network, all the way from simple exfil to full bidirectional stream communications. We'll finish up with a few easy wins for Blue teams who are looking to catch DNS tunneling in action.
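The abstract closes with detection, so here is an added example of the kind of heuristic a Blue team can run over DNS query logs. It is not code from the talk or the speaker; the log format, the sample lines, the choice of signals (many distinct names under one registered domain, long query names, high entropy in the leftmost label) and the thresholds are all assumptions of this example and should be tuned against your own baseline traffic.

```python
"""Heuristic DNS-tunnel detector over constructed query logs.

Added example, not from the talk. The signals below are assumptions
of this example rather than rules stated by the speaker:
  * many distinct names under one registered domain,
  * long query names,
  * high Shannon entropy in the leftmost (data-carrying) label.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic): "epoch client qname qtype".
SAMPLE_LOG = """\
1554300001 10.0.0.5 www.example.com A
1554300002 10.0.0.5 mail.example.com MX
1554300003 10.0.0.7 3f9a1c7e5b0d2846fedcba9876543210.t.example-tunnel.test TXT
1554300004 10.0.0.7 a0b1c2d3e4f5061728394a5b6c7d8e9f.t.example-tunnel.test TXT
1554300005 10.0.0.7 7b2e9f4a1c6d08355830d6c1a4f9e2b7.t.example-tunnel.test TXT
1554300006 10.0.0.7 fe1dc2b3a49586700768594a3b2cd1ef.t.example-tunnel.test TXT
1554300007 10.0.0.5 cdn.example.com A
"""

# Thresholds are illustrative assumptions; tune them against your own baseline.
MIN_UNIQUE_NAMES = 3
MIN_MEAN_ENTROPY = 3.0    # bits per character of the leftmost label
MIN_MEAN_QNAME_LEN = 40


def shannon_entropy(text):
    """Bits per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels, e.g. 'example.com'. Assumption: a production
    detector would consult the Public Suffix List to handle 'co.uk' etc."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qname, qtype) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, qtype = parts
        yield client, qname.lower(), qtype


def profile_domains(text):
    """Aggregate per-registered-domain statistics from the log."""
    stats = defaultdict(lambda: {"names": set(), "entropies": [],
                                 "lengths": [], "clients": set()})
    for client, qname, _qtype in parse_log(text):
        d = stats[registered_domain(qname)]
        d["names"].add(qname)
        d["entropies"].append(shannon_entropy(qname.split(".")[0]))
        d["lengths"].append(len(qname))
        d["clients"].add(client)
    summary = {}
    for domain, d in stats.items():
        summary[domain] = {
            "unique_names": len(d["names"]),
            "mean_entropy": sum(d["entropies"]) / len(d["entropies"]),
            "mean_qname_len": sum(d["lengths"]) / len(d["lengths"]),
            "clients": sorted(d["clients"]),
        }
    return summary


def suspicious_domains(text):
    """Return registered domains whose profile matches every heuristic.
    Requiring all three signals keeps busy but benign zones (many names,
    low entropy, short labels) from being flagged."""
    flagged = {}
    for domain, s in profile_domains(text).items():
        if (s["unique_names"] >= MIN_UNIQUE_NAMES
                and s["mean_entropy"] >= MIN_MEAN_ENTROPY
                and s["mean_qname_len"] >= MIN_MEAN_QNAME_LEN):
            flagged[domain] = s
    return flagged


if __name__ == "__main__":
    for domain, s in suspicious_domains(SAMPLE_LOG).items():
        print(f"{domain}: {s['unique_names']} names, "
              f"entropy {s['mean_entropy']:.2f} bits/char, "
              f"mean length {s['mean_qname_len']:.1f}, clients {s['clients']}")
```

On the constructed log, `example.com` reaches the unique-name threshold too, but its labels are short and low-entropy, so only `example-tunnel.test` is reported; that is the reason for combining signals rather than alerting on any one of them. Feeding real resolver logs through `parse_log` is the only change needed to run this against a network, and the per-domain client list is there so an analyst can pivot straight to the host.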