Consiglio Nazionale delle Ricerche

Tipo di prodottoArticolo in rivista
TitoloPerformance assessment and analysis of DNS tunneling tools
Anno di pubblicazione2012
Autore/iM. Aiello; A. Merlo; G. Papaleo
Affiliazioni autoriIEIIT- UOS di Genova
Autori CNR e affiliazioni
  • inglese
AbstractDNS tunnels are built by proper tools that allow embedding data on DNS queries and responses. Each tool has its own strategies that affect the network performance in a unique way. In this article, we propose an architectural analysis of the current state-of-the-art of DNS tunneling tools. Then, we provide a comparative evaluation of such tools in term of performance, as a first step towards the possibility to relate each tool with a specific pattern of the DNS traffic. To this aim, we define an assessment of the tools in three different network configurations based on three performance metrics. We finally analyse the testing results and provide a first characterization of the performance of each tool.
Lingua abstractinglese
Altro abstract-
Lingua altro abstract-
Pagine da-
Pagine a-
Pagine totali-
RivistaLogic journal of the IGPL (Online)
Attiva dal 1997
Editore: Oxford University Press, - Oxford
Paese di pubblicazione: Regno Unito
Lingua: inglese
ISSN: 1368-9894
Titolo chiave: Logic journal of the IGPL (Online)
Titolo proprio: Logic journal of the IGPL (Online)
Titolo abbreviato: Log. j. IGPL (Online)
Numero volume della rivista-
Fascicolo della rivista-
Verificato da refereeSì: Internazionale
Stato della pubblicazione-
Indicizzazione (in banche dati controllate)
  • ISI Web of Science (WOS) (Codice:WOS:000263821600022)
Parole chiave-
Link (URL, URI)-
Titolo parallelo-
Data di accettazione-
Note/Altre informazioniIn the last years, the spread of wired and wireless connectivity has taken organizations to the adoption of mechanisms (e.g. firewalls, captive portals) aimed at controlling the user's access to Internet. In general, such mechanisms act as filters for some network protocols (e.g. HTTP, FTP) while they often allow the transit of service protocols (DNS, ICMP) and are not generally able to filter ciphered ones (e.g. HTTPS, Skype). In this context, a straight way to overcome the restrictions of firewalls is to embed data of filtered protocols inside packets of service or ciphered protocols. To this regard, many research activities [1-3] have been focused on hiding data into various network protocols like IPv4, IPv6, TCP, ICMP, HTTP and HTTPS, building the so-called covert channels. At present, a particularly interesting covert channel is the DNS tunnel, since DNS protocol is seldom filtered by security mechanisms of organizations. For instance, when dealing with a captive portal, if an unauthenticated user tries to connect to an external site, the captive portal solves the DNS query before requesting credentials to the user, thus delivering DNS traffic on Internet. Therefore, each user within the network can produce DNS traffic to reach a destination over the Internet, long before being authenticated or recognized by the system. *E-mail: +E-mail:; ?E-mail: © The Author 2012. Published by Oxford University Press. All rights reserved. For Permissions, please email: doi:10.1093/jigpal/jzs029 2 Performance Assessment and Analysis of DNS Tunneling Tools FIG. 1. Entities involved in a DNS Tunnel. The potential use of DNS queries as covert channels had taken to the development of proper DNS tunneling tools aimed at hiding information inside the DNS requests/responses, using a customized client on the user machine, and a colluded DNS server outside the organization in a destination domain. A DNS tunneling tool embeds data in DNS queries and delivers DNS requests and responses between the tunneled client and a rogue DNS server, exchanging data through proper fields of DNS packets. The rogue server forwards the received data to another destination host (Figure 1). Each DNS tunneling tool adopts its own strategies in order to build tunnels between the host and the rogue server, resulting in covert channels that can show heterogeneous characteristics, and have different impact on the performance of network and honest DNS servers. Therefore, the possibility to correlate some specific performance patterns to a given tool would be useful in detection systems (e.g. IDS) for recognizing DNS tunnels built with such tools. To the best of our knowledge, a comprehensive and deep performance evaluation of all the current state-of-the-art in DNS tunneling tools has not been made. The aim of this article is to propose a first attempt to compare distinct DNS tunneling tools by characterizing their performance and the impact they have on the network. The article is organized as follows: Section 2 points out the related works on convert channels and, in particular, on DNS tunnels; Section 3 provides an introduction to current DNS tunneling tools. Section 4 introduces the testing network architecture, the network scenarios (i.e. proper con- figurations of the general architecture) and the metrics we used in our tests. Section 5 provides the analysis of the results and a characterization of each tool in term of network performance. Finally, Section 6 concludes the article.
Strutture CNR
  • IEIIT — IEIIT - Sede secondaria di Genova
Moduli/Attività/Sottoprogetti CNR
  • INT.P01.004.001 : Rilevazione e controllo di anomalie mediante analisi comportamentale
Progetti Europei-
Performance assessment and analysis of DNS tunneling tools (documento privato )
Tipo documento: application/pdf