A novel approach to detecting covert DNS tunnels using throughput estimation
In a world that relies heavily on data, protection of that data and of the motion of that data is of the utmost importance. Covert communication channels attempt to circumvent established methods of control, such as firewalls and proxies, by utilizing non-standard means of getting messages between two endpoints. The Domain Name System (DNS), the system that translates text-based resource names into machine-readable resource records, is a very common and effective platform upon which covert channels can be built. This work proposes, and demonstrates the effectiveness of, a novel technique that estimates data transmission throughput over DNS in order to identify the existence of a DNS tunnel against the background noise of legitimate network traffic. The proposed technique is robust in the face of the obfuscation techniques that are able to hide tunnels from existing detection methods.
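As an added illustration of the idea in the abstract (this is not the paper's own code or algorithm), the following estimates how many bytes per second each client moves through DNS to each registered domain, over constructed log lines, and flags pairs whose rate stands out from ordinary lookups. The log format, the payload heuristic (subdomain label bytes plus response bytes), the 1 s minimum span and the 500 B/s threshold are all assumptions made for the example.

```python
# Added example, not the paper's code. Log format, the payload heuristic, the
# 1 s minimum span and the 500 B/s threshold are assumptions for illustration.
from collections import defaultdict

# Constructed log: "<epoch_seconds> <client> <qname> <qtype> <response_bytes>".
# 10.0.0.5 does ordinary lookups; 10.0.0.7 queries a placeholder tunnel domain.
SAMPLE_LOG = """\
1000.0 10.0.0.5 www.example.com A 60
1000.5 10.0.0.5 cdn.example.com A 72
1003.0 10.0.0.5 mail.example.com MX 90
1001.0 10.0.0.7 4a6f686e20446f65.t.tunnel-example.test TXT 410
1001.2 10.0.0.7 5468697320697320.t.tunnel-example.test TXT 405
1001.4 10.0.0.7 6120746573742066.t.tunnel-example.test TXT 398
1001.6 10.0.0.7 6f722074686520646e.t.tunnel-example.test TXT 420
1001.8 10.0.0.7 732074756e6e656c.t.tunnel-example.test TXT 402
"""

def registered_domain(qname):
    """Last two labels of a name (assumption: no public-suffix list is used)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text):
    """Yield (timestamp, client, qname, response_bytes) from the log text."""
    for line in text.splitlines():
        ts, client, qname, _qtype, size = line.split()
        yield float(ts), client, qname, int(size)

def estimate_throughput(records, min_span=1.0):
    """Bytes/second per (client, registered domain): subdomain label bytes
    (the part a tunnel client controls) plus response bytes, divided by the
    observed span, floored at min_span so one burst is not an infinite rate."""
    totals, first, last = defaultdict(int), {}, {}
    for ts, client, qname, size in records:
        key = (client, registered_domain(qname))
        totals[key] += len(qname.rstrip(".")) - len(key[1]) + size
        first.setdefault(key, ts)
        last[key] = ts
    return {k: totals[k] / max(last[k] - first[k], min_span) for k in totals}

def flag_tunnels(rates, threshold=500.0):
    """(client, domain) pairs whose estimated rate exceeds the threshold."""
    return sorted(k for k, r in rates.items() if r > threshold)

if __name__ == "__main__":
    rates = estimate_throughput(parse_log(SAMPLE_LOG))
    for (client, domain), rate in sorted(rates.items()):
        print(f"{client:<10} {domain:<22} {rate:8.1f} B/s")
    print("flagged:", flag_tunnels(rates))
```

On the constructed log the ordinary client comes out near 78 B/s while the tunnel client exceeds 2000 B/s; a real deployment would derive the threshold from a baseline of the network's own legitimate traffic rather than a fixed constant.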
dns, network security, entropy, covert channels