Data exfiltration using DNS RPZ

Discussion:

Blason R

2018-06-17 15:43:42 UTC

Hi Team,

Can someone please guide if DNS exfiltration techniques can be identified
using DNS RPZ? Or do I need to install any other third party tool like IDS
to identify the the DNS beacon channels.

Has anyone used DNS RPZ to block/detect data exfiltration?

Sten Carlsen

2018-06-17 16:44:28 UTC

Permalink

Interesting, the Dnssec records with their by definition random and
large content seems to be the most interesting vehicle, at least at
first sight.

Will e.g. the google DNS server or any other resolver deliver and fetch
this data? At the moment I can't think of any reason it should not do so.

To really block this, I think you would need to actually verify the
correctness of the data.

Post by Blason R
Hi Team,
Can someone please guide if DNS exfiltration techniques can be
identified using DNS RPZ? Or do I need to install any other third
party tool like IDS to identify the the DNS beacon channels.
Has anyone used DNS RPZ to block/detect data exfiltration?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users

--
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"

Vadim Pavlov via bind-users

2018-06-17 16:52:38 UTC

Permalink

DNSSEC can be used for infiltration/tunneling (when you get data from a DNS servers) but there is a catch that such requests can be easily dropped.

Vadim

Interesting, the Dnssec records with their by definition random and large content seems to be the most interesting vehicle, at least at first sight.
Will e.g. the google DNS server or any other resolver deliver and fetch this data? At the moment I can't think of any reason it should not do so.
To really block this, I think you would need to actually verify the correctness of the data.

Post by Blason R
Hi Team,
Can someone please guide if DNS exfiltration techniques can be identified using DNS RPZ? Or do I need to install any other third party tool like IDS to identify the the DNS beacon channels.
Has anyone used DNS RPZ to block/detect data exfiltration?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users <https://lists.isc.org/mailman/listinfo/bind-users> to unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users <https://lists.isc.org/mailman/listinfo/bind-users>

--
Best regards
Sten Carlsen
"MALE BOVINE MANURE!!!"
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users

Grant Taylor via bind-users

2018-06-17 17:07:49 UTC

Permalink

Post by Vadim Pavlov via bind-users
DNSSEC can be used for infiltration/tunneling (when you get data from a
DNS servers) but there is a catch that such requests can be easily dropped.

Will you please elaborate and provide a high level overview of how
DNSSEC can be used for infiltration or tunneling?

It is my understanding that DNSSEC is just a cryptographic hash that
clients can verify by calculating their own hash over the results for
the same query. As such, nothing is actually hidden. 1) You know the
outbound query, 2) you know the inbound reply + DNSSEC signature, 3) you
know the algorithm used to generate the hash, and 4) you validate the
DNSSEC signature. So, what about that is hidden?

I fail to see how DNSSEC can be a covert channel, even if there is
manipulation in what key is used. Unless you're expiring & modifying
the ZSK about once a second so that you can change things and try to
hide using something like steganography. Even then, I'm not sure how
well that would work.

--
Grant. . . .
unix || die
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Vadim Pavlov via bind-users

2018-06-17 17:18:52 UTC

Permalink

Just to be more clear. DNSSEC records can contain any content and can be used for infiltration/tunneling.
E.g. If you request DNSKEY record (you can encode your request in fqdn) you will get it exactly "as is". Intermediate DNS servers do not validate the records.
So instead of "standard/usual" TXT records you can use DNSKEY to pass data from a DNS remote server.

Vadim

Post by Vadim Pavlov via bind-users
DNSSEC can be used for infiltration/tunneling (when you get data from a DNS servers) but there is a catch that such requests can be easily dropped.

Will you please elaborate and provide a high level overview of how DNSSEC can be used for infiltration or tunneling?
It is my understanding that DNSSEC is just a cryptographic hash that clients can verify by calculating their own hash over the results for the same query. As such, nothing is actually hidden. 1) You know the outbound query, 2) you know the inbound reply + DNSSEC signature, 3) you know the algorithm used to generate the hash, and 4) you validate the DNSSEC signature. So, what about that is hidden?
I fail to see how DNSSEC can be a covert channel, even if there is manipulation in what key is used. Unless you're expiring & modifying the ZSK about once a second so that you can change things and try to hide using something like steganography. Even then, I'm not sure how well that would work.
--
Grant. . . .
unix || die
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Grant Taylor via bind-users

2018-06-17 17:27:24 UTC

Permalink

Post by Vadim Pavlov via bind-users
Just to be more clear. DNSSEC records can contain any content and can
be used for infiltration/tunneling.

Ah. I think I see.

Post by Vadim Pavlov via bind-users
E.g. If you request DNSKEY record (you can encode your request in fqdn)
you will get it exactly "as is". Intermediate DNS servers do not validate
the records.

You aren't talking about using the DNSSEC mechanisms to {in,ex}filtrate
data as much as you are talking about {ab}using the resource records
that DNSSEC uses as a vector to hide data.

Post by Vadim Pavlov via bind-users
So instead of "standard/usual" TXT records you can use DNSKEY to pass
data from a DNS remote server.

ACK

Thank you for the explanation.

Blason R

2018-06-17 17:48:45 UTC

Permalink

Excellent Inputs guys and thanks a ton for your feedbacks. RPS is quite
interesting and which one is commercial offering for the same?

On Sun, Jun 17, 2018 at 10:56 PM Grant Taylor via bind-users <

Post by Grant Taylor via bind-users

Post by Vadim Pavlov via bind-users
Just to be more clear. DNSSEC records can contain any content and can
be used for infiltration/tunneling.

Ah. I think I see.

Post by Vadim Pavlov via bind-users
E.g. If you request DNSKEY record (you can encode your request in fqdn)
you will get it exactly "as is". Intermediate DNS servers do not

validate

Post by Vadim Pavlov via bind-users
the records.

You aren't talking about using the DNSSEC mechanisms to {in,ex}filtrate
data as much as you are talking about {ab}using the resource records
that DNSSEC uses as a vector to hide data.

Post by Vadim Pavlov via bind-users
So instead of "standard/usual" TXT records you can use DNSKEY to pass
data from a DNS remote server.

ACK
Thank you for the explanation.
--
Grant. . . .
unix || die
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users

Grant Taylor via bind-users

2018-06-17 18:02:11 UTC

Permalink

Post by Blason R
Excellent Inputs guys and thanks a ton for your feedbacks.

You're welcome.

Post by Blason R
RPS is quite interesting and which one is commercial offering for
the same?

The best (read: quick) I have is Paul Vixie's email to OARC's
DNS-Operations mailing list.

Link - [dns-operations] DNS RPS (response policy service) API
-
https://lists.dns-oarc.net/pipermail/dns-operations/2017-October/016860.html

I suspect that will give you a few threads to pull at.

I know that I've exchanged a few emails with Paul and he's always been
quite helpful. I beet he'd be happy to point you to his company's
commercial product.

Vadim Pavlov via bind-users

2018-06-17 16:46:38 UTC

Permalink

Hi,

RPZ is just a simple feature to block/log/redirect DNS requests. It doesn't analyse DNS requests & responses and a client behaviour.
So RPZ can block a domain which used for DNS Exfil/Infil/Tunneling but to detect Exfiltration you should to use 3rd party tools/software (e.g. Infoblox Threat Insight).
+ do not forget that "qname-wait-recurse" should be switched off and a RPZ with such domains must be before (e.g. first) by order any zone which contains IP/NS based rules.

Vadim

Post by Blason R
Hi Team,
Can someone please guide if DNS exfiltration techniques can be identified using DNS RPZ? Or do I need to install any other third party tool like IDS to identify the the DNS beacon channels.
Has anyone used DNS RPZ to block/detect data exfiltration?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users

Grant Taylor via bind-users

2018-06-17 17:01:50 UTC

Permalink

Post by Blason R
Can someone please guide if DNS exfiltration techniques can be
identified using DNS RPZ?

I don't think that Response Policy *Zone* can do what you want to do.
(I've often wondered about this my self and have spent some time
thinking about it.)

Post by Blason R
Or do I need to install any other third party tool like IDS to identify
the the DNS beacon channels.

I don't think you need to replace BIND with another tool.

BIND has a relatively new feature called Response Policy *Service* that
I think is well suited to this.

I think of BIND's RPS much like I do Sendmail's Milter or Cisco' WCCP,
in that they provide a way for BIND (Sendmail, Cisco routers) to ask
something else to do the filtering for them.

Queries come to BIND and it serves them mostly like normal with the
exception being that it gives the RPS daemon an opportunity to do some
more intelligent filtering. The RPS daemon can (theoretically) do some
analysis on the queries including number of queries (to a given
(sub)domain), the length of the queries, the type and length of the
reply, etc.

In short, RP*S* allows active processing to be done on the query. Where
as RP*Z* is only doing a simple textual match

BIND includes the RPS interface for other RPS daemons to interact with.
I believe there is at least one commercial RPS daemon. I'm not aware of
any open source RPS daemons (yet).

Post by Blason R
Has anyone used DNS RPZ to block/detect data exfiltration?

I don't think that RPZ is a good candidate for this, given it's textual
matching. I do think that RPS will be a MUCH better match for this as
it matures.