Towards Comprehensive Detection of DNS Tunnels

2020 
The Domain Name System (DNS) is a fundamental service of the Internet, and the DNS tunnel is one of the most threatening abuses of DNS, posing a huge threat to user privacy and Internet security. Attackers conceal information in DNS packets to evade firewalls and intrusion detection systems. Recently, newly developed DNS tunnels used by Advanced Persistent Threat groups tend to use A and AAAA resource records (RRs) for transmission, making them more invisible and more threatening. Previous DNS tunnel detection approaches mainly focus on subdomains and TXT RRs, but less attention has been paid to newly developed DNS tunnels based on A and AAAA RRs. In this paper, we present a novel DNS tunnel detection method that can detect newly developed A and AAAA RR based DNS tunnels. Since DNS tunnels transmit a large amount of encrypted or encoded data in DNS queries and responses, we extract novel features from domains and from the 4 types of RRs (A, AAAA, TXT and CNAME RRs) most commonly used for tunneling, to measure the amount and content of information exchanged between the authoritative nameservers and the clients. We also analyze the detection capabilities when different features are used. The anomaly detection algorithm is applied to the domain-related features and to the features of the 4 types of RRs, respectively. The overlap of the two sets of outliers is marked as DNS tunnels. Our approach has been evaluated on real-world network traffic. The experimental results show that our approach can detect all DNS tunnels in the dataset with an extremely low false positive rate.
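As an added illustration of the detection pipeline the abstract describes (example code written here, not the paper's own implementation), the following Python sketch derives per-zone features from query names and from A/AAAA answers, runs a simple z-score outlier test on each feature set separately, and reports only the zones that are outliers in both. The records, zone names, feature choices and the threshold `k` are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev
TUNNEL_RRS = ("A", "AAAA", "TXT", "CNAME")   # the four RR types the paper singles out

def entropy(s):
    """Shannon entropy (bits per character) of a label string."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())
def zone_features(records):
    """Group (qname, rrtype, rdata) records by zone (last two labels) and return
    {zone: (domain_features, rr_features)}: mean prefix length and mean prefix
    entropy for names, share of distinct answers across tunnel-capable RRs."""
    by_zone = defaultdict(list)
    for qname, rrtype, rdata in records:
        labels = qname.split(".")
        by_zone[".".join(labels[-2:])].append((".".join(labels[:-2]), rrtype, rdata))
    feats = {}
    for zone, rows in by_zone.items():
        prefixes = [p for p, _, _ in rows]
        rdatas = [r for _, t, r in rows if t in TUNNEL_RRS]
        dom = (mean([len(p) for p in prefixes]), mean([entropy(p) for p in prefixes]))
        feats[zone] = (dom, (len(set(rdatas)) / len(rdatas) if rdatas else 0.0,))
    return feats

def outliers(vectors, k=2.0):
    """z-score anomaly detection over {zone: feature_tuple}: a zone is an outlier
    if any feature lies more than k population standard deviations from the mean."""
    zones, flagged = list(vectors), set()
    for i in range(len(vectors[zones[0]])):
        col = [vectors[z][i] for z in zones]
        mu, sigma = mean(col), pstdev(col)
        if sigma > 0:
            flagged |= {z for z in zones if abs(vectors[z][i] - mu) / sigma > k}
    return flagged

def detect_tunnels(records, k=2.0):
    """Report only zones that are outliers on BOTH feature sets, so zones with odd
    names but ordinary answers (e.g. hashed CDN labels) are not flagged."""
    feats = zone_features(records)
    return (outliers({z: f[0] for z, f in feats.items()}, k)
            & outliers({z: f[1] for z, f in feats.items()}, k))

# Constructed sample (not from the paper): ten ordinary zones, one zone with hashed
# cache-busting labels but a stable answer, one zone whose labels and answers both change.
BENIGN = ["mail", "smtp", "imap", "api", "cdn", "ns1", "ns2", "ftp", "vpn", "dev"]
SAMPLE = [(f"{p}.zone{i}.example", "A", f"10.0.{i}.1") for i, p in enumerate(BENIGN) for _ in range(3)]
SAMPLE += [(h + ".static.example", "A", "192.0.2.10") for h in ("0a1b2c3d4e5f", "1f2e3d4c5b6a", "9e8d7c6b5a4f")]
SAMPLE += [("k7m2q9x4b1z8.tun.example", "A", "203.0.113.17"),
           ("p3w6h0r5n2c8.tun.example", "AAAA", "2001:db8:4f1a:9c2e:b7d3:1e50:aa09:77c4"),
           ("v1y5t8j3d6f2.tun.example", "A", "198.51.100.201")]
```

Running `detect_tunnels(SAMPLE)` returns `{'tun.example'}`: the hashed-label zone is an outlier on the name features alone and is therefore left out, which is the point of intersecting the two outlier sets.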