DNS Exfiltration - Introduction

What is DNS Exfiltration?

DNS exfiltration can be a means of getting data off a compromised machine without detection.

Why use DNS Exfiltration?

If you are conducting legitimate security research, and you need to demonstrate that you can exfiltrate data from a target whilst circumventing certain security measures, DNS exfiltration could help you.

DNS exfiltration allows an attacker to get data off a compromised machine. There are many ways to exfil data, and we should value simplicity, but the use of DNS has its advantages. For example: some webservers may have a WAF that uses domain whitelisting to allow outgoing HTTP requests from the application only to pre-approved domains. DNS config changes are often at fault when large tech companies suffer downtime (such as the Facebook DNS failure), and sysadmins are rightly reluctant to introduce firewall rules that may disrupt DNS functionality. This may mean that getting data off a compromised webserver is simply easier with DNS exfil than it is by other means. Outbound DNS lookups may also be less closely monitored than things like SSH logins.

DNS Exfil System Architecture

DNS exfil requires two components: some code executing on the target machine, and a nameserver controlled by the attacker. The basic steps are as follows:

  • Obtain a Second Level Domain (example.com) for the exfiltration
  • On the registrar, provide an IP address to use as a nameserver for *.example.com
  • Set up a nameserver at that IP address. It should record all DNS lookups to a database
  • Execute code on the target machine that breaks the data down into small chunks the size of subdomains
  • Perform DNS lookups to [exfil-data].example.com
  • The nameserver should then receive all the data via DNS.

Considerations in Encoding Data as Subdomains

Allowed Characters

Perhaps the best choice of allowed characters is to transpose the exfil data to base 36 ([a-z0-9]). A hyphen (-) is allowed in a subdomain, but not as the first symbol, so the attacker should probably avoid using it.

Length

The whole domain name, including the SLD, and inclusive of any dots, can’t go above 253 bytes. The length of any one layer of subdomain must not exceed 63 bytes. Overall, taking 120 bytes of exfil data, transposing it into base 36, then presenting it as three 62-symbol subdomain layers will work for a typical attack.

Transport Layer Considerations

DNS exfiltration happens over UDP. Packets may get dropped. Arranging for the nameserver to respond with a (random) IP address, and using this as an acknowledgement of receiving a lookup, may allow the attacker to augment the transport layer with some kind of retry system, but packets will still get dropped.

Other Data Treatment

Compression may be an attractive option, to minimise the number of ‘packets’ (i.e. domain names) that need to be exfilled. Encryption should also be an important consideration: the exfilled data is being sent ‘in the clear’, and may be sensitive. Sometimes the attacker may not care, but for legitimate red teaming or bug bounty hunting, it is important not to exfil a set of environment variables full of database passwords from a webserver without thinking about encrypting the transport layer. Remember that encryption should be done after compression, if applicable.

Tip

When conducting a penetration test, think about encrypting the transport layer, where sensitive data is being exfiltrated

Summary

DNS exfiltration is by no means the simplest or easiest way of exfilling data from a compromised system. But it may provide a solution to evading security restrictions or monitoring that would otherwise be prohibitive. Take a look at my Golang DNS exfil tool on Github, still under construction at time of writing, for an example of DNS exfiltration in Go.