International Journal of Sensors, Wireless Communications and Control | 2021
Building a DNS Tunneling Dataset
Abstract
Domain Name System (DNS) is considered the phone book of the Internet. Its main goal is to translate a domain name to an IP address that the computer can understand. However, DNS can be vulnerable to various kinds of attacks, such as DNS poisoning attacks and DNS tunneling attacks.

The main objective of this paper was to allow researchers to identify DNS tunnel traffic using machine-learning algorithms. Training machine-learning algorithms to detect DNS tunnel traffic and to determine which protocol was used will help the community speed up the detection of such attacks.

In this paper, we considered the DNS tunneling attack. In addition, we discussed how attackers can exploit this protocol to exfiltrate data from the network. The attack starts by encoding data inside DNS queries sent to the outside of the network. The malicious DNS server receives the data in small chunks, decodes each payload and reassembles the data at the server. The main concern is that DNS is a fundamental service that is not usually blocked by a firewall and receives less attention from systems administrators because of the vast amount of traffic it carries.

This paper investigates how this type of attack happens using a DNS tunneling tool, by setting up an environment consisting of compromised DNS servers and compromised hosts with the Iodine tool installed on both machines. The generated dataset contains the traffic of the HTTP, HTTPS, SSH, SFTP, and POP3 protocols tunneled over DNS. No features were removed from the dataset, so that researchers can utilize all features in the dataset.

DNS tunneling remains a critical attack that needs more attention. The DNS-tunneled environment allows us to understand how such an attack happens. We built the appropriate dataset by simulating various attack scenarios using different protocols. The created dataset contains PCAP, JSON, and CSV files to allow researchers to use different methods to detect tunnel traffic.
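As an added example (not code from the paper or its dataset), the following Python derives the kind of per-query and per-domain features a detector of the carrier queries described above would be trained on: subdomain length, Shannon entropy of the encoded labels, and the share of never-repeated subdomains under one registered domain. The sample query names, the two-label registered-domain rule and the thresholds are constructed assumptions, not values from the paper.

```python
import math
from collections import Counter, defaultdict
# Constructed sample query names (not from the paper's dataset): five ordinary
# lookups, then tunnel-style carrier queries whose leftmost label changes every time.
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "www.example.com", "cdn.example.net", "api.example.net",
    "0a7f3kq9zx2mv8bn4tjl1hwe6ry5gdp3.t.example.org",
    "9zm2lx7cv4qwb0tn8yr3pk6hj1ds5aef.t.example.org",
    "k4j8h2g6f0d3s7a1pw9ie5ur2yt6oqbn.t.example.org",
    "x1c5v9b3n7m2l6k0j4h8g2f5d9s3a7wq.t.example.org",
    "q7w3e9r1t5y8u2i6o0p4a8s2d6f0g4hj.t.example.org",
]

def shannon_entropy(text):
    """Bits per character; encoded payload looks random and scores high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_name(qname):
    """(subdomain, registered domain). Assumption: registered domain = last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def query_features(qname):
    """Per-query features of the kind a detector is trained on."""
    sub, _ = split_name(qname)
    return {"subdomain_len": len(sub), "entropy": shannon_entropy(sub.replace(".", ""))}

def domain_profile(queries):
    """Per registered domain: a tunnel produces many distinct, long, high-entropy
    subdomains under the one zone the attacker's name server answers for."""
    groups = defaultdict(list)
    for q in queries:
        groups[split_name(q)[1]].append(q)
    profile = {}
    for dom, qs in groups.items():
        feats = [query_features(q) for q in qs]
        profile[dom] = {"queries": len(qs), "unique_ratio": len(set(qs)) / len(qs),
                        "mean_sub_len": sum(f["subdomain_len"] for f in feats) / len(feats),
                        "mean_entropy": sum(f["entropy"] for f in feats) / len(feats)}
    return profile

def flag_tunnel_domains(queries, min_sub_len=30, min_entropy=4.0, min_unique=0.9):
    """Thresholds are illustrative assumptions, not values from the paper."""
    return sorted(d for d, p in domain_profile(queries).items()
                  if p["mean_sub_len"] >= min_sub_len
                  and p["mean_entropy"] >= min_entropy and p["unique_ratio"] >= min_unique)
```

Running `flag_tunnel_domains(SAMPLE_QUERIES)` returns only `example.org`; the same features, computed over the queries in the dataset's CSV files, are natural inputs for the machine-learning detectors the paper targets.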