Inspiration

When most system administrators think of blocking content, they usually think of filtering websites or blocking unnecessary ports so that users only have access to the content they need. Unfortunately, these methods don’t typically prevent DNS tunneling, a technique that encodes data inside DNS queries and responses so that it passes as ordinary name-resolution traffic. Our team first heard of this concept in high school, when a VPN that students used relied on it to stay reachable through the school’s firewall and content-control software. The idea came back up when our team was discussing ideas for RowdyHacks, and we thought it would be interesting to learn how DNS tunneling works and to implement our own version that would “live off the land”, using only the tooling already present on a typical workstation in a restricted network.

What it does

DNS Exfil is a covert way to transfer data into and out of a restrictive network. Almost every network must let DNS through for anything else to work, and the protocol leaves the contents of query names and answer records largely free-form, so we can encode any type of data or file into those fields and pass it between a client and our server, which then distributes those files over the same protocol to users anywhere. What makes this unique is its covert operation and its high availability: even where firewalls and other controls block ordinary file transfer, DNS Exfil can still move files in and out. Our DNS Exfil program also has a mobile interface, which lets you interact with the server from your phone to aid your file transfers. Any file type can be sent (throughput is bounded by the size of individual DNS messages; see What’s next), and everything you upload is saved to the cloud in our SQL database for you to retrieve at any time. Nothing you host or transfer is tied to an identity; note, however, that DNS queries travel in the clear, so the tunnel hides the transfer from port and URL filters, not from anyone inspecting the DNS traffic itself.

How we built it

DNS Exfil is built with Node.js and PowerShell on top of several public services. Domain.com registered our domain and delegates it, through its name server records, to our own server, so queries for the domain reach us regardless of which DNS resolver the client is forced to use; this is what lets the encoded data pass to and from clients on locked-down networks. Google Cloud hosts our custom “DNS” server, the Express web server and the SQL database. Twilio powers the mobile SMS interface, which lets users pull important information from the web server instantly. Google Domains is used for our internal webhook URLs. We thank all of these providers for their sponsorships. The client side relies solely on native Windows tooling (PowerShell and nslookup), so the software requires no installation to run. This was intentional: we wanted the software to be as accessible as possible wherever you may be. All you need to do is type or download the script, and you’re ready to use the service.
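The download direction, as an added Node.js example (not the project’s code) of what a custom “DNS” server behind a delegated domain has to do: it parses the DNS wire format (RFC 1035), answers p<page>.<file id>.example.com with a TXT record carrying that page of the file plus the page count, and returns NXDOMAIN for anything it does not serve, so a client that can only issue TXT lookups with nslookup can walk a file page by page. This is also the kind of paging structure the Accomplishments section refers to. The domain, name layout, page size, file store and TXT string format are assumptions.

```javascript
// Added example (not the project's code): the download direction, served by
// a minimal authoritative responder written against the DNS wire format
// (RFC 1035). A client that can only issue TXT lookups (nslookup) asks for
// p<page>.<file id>.example.com and receives one page per answer together
// with the page count. Domain, name layout, page size and file store are assumptions.
const BASE_DOMAIN = 'example.com';  // assumed domain delegated to this server
const PAGE_BYTES = 180;             // base64 of 180 bytes is 240 chars: one TXT string, response well under 512 bytes
const TYPE_TXT = 16, CLASS_IN = 1;

// Constructed store of files offered for download, keyed by a short id.
const files = new Map([['f1', Buffer.from('Constructed sample file: '.repeat(40))]]);

function encodeName(name) {
  const labels = name.replace(/\.$/, '').split('.');
  return Buffer.concat([...labels.map(l => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')])), Buffer.from([0])]);
}
function decodeName(buf, offset) {
  const labels = [];
  for (;;) {
    const len = buf[offset];
    if (len === 0) { offset += 1; break; }
    if ((len & 0xc0) === 0xc0) {   // compression pointer (RFC 1035 section 4.1.4)
      labels.push(decodeName(buf, ((len & 0x3f) << 8) | buf[offset + 1]).name);
      offset += 2; break;
    }
    labels.push(buf.toString('ascii', offset + 1, offset + 1 + len));
    offset += 1 + len;
  }
  return { name: labels.join('.'), next: offset };
}
// Client: build a standard query (RD set) for name/qtype.
function buildQuery(name, id, qtype = TYPE_TXT) {
  const header = Buffer.alloc(12), tail = Buffer.alloc(4);
  header.writeUInt16BE(id, 0); header.writeUInt16BE(0x0100, 2); header.writeUInt16BE(1, 4);
  tail.writeUInt16BE(qtype, 0); tail.writeUInt16BE(CLASS_IN, 2);
  return Buffer.concat([header, encodeName(name), tail]);
}
// Server: answer p<page>.<id>.BASE_DOMAIN with TXT "<page>/<total>:<base64 chunk>".
// Unknown files and pages past the end get NXDOMAIN, like any other name the
// server does not hold; a non-TXT query for a valid name gets NOERROR with no answer.
function handlePacket(query) {
  const id = query.readUInt16BE(0);
  const { name, next } = decodeName(query, 12);
  const qtype = query.readUInt16BE(next);
  const question = query.subarray(12, next + 4);
  const respond = (rcode, rdata) => {
    const header = Buffer.alloc(12);
    header.writeUInt16BE(id, 0);
    header.writeUInt16BE(0x8400 | rcode, 2);          // QR=1, AA=1
    header.writeUInt16BE(1, 4); header.writeUInt16BE(rdata ? 1 : 0, 6);
    if (!rdata) return Buffer.concat([header, question]);
    const rr = Buffer.alloc(12);
    rr.writeUInt16BE(0xc00c, 0);                        // name: pointer to the question name at offset 12
    rr.writeUInt16BE(TYPE_TXT, 2); rr.writeUInt16BE(CLASS_IN, 4);
    rr.writeUInt32BE(0, 6);                             // TTL 0: tunnel data must not be cached
    rr.writeUInt16BE(rdata.length + 1, 10);             // RDLENGTH: one <len><chars> string
    return Buffer.concat([header, question, rr, Buffer.from([rdata.length]), rdata]);
  };
  const pattern = new RegExp(`^p(\\d+)\\.([a-z0-9]+)\\.${BASE_DOMAIN.replace(/\./g, '\\.')}$`, 'i');
  const m = pattern.exec(name);
  const file = m && files.get(m[2].toLowerCase());
  if (!file) return respond(3, null);                   // NXDOMAIN
  const total = Math.ceil(file.length / PAGE_BYTES), page = Number(m[1]);
  if (page >= total) return respond(3, null);
  if (qtype !== TYPE_TXT) return respond(0, null);      // NOERROR, no data
  const chunk = file.subarray(page * PAGE_BYTES, (page + 1) * PAGE_BYTES);
  return respond(0, Buffer.from(`${page}/${total}:${chunk.toString('base64')}`, 'ascii'));
}
// Client: read the first TXT string out of an answer (null when there is none).
function parseTxtAnswer(resp) {
  const rcode = resp.readUInt16BE(2) & 0xf;
  if (rcode !== 0 || resp.readUInt16BE(6) === 0) return { rcode, text: null };
  let off = decodeName(resp, 12).next + 4;              // skip question
  off = decodeName(resp, off).next + 10;                // answer name, type, class, TTL, RDLENGTH
  return { rcode, text: resp.toString('ascii', off + 1, off + 1 + resp[off]) };
}
// Client: walk the pages. `transport` delivers a query packet and returns the
// response packet; here it is handlePacket in-process, in a deployment it is a
// UDP exchange with whatever resolver the client is allowed to use.
function download(id, transport) {
  const pages = [];
  for (let page = 0, total = 1; page < total; page++) {
    const { rcode, text } = parseTxtAnswer(transport(buildQuery(`p${page}.${id}.${BASE_DOMAIN}`, 0x1000 + page)));
    if (text === null) throw new Error(`page ${page}: rcode ${rcode}, no data`);
    const m = /^(\d+)\/(\d+):(.*)$/.exec(text);
    total = Number(m[2]);
    pages.push(Buffer.from(m[3], 'base64'));
  }
  return Buffer.concat(pages);
}
const fetched = download('f1', handlePacket);
module.exports = { buildQuery, handlePacket, parseTxtAnswer, download, files, BASE_DOMAIN };
```

The page size is chosen so that every response stays under the 512-byte limit of a classic UDP DNS message, which is why per-file throughput is tied to message size: the 1000-byte demo file takes six round trips. TXT data is base64 rather than base32 because, unlike a query name, TXT record contents are not case-folded by resolvers.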

Challenges we ran into

When setting up this project, we used Domain.com to register our domain, as they were very generous with their sponsorship of this year’s RowdyHacks. Unfortunately, we discovered that using their API for the domain required contacting customer support, with no guarantee that access would be granted. As a result, we decided to run our own DNS server, which allowed us to upload files and gave us more flexibility in our implementation.

While trying to set up the DNS server, one of our laptops had a series of issues that required tedious troubleshooting to resolve. This cost us time and effort on the project, but it was still a good experience, because issues like these always come up.

We ran into the issue of overlapping documentation with some of the services we were implementing, which forced us to reconsider how we wanted our application to function. Through troubleshooting, research, persistence, and support from mentors we were able to eventually figure out which documentation to use and successfully implement the service.

Additionally, we needed to pay for credits for our Twilio instance in order to send texts to more phone numbers due to limitations in the trial version of Twilio.

Accomplishments that we're proud of

We’re proud of our ability to develop, within 24 hours, a DNS tunnel that reliably provides ingress and egress transmission, despite our inexperience with the DNS protocol and service wrappers beforehand.

We’re proud of developing robust and reliable infrastructure in such a short period of time.

We’re proud of emulating a paging API structure over a protocol and tools with tight size limits.

What we learned

We learned how to configure SQL, how to work with Google Cloud, how to configure name servers, how to develop scripts with PowerShell, how the DNS protocol works on a fundamental level, and how to manage large sets of complex data. Additionally, we learned some quirks and features of the programming languages, components, and services that we used to develop the project.

What's next for DNS Exfil

We would like to implement higher throughput for both downloading and uploading files. During development we had an idea of how to achieve higher throughput for downloading while still using standard DNS tools (nslookup), but we found that it requires more research and development in order to have a consistent and reliable transmission.

We would like to set up support for domain expansion, so that if our domain were to be targeted and explicitly blocked, we would be able to rotate through alternate domains to maintain service.
