A Survey of DNS Tunnelling Detection Techniques Using Machine Learning

Shiraz Yassine, Jawad Khalife, Maroun Chamoun, Hussein el Ghor
L'Institut National des Télécommunications et de l'Information, Faculty of Engineering, Saint Joseph University, Beirut, Lebanon

Abstract— The Domain Name System (DNS) is an essential network service that translates human-friendly host names into numerical IP addresses. Almost any network communication is preceded by an exchange with a DNS server. For this reason, attacks that abuse DNS are now among the most challenging threats in the information security community: the protocol is universally available, it is rarely monitored from a security standpoint, and it was never intended for data transfer. In particular, DNS tunnelling, which embeds data in DNS queries and responses, has received considerable attention in the research field over the last years, and recent studies have focused on detecting DNS tunnels using machine learning. The aim of this paper is to provide a comprehensive survey of several techniques recently proposed in the literature for detecting DNS tunnels using machine learning, highlighting their main findings and comparing their obtained results.

Keywords— Domain Name System, Cyber-attacks, Tunnelling detection, Machine Learning.

I. INTRODUCTION

DNS translates easily memorised domain names into numerical IP addresses, an essential service for network and Internet functionality. For this purpose, the DNS protocol uses special message formats and types, such as queries and replies. DNS communicates on port 53, usually over UDP, and over TCP when the message is larger than 512 octets (RFC 1035 [1]). To locate the requested services (web pages, mail servers, ...), 83 DNS record types (as of 2016) can be used. Common DNS records include A, PTR, MX, CNAME, TXT, NS and SOA records.

A DNS server can be authoritative, holding the DNS information for one zone (for example, domain.com), or it can be a local DNS cache serving client queries. DNS queries are of two types [2]: (i) recursive, where a DNS server queries other DNS servers on behalf of the original client for name resolution; and (ii) iterative, where the query is forwarded to authoritative servers starting with the root servers, and each server refers the client to the next server in the chain until a server can fully resolve the request. So, the resolution of www.exampledomain.com would query a global root server, then the top-level domain "com" server and finally the "exampledomain.com" server.

From a security perspective, DNS stands out among most protocols as a covert channel for several reasons. First, because DNS is not intended for data transfer, DNS traffic is often allowed without being inspected by network security devices and is almost ignored in network security policies, which makes DNS prone to attacks and misuse. Second, DNS includes flexible fields that attackers can use, such as the TXT record.

Data transfer over the DNS protocol was first described in 1998 [3] and was originally devised as a simple way to bypass the captive portals at the network edge and gain free Wi-Fi access at sites where access is restricted. Today, transferring data over DNS poses a serious security risk to all organisations.

On 18 December 2017, Etisalat UAE [4] made the news: its website was hacked, redirecting users to a Chinese site through DNS tunnelling, with the intent of stealing sensitive user information. This attack shows that DNS can be used to attack well-reputed organisations without resorting to complex network protocols or advanced traffic obfuscation techniques.

The global DNS threat survey [5], covering three regions, has shown that the business sector is taking DNS tunnelling threats more seriously: 38% of businesses are aware of data exfiltration through DNS (24% in 2016), although more than half are still unaware of it. At the same time, 22% of organisations were affected by DNS tunnelling (11% in 2016).

The remainder of this paper is structured as follows. Section II describes DNS tunnelling, the way data can be exfiltrated and the tools used; Section III presents DNS tunnelling detection techniques using machine learning; Section IV compares the surveyed methods; and Section V outlines the conclusion.

II. DNS TUNNELLING

DNS tunnelling [3] allows the transmission of data by encoding the data of other programs and protocols in DNS queries and responses, without alerting firewalls or intrusion detection systems. The original intention was to bypass captive portals in Wi-Fi hotspots at airports or hotels to acquire free Internet access.

DNS tunnelling follows a client-server model. It requires a client to be compromised through malware, phishing or social engineering, with the only requirement being access to an internal DNS server. At the infected client, a persistent backdoor over a DNS tunnel is thus established. DNS tunnels can be used to exfiltrate important and confidential data from an organisation's network (data exfiltration) or as a command and control (C&C) channel [3].

C&C is a communication channel between the target host and the command and control server. It embeds data and commands in DNS queries and responses, and can give full remote access to the compromised host. At the 2012 RSA conference it was presented as one of the most dangerous cyber-attacks [3]. Many malware families have been found using DNS tunnelling to hide their communication, for example Morto [6] and Feederbot [7].

A. How does it work?

Figure 1. DNS tunnelling

As illustrated in Fig. 1, DNS tunnelling requires a compromised client system with external network connectivity and a rogue DNS server controlled by the malicious user, which acts as an authoritative server and runs the server-side tunnelling and data payload programs. After being infected by malware, the DNS client starts issuing recursive DNS queries for a domain name controlled by the threat actor. The local DNS server then forwards the queries iteratively to the authoritative servers, which appears as normal traffic to the local firewall. As shown in Figure 1, sensitive data such as "67AC45001DEF34" can easily be exfiltrated inside the DNS query itself, back to the malicious user's rogue DNS server.

There are many tools [3], [8]-[10] for embedding data in DNS queries and responses between the tunnelled client and the rogue server, which can then forward the data to another destination.

B. Major DNS tunnelling tools

The most commonly used DNS tunnelling tools [8] are DNS2tcp, tcp-over-DNS, OzymanDNS, Iodine, split-brain, DNScat-P/DNScat2 and DNScapy, among others.

DNScat [3], released in 2004, is a Java-based tool that allows two hosts to communicate by routing all traffic through DNS. Iodine [9], released in 2006, is a cross-platform implementation of IPv4 tunnelling through a DNS server; it is written in C and runs on many environments such as Linux, Windows and others. DNS2tcp [10] is a network tool able to encapsulate TCP packets over DNS tunnels; it is written in C and runs on Linux. OzymanDNS [3] is a tool used to create an SSH tunnel over DNS or for file transfer.

Having presented the DNS tunnelling technique and its tools, we turn to the detection of DNS tunnels, which is a challenging task for researchers, as shown in the next section.

III. DNS TUNNELLING DETECTION

As mentioned earlier, the most challenging concern for businesses today is to keep ahead of growing and changing security threats, especially the massive rise in threats such as DNS tunnelling. DNS tunnelling detection techniques can be grouped, following Farnham [3], into two categories: payload analysis and traffic analysis.

In payload analysis, one or more requests and responses are examined for tunnel indicators. The attributes used are the size of requests and responses, the entropy of hostnames, statistical analysis, uncommon record types and policy violations.

In traffic analysis, multiple requests and responses are analysed over time. Traffic attributes used here include, among others, the volume of DNS traffic per IP address and per domain, the number of hostnames per domain, the geographic location of the DNS server and the domain history.

Recently, in response to the DNS tunnelling concern, researchers have tended to use machine learning techniques (MLTs) to detect tunnelling. As mentioned earlier, MLTs are the focus of this survey.

C. Machine learning

Machine learning is a subfield of artificial intelligence used to understand the structure of data and fit it into models that can be used by people. It allows computers to train on data inputs and statistical features. Machine learning is mostly used for efficient tunnelling detection: it provides a way to define normal behaviour in a network, so that anomalies indicating the presence of DNS tunnels can be detected. Several MLTs exist: Support Vector Machine (SVM), Naïve Bayes (NB), Decision Tree (DT), K-Nearest Neighbour (KNN) and others.
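The mechanism of Fig. 1 and the payload and traffic indicators listed above can be made concrete with a short script. The following is an added example, not code from this paper or from any of the tunnelling tools named in Section II.B: a client-side encoder that packs data into base32 subdomain labels of a hypothetical attacker zone (tunnel-c2.test), the matching server-side decoder, and a detector that computes hostname entropy, query length, record type and unique hostnames per zone over constructed log lines of the form 'epoch src_ip qtype qname'. The log format, the zone name, the UNCOMMON_TYPES set and the thresholds in tunnel_indicators are assumptions of the example, not values taken from the surveyed works.

```python
"""Added example (not from the surveyed paper or any tunnelling tool): how a DNS
tunnel packs data into query names, and Section III's indicators over log lines."""
import base64
import math
from collections import defaultdict

MAX_LABEL, MAX_NAME = 63, 253  # RFC 1035 label limit; practical FQDN limit
CHUNK = 35                     # 35 bytes -> 56 base32 characters, one label
UNCOMMON_TYPES = {"TXT", "NULL", "KEY"}  # assumption: rarely queried by end hosts


def encode_tunnel_queries(data, domain, chunk=CHUNK):
    """Client side: base32-encode each chunk of `data` into one subdomain label
    of the attacker zone `domain`, prefixed by a sequence label for reordering."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk)):
        label = base64.b32encode(data[off:off + chunk]).decode().rstrip("=").lower()
        name = f"{seq}.{label}.{domain}"
        assert len(label) <= MAX_LABEL and len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_tunnel_queries(names, domain):
    """Rogue authoritative server side: keep queries for our zone, restore the
    base32 padding and reassemble the chunks in sequence order."""
    parts, suffix = {}, "." + domain
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, label = name[:-len(suffix)].split(".", 1)
        label = label.upper() + "=" * (-len(label) % 8)
        parts[int(seq)] = base64.b32decode(label)
    return b"".join(parts[i] for i in sorted(parts))


def shannon_entropy(s):
    """Bits per character of `s` (payload indicator: hostname entropy)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(name):
    """Assumption: the zone is the last two labels (a real detector would use
    the public-suffix list)."""
    return ".".join(name.split(".")[-2:])


def domain_profiles(log_lines):
    """Traffic analysis: one profile per zone, from constructed log lines of the
    form 'epoch src_ip qtype qname'."""
    prof = defaultdict(lambda: {"queries": 0, "hosts": set(), "len": [],
                                "ent": [], "uncommon": 0})
    for line in log_lines:
        _ts, _src, qtype, qname = line.split()
        dom = registered_domain(qname)
        sub = qname[:-(len(dom) + 1)] if qname != dom else ""
        p = prof[dom]
        p["queries"] += 1
        p["hosts"].add(qname)
        p["len"].append(len(qname))
        p["ent"].append(shannon_entropy(sub.replace(".", "")))
        p["uncommon"] += qtype in UNCOMMON_TYPES
    return prof


def tunnel_indicators(p):
    """Four indicators for one zone profile; thresholds are assumptions for this
    example, not values from the surveyed papers."""
    n = p["queries"]
    return {"long_names": sum(p["len"]) / n > 50,
            "high_entropy": sum(p["ent"]) / n > 3.0,
            "many_unique_hosts": n >= 4 and len(p["hosts"]) / n >= 0.9,
            "uncommon_types": p["uncommon"] / n > 0.5}


def flag_tunnels(log_lines, min_hits=2):
    """Zones matching at least `min_hits` indicators."""
    return {dom for dom, p in domain_profiles(log_lines).items()
            if sum(tunnel_indicators(p).values()) >= min_hits}


# Constructed sample: benign lookups plus exfiltration of the Figure 1 value
# "67AC45001DEF34", repeated so that it spans several queries.
SECRET = b"67AC45001DEF34;" * 8
TUNNEL_DOMAIN = "tunnel-c2.test"  # hypothetical attacker-controlled zone
BENIGN_LOG = ["1700000001 10.0.0.5 A www.example.com",
              "1700000002 10.0.0.5 A www.example.com",
              "1700000003 10.0.0.7 MX mail.example.com",
              "1700000004 10.0.0.7 A cdn.images.example.com",
              "1700000005 10.0.0.9 A www.example.com"]
TUNNEL_LOG = [f"17000001{i:02d} 10.0.0.5 TXT {q}"
              for i, q in enumerate(encode_tunnel_queries(SECRET, TUNNEL_DOMAIN))]
SAMPLE_LOG = BENIGN_LOG + TUNNEL_LOG

if __name__ == "__main__":
    print("flagged zones:", flag_tunnels(SAMPLE_LOG))
    print(decode_tunnel_queries([l.split()[3] for l in TUNNEL_LOG], TUNNEL_DOMAIN))
```

Run as a script, it flags only tunnel-c2.test and recovers SECRET from the four query names. Note that an encoder can keep per-label entropy low (hex instead of base32, shorter chunks) at the cost of issuing more queries, which is why the traffic-level indicators (unique hostnames per zone, volume per source) are scored alongside the per-query payload indicators rather than relying on entropy alone.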
D. MLTs used for DNS tunnel detection

Machine learning algorithms used in data science fall mainly into two categories: supervised and unsupervised learning. In supervised learning, instances are given with known labels; it includes algorithms such as logistic and linear regression, classification and support vector machines. In unsupervised learning, the instances are unlabelled; a well-known unsupervised algorithm is k-means clustering.

Maurizio Aiello et al. [11] show how basic supervised-learning classifiers can detect DNS tunnelling. Their approach relies on a Bayes classifier exploiting the statistical features of DNS messages, detecting the presence of malicious data by analysing the entire set of information exchanged with the DNS server. The performance evaluation shows that the approach is reliable and that good results are obtained despite the simplicity of the mechanism.

In [12], the same work was enhanced with a monitoring mechanism using the same classifier, which looks at several statistical features of the protocol messages, such as packet inter-arrival times and packet sizes, instead of focusing on a single one, while reducing the classification time. As the authors claim, the approach is reliable, robust and fast for DNS tunnelling detection.

Anirban Das et al. [13] addressed DNS tunnelling through a robust, end-to-end approach for deploying a system that detects malicious DNS activity. Logistic regression is used to detect data exfiltration over DNS and K-means to detect tunnelling. The two models show high detection and low false-positive rates: logistic regression detects exfiltration with a very small false-positive rate of 0.189%, and K-means detects tunnelling with a true-positive rate of 91.68% and a false-positive rate of 0.40%.

Jingkun Liu et al. [14] proposed a mechanism deployed on the recursive DNS server using a set of features including time interval, request packet size, record type and subdomain entropy. The mechanism works in an offline stage, using labelled traffic to identify the existence of tunnelled traffic. To compare their binary-classification mechanism, the authors used three algorithms, Support Vector Machine (SVM), logistic regression (LR) and Decision Tree (DT), and the results show a detection accuracy and precision of 99.96%.

Van Thuan Do et al. [15] addressed DNS tunnelling detection in mobile networks using machine learning. Two methods were selected: One-Class Support Vector Machine (OCSVM) and K-means. Besides the challenge of the small size of the DNS dataset, detection using OCSVM was superior to K-means, particularly because K-means is a clustering algorithm that works better when the clusters are even, which is not the case for DNS tunnelling. OCSVM with the radial basis function kernel obtained the best result, with a 96% F-measure.
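To show what the classifiers surveyed above actually compute, and how the F-measure quoted for several of them is derived, the following is an added example and not code from any of the surveyed papers: a Gaussian naive Bayes classifier written from scratch over three per-query features of the kind used in [12] and [14] (query length, subdomain entropy, inter-arrival time), trained and evaluated on a constructed, labelled dataset with precision, recall and F-measure computed from the confusion counts. The feature distributions in make_dataset are assumptions chosen so that the two classes are separable; real traffic overlaps far more, which is one reason results obtained on different datasets are hard to compare.

```python
"""Added example (not from the surveyed papers): a Bayes classifier over
statistical features of DNS queries, evaluated by false-positive rate and
F-measure on a constructed labelled dataset."""
import math
import random

FEATURES = ("query_length", "subdomain_entropy", "inter_arrival_s")


def make_dataset(n_per_class=200, seed=7):
    """Constructed feature vectors, label 0 = benign, 1 = tunnelled. Benign
    queries: short, low-entropy names, sparse in time. Tunnelled queries: long,
    high-entropy names sent in bursts. Distributions are assumptions."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n_per_class):
        rows.append(([rng.gauss(18, 5), rng.gauss(2.0, 0.6), rng.expovariate(1 / 30)], 0))
        rows.append(([rng.gauss(70, 8), rng.gauss(4.0, 0.3), rng.expovariate(1 / 0.5)], 1))
    rng.shuffle(rows)
    return rows


class GaussianNaiveBayes:
    """Bayes classifier with an independent Gaussian per feature and class."""

    def fit(self, rows):
        by_class = {}
        for x, y in rows:
            by_class.setdefault(y, []).append(x)
        self.prior, self.mean, self.var = {}, {}, {}
        for y, xs in by_class.items():
            n, d = len(xs), len(xs[0])
            self.prior[y] = n / len(rows)
            self.mean[y] = [sum(x[j] for x in xs) / n for j in range(d)]
            self.var[y] = [max(sum((x[j] - self.mean[y][j]) ** 2 for x in xs) / n, 1e-6)
                           for j in range(d)]
        return self

    def log_posterior(self, x, y):
        """log P(y) + sum_j log N(x_j; mu_yj, var_yj), up to a constant."""
        lp = math.log(self.prior[y])
        for xj, mu, var in zip(x, self.mean[y], self.var[y]):
            lp += -0.5 * math.log(2 * math.pi * var) - (xj - mu) ** 2 / (2 * var)
        return lp

    def predict(self, x):
        return max(self.prior, key=lambda y: self.log_posterior(x, y))


def confusion(model, rows):
    """Return (tp, fp, fn, tn) with 'tunnelled' as the positive class."""
    tp = fp = fn = tn = 0
    for x, y in rows:
        p = model.predict(x)
        if p == 1 and y == 1:
            tp += 1
        elif p == 1:
            fp += 1
        elif y == 1:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def f_measure(tp, fp, fn):
    """Harmonic mean of precision and recall, the metric quoted by [15] and [16]."""
    if tp == 0:
        return 0.0
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def run(seed=7):
    """Train on 70% of the constructed rows, evaluate on the remaining 30%."""
    rows = make_dataset(seed=seed)
    split = int(0.7 * len(rows))
    model = GaussianNaiveBayes().fit(rows[:split])
    tp, fp, fn, tn = confusion(model, rows[split:])
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "false_positive_rate": fp / (fp + tn),
            "f_measure": f_measure(tp, fp, fn)}


if __name__ == "__main__":
    print(run())
```

The function run() returns the confusion counts, the false-positive rate and the F-measure on the hold-out split. Comparing classifiers fairly requires reporting all of these on the same dataset, which, as Section V notes, the surveyed papers do not do.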
IV. COMPARING TECHNIQUES

Few papers in the literature have addressed the comparison of methods. Nonetheless, a comparative analysis for detecting DNS tunnelling using machine learning techniques was presented by Mahmoud Sammour et al. in [16] in order to identify the most accurate classifier. The techniques compared are Support Vector Machine (SVM), Naïve Bayes (NB) and Decision Tree (DT). SVM outperformed the two other classifiers, owing to its high performance in handling multiple class labels, while the other two performed approximately the same: SVM achieved an 83% F-measure, NB 79% and DT 78%.

Saeed Shafieian et al. [17] addressed the exploitation of the DNS protocol to exfiltrate sensitive data via tunnelling. Since signature-based intrusion detection is not effective against it, the authors proposed a technique that employs an ensemble of machine learning algorithms of different natures: Random Forests (RF), K-Nearest Neighbours (K-NN) and Multi-layer Perceptron (MLP). Their results show that:

• an ensemble of machine learning classifiers performs better than a single one;
• the ensemble of RF and MLP has a near-zero false-positive rate in detecting DNS tunnelling;
• the weight of each classifier and the combination rule affect the performance;
• adding more classifiers can reduce the performance.

Across the surveyed works, the main findings are:

• SVM outperformed NB and DT by achieving the highest F-measure [16];
• DNS tunnelling detection in mobile networks using OCSVM is superior to K-means [15];
• logistic regression and K-means detect data exfiltration and C&C tunnels with low false-positive and high detection rates [13];
• a supervised Bayes classifier can be used as a reliable and fast DNS tunnelling detector [11], [12].

Based on the surveyed works, Table 1 summarises and compares the main aspects of each method.

TABLE 1. MLT CLASSIFICATION

Paper | DNS tunnelling detection method(s) | Result
[11] | Bayes classifier (machine-learning-based DNS analysis) | Fast and reliable tunnelling detection
[13] | Logistic regression, K-means | Low false-positive and high detection rate; LR false-positive rate 0.189%, K-means false-positive rate 0.40%
[14] | Binary classification compared with SVM, DT and logistic regression | High detection accuracy, 99.96%
[15] | One-Class Support Vector Machine, K-means | OCSVM accuracy superior to K-means; F-measure 99.6% (Section III quotes 96%)
[16] | Support Vector Machine, Naïve Bayes, Decision Tree | F-measure: SVM 83%, NB 79%, DT 78%
[17] | Random Forests, K-Nearest Neighbours, Multi-layer Perceptron | Ensemble of RF and MLP has near-zero false positives

As shown in Table 1, the methods tend to use different well-known algorithms. The results show reliable DNS tunnelling detection using Bayes, K-means and logistic regression; OCSVM is better than K-means, and SVM is better than Bayes and DT. Binary classification outperforms SVM, DT and logistic regression. An ensemble of machine learning classifiers performs better than a single one, with RF and MLP achieving near-zero false positives.

V. CONCLUSIONS

In this paper, we surveyed some DNS tunnelling detection techniques using machine learning. The approaches cover a range of tunnelling detection problems, which helps to define the scope of research. With this variety, it is a challenging task to identify the most suitable classifier for detecting DNS tunnelling. Throughout this survey, we have shown several challenges for researchers in the field: results for the different machine learning methods do not report the same performance metrics and use different datasets.
REFERENCES

[1] P. Mockapetris, "Domain Names - Implementation and Specification", RFC 1035, November 1987.
[2] "Recursive and Iterative DNS Queries", http://www.omnisecu.com/tcpip/recursive-and-iterative-dns-queries.php
[3] G. Farnham and A. Atlasis, "Detecting DNS Tunneling", SANS Institute InfoSec Reading Room, 2013.
[4] UAE Today, "Advanced DNS Protection is the need of the hour of Middle East telco operators, in the light of Etisalat website hacking", http://www.uaetoday.com/news_details.asp?newsid=52987
[5] "2017 Report - The Global DNS Threat Survey", http://www.infosecurityeurope.com/__novadocuments/445925?v=636554315770370000
[6] C. Mullaney, "Morto worm sets a (DNS) record", technical report, Symantec, 2011. http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
[7] C. J. Dietrich, C. Rossow, F. C. Freiling, H. Bos, M. van Steen and N. Pohlmann, "On Botnets that use DNS for Command and Control".
[8] M. Aiello, A. Merlo and G. Papaleo, "Performance Assessment and Analysis of DNS Tunneling Tools".
[9] Iodine, https://code.kryo.se/iodine/
[10] DNS2tcp, https://tools.kali.org/maintaining-access/dns2tcp
[11] M. Aiello, M. Mongelli and G. Papaleo, "Basic Classifiers for DNS Tunneling Detection", 2013.
[12] M. Aiello, M. Mongelli and G. Papaleo, "DNS Tunneling Detection Through Statistical Fingerprints of Protocol Messages and Machine Learning", 2014.
[13] A. Das, M.-Y. Shen, M. Shashanka and J. Wang, "Detection of Exfiltration and Tunneling over DNS", 2017.
[14] J. Liu, S. Li, Y. Zhang, J. Xiao, P. Chang and C. Peng, "Detecting DNS Tunnel through Binary-Classification Based on Behavior Features", 2017.
[15] V. T. Do, P. Engelstad, B. Feng and T. V. Do, "Detection of DNS Tunneling in Mobile Networks using Machine Learning", 2017.
[16] M. Sammour, B. Hussin and M. F. I. Othman, "Comparative Analysis for Detecting DNS Tunneling Using Machine Learning Techniques", 2017.
[17] S. Shafieian, D. Smith and M. Zulkernine, "Detecting DNS Tunneling Using Ensemble Learning", 2017.