killchain-compendium/exfiltration/dns/dns.md
2021-10-31 02:43:24 +02:00
# DNS
* [Root Servers](https://www.iana.org/domains/root/servers)
* [Zones](https://www.cloudflare.com/learning/dns/glossary/dns-zone/)
* [Records](https://www.cloudflare.com/learning/dns/dns-records/)
## Tunneling
* [Tunnel IPv4 Data through DNS](https://github.com/yarrick/iodine.git)
* Start the server on an Internet-facing DNS server; this may be a VPS.
```sh
# -b 47110: forward ordinary DNS queries to a real nameserver listening on that port
# -f: stay in the foreground; 10.0.0.1: the server's tunnel-side IP
iodined -b 47110 -f 10.0.0.1 tunnel.test.com
```
* Use client via
```sh
iodine -f -r <server-IP> tunnel.test.com
```
* The `NS` record for the tunnel subdomain (e.g. `tunnel.test.com`) in the owned domain must delegate that subdomain to the host running `iodined`
* Client gets a tunnel IP in the range of `10.0.0.0/8`
* Check connection via
```sh
ping <server-IP>
```
* Generate an SSH key and put it on the server
* Dynamic port forwarding to server via
```sh
ssh <user>@10.0.0.1 -D 8080
```
* Point the client's web browser at the SOCKS proxy, e.g. via Chromium's `--proxy-server` flag or a proxy extension like FoxyProxy
## nslookup
```sh
nslookup -type=txt <domain>
```
## Reverse lookup
* Stored inside `PTR` record
* The reverse name is the IP with its octets reversed under `in-addr.arpa.`, e.g. `4.3.2.1.in-addr.arpa.` for `1.2.3.4`; `drill -x` and `dig -x` build that name for you, so they take the plain IP
```sh
drill -x <IP>
# or, with dig (`+short` is a dig option, not a drill one)
dig -x <IP> +short
```
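As an added example (not part of the original page), the following Python builds the reverse-lookup name by hand for both IPv4 (`in-addr.arpa.`) and IPv6 (`ip6.arpa.`, one reversed hex nibble per label), which makes the octet reversal described above explicit and is useful when reviewing PTR zone data or resolver logs. The function name `reverse_name` is this example's own; the standard library's `ipaddress.ip_address(...).reverse_pointer` gives the same result without the trailing dot.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Return the fully qualified name a resolver queries for a PTR lookup of `ip`.

    IPv4: octets reversed, under in-addr.arpa.   1.2.3.4   -> 4.3.2.1.in-addr.arpa.
    IPv6: all 32 nibbles reversed, under ip6.arpa.  2001:db8::1 -> 1.0.0.0...8.b.d.0.1.0.0.2.ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    # Expanded form gives every nibble explicitly, including the compressed zero runs
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    for sample in ("1.2.3.4", "192.0.2.10", "2001:db8::1"):
        print(f"{sample:14} -> {reverse_name(sample)}")
```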
## Exfiltration
* Add data to UDP DNS requests
* Capture traffic on an owned DNS server
* `253` characters is the maximum length of a full DNS name
* Encode the payload to hide it
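From the defender's side, both the iodine-style tunnel above and the exfiltration-in-queries technique leave the same traces in resolver logs: many distinct, high-entropy subdomains under one registered domain, unusual record types (`NULL`, `TXT`, `CNAME`, `MX`, `SRV`) and labels or names pushed toward the 63-byte label and 253-byte name limits. The following Python is an added example, not part of the original page, that scores a constructed query log for those traces. The log format (`timestamp client qtype qname`), the sample lines, the thresholds and the two-label approximation of a registered domain are all this example's assumptions; a real deployment would use the Public Suffix List and tune the thresholds against its own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample of resolver query-log lines (not from the page).
# Assumed format: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2021-10-31T02:43:01 10.1.1.5 A www.example.com
2021-10-31T02:43:01 10.1.1.5 AAAA www.example.com
2021-10-31T02:43:02 10.1.1.7 A mail.example.com
2021-10-31T02:43:02 10.1.1.5 NULL 0aad47b3f1e9c62d8b5e7a1f.tunnel.test.com
2021-10-31T02:43:02 10.1.1.5 NULL 9c3e1f7b2a8d4e6c0b5f1a7d.tunnel.test.com
2021-10-31T02:43:03 10.1.1.5 TXT z4k9q2m7x1p6r3t8w5v0y2b7.tunnel.test.com
2021-10-31T02:43:03 10.1.1.5 TXT n8d2f6h0j4l7s1u5x9a3c7e1.tunnel.test.com
2021-10-31T02:43:04 10.1.1.5 TXT b3g7k1o5s9w2d6h0l4p8t1x5.tunnel.test.com
2021-10-31T02:43:04 10.1.1.5 A c5e9i3m7q1u5y9b2f6j0n4r8a1d5g9j3m7p1s5v9y3b7e1h5.tunnel.test.com
2021-10-31T02:43:05 10.1.1.9 A cdn.example.net
"""

# Record types that carry free-form or large payloads and are rarely seen from ordinary clients.
RARE_QTYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}
MAX_LABEL_LEN = 63   # protocol limit per label
MAX_NAME_LEN = 253   # protocol limit for the whole name

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z0-9]+)\s+(?P<qname>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def shannon_entropy(s):
    """Bits per character; encoded payloads score high, human-chosen hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname, depth=2):
    """Assumption: the last `depth` labels are the registered domain (use the PSL in production)."""
    labels = qname.split(".")
    return ".".join(labels[-depth:]) if len(labels) >= depth else qname


def query_features(qname):
    """Per-query measurements: lengths against the protocol limits and entropy of the client-chosen part."""
    labels = qname.split(".")
    reg = registered_domain(qname)
    sub = qname[: -len(reg)].rstrip(".") if qname != reg else ""
    return {
        "name_len": len(qname),
        "max_label_len": max(len(l) for l in labels),
        "subdomain": sub,
        "entropy": shannon_entropy(sub.replace(".", "")),
    }


def detect_tunnels(log_text, min_queries=5, min_unique=4, entropy_threshold=3.5, long_label=40, long_name=200):
    """Aggregate per registered domain and return {domain: finding} for domains showing tunnel traits."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropies": [],
                                      "rare_qtypes": 0, "long_labels": 0, "long_names": 0, "clients": set()})
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        f = query_features(q["qname"])
        d = per_domain[registered_domain(q["qname"])]
        d["queries"] += 1
        d["clients"].add(q["client"])
        if f["subdomain"]:
            d["subdomains"].add(f["subdomain"])
            d["entropies"].append(f["entropy"])
        d["rare_qtypes"] += q["qtype"] in RARE_QTYPES
        d["long_labels"] += f["max_label_len"] > long_label      # approaching MAX_LABEL_LEN
        d["long_names"] += f["name_len"] > long_name             # approaching MAX_NAME_LEN

    findings = {}
    for domain, d in per_domain.items():
        if d["queries"] < min_queries:          # too little traffic to judge
            continue
        mean_ent = sum(d["entropies"]) / len(d["entropies"]) if d["entropies"] else 0.0
        reasons = []
        if len(d["subdomains"]) >= min_unique and mean_ent >= entropy_threshold:
            reasons.append(f"{len(d['subdomains'])} unique high-entropy subdomains (mean {mean_ent:.2f} bits/char)")
        if d["rare_qtypes"] / d["queries"] >= 0.5:
            reasons.append(f"{d['rare_qtypes']}/{d['queries']} queries use payload-capable record types")
        if d["long_labels"] or d["long_names"]:
            reasons.append(f"{d['long_labels']} labels > {long_label} chars, {d['long_names']} names > {long_name} chars")
        if reasons:
            findings[domain] = {"queries": d["queries"], "unique_subdomains": len(d["subdomains"]),
                                "clients": sorted(d["clients"]), "mean_entropy": round(mean_ent, 2),
                                "reasons": reasons}
    return findings


if __name__ == "__main__":
    for domain, finding in detect_tunnels(SAMPLE_LOG).items():
        print(domain, finding)
```

On the sample log only `test.com` is reported: its six queries come from one client, every subdomain is unique with entropy above 4 bits per character, five of six queries use `NULL` or `TXT`, and one label exceeds 40 characters, while the `example.com` and `example.net` traffic stays below the query minimum and would in any case score low on entropy. The per-domain aggregation matters more than any single query check, because a tunnel encodes its payload across many short queries rather than one long one.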
## Infiltration
* Inside `TXT` or any other possible records