Combating Malicious DNS Tunnel

The Domain Name System (DNS) is a fundamental Internet infrastructure, which resolves billions of queries per day in support of global communications and commerce. The most common use of DNS is to map human-friendly domain names to machine-readable IP addresses.The DNS is designed based on the client-server model where stub resolver at the client side originates DNS query for some query name and authoritative server at the server side responses with the requested mapping associated with the query name. To simplify client and enhance the scalability and efficiency of name resolution, stub resolver commonly relies on recursive resolver to traverse the DNS tree and return final answer. The DNS is known to be susceptible to cache poisoning and man-in-the-middle attacks, so the major efforts devoted to securing DNS in the past two decades focused on ensuring source authentication and data integrity (such as the DNSSEC initiatives), which are essential for the common use of DNS. As the DNS is taken for granted an indispensable service for almost every Internet end user, it is also convenient for malicious use. An emerging misuse of DNS in recent years is DNS tunnel. Unlike the common use of DNS which aims at finding the mapping data associated with the interested query name, the goal of DNS tunnel is to use DNS as a communication stack between the querier and the responder. A DNS tunnel can be used for “command and control”, data exfiltration or tunneling of any internet protocol (IP) traffic. There are a variety of services that leverage DNS tunnel to convey specific information about their users to their providers.For example, Sophos [5] designs and maintains a protocol/framework to encode generic information about the threat and the detection, which is based on DNS transaction. When a Sophos-enabled endpoint triggers a detection by a scanner and needs to look up the security services, it requests the sophosxl.net name servers using a specially crafted DNS query. The domain in the DNS query is generated to include all necessary information about the suspicious file. Then the endpoint adjust its behavior according to the information