DNS Tunneling Detection Using Elasticsearch

The Domain Name System (DNS) protocol is a popular medium for malware to perform 'command and control' and take over a victim's computer; this technique is called DNS tunneling. DNS tunneling can also be used to bypass captive-portal hotspots in public places, and it worsens network quality. In its more dangerous form, DNS tunneling is used to exfiltrate data from the victim's computer: instead of using the DNS protocol to translate domain names, the attacker misuses it to smuggle data out. These weaknesses are frequently used by attackers to deceive the network administrator. Our approach to this problem is to analyze the traffic using the number of unique hostnames per domain as an indicator of compromise and to use Elasticsearch to detect DNS tunneling. Elasticsearch sends an e-mail notifying the administrator about the DNS tunneling; the e-mail contains information about the domain suspected of carrying the tunnel. The result from Elasticsearch can be used to extend the domain blacklist so that the domain can no longer be used for DNS tunneling. We hope this combination helps the network administrator secure the network against DNS tunneling. In addition, the network quality analysis shows a rise in jitter and packet loss when DNS tunneling occurs.


Introduction
Recently, Internet security researchers found a malware variant classified as a Remote Access Trojan. This kind of malware uses a new technique that is hard for the network administrator to detect: it performs 'command and control' and takes over the victim's computer through the DNS protocol. This malware is called DNSMessenger [1]. 'Command and control' or sending data through the DNS protocol is called DNS tunneling or DNS exfiltration. Besides 'command and control', malware uses DNS tunneling to bypass the captive portal or hotspot login in public places [2]. However, data theft through the DNS protocol is considered more dangerous than bypassing a captive portal. The malware could exfiltrate various data, such as classified trade data, intellectual property, employee data, customer data, and many others. DNS tunneling requires software installed on the victim's computer in order to work; once that software is installed, the attacker can easily bypass the firewall and the security systems of the victim.
DNS tunneling can also worsen network quality. Earlier research concluded that DNS tunneling can increase the delay of the entire network by 140-1500 ms, jitter by 8-57 ms, and DNS overhead by 200-2000% [3]. This implies that when a client on the network is making a VoIP or video call, the high jitter prevents the voice and video transmission from running smoothly, and the high delay adds a slight lag to the voice and video. The DNS overhead increases the size of the data packets and results in higher bandwidth usage. For the best network quality, Cisco recommends keeping jitter below 30 ms and delay below 150 ms [4].

ICET4SD, IOP Conf. Series: Materials Science and Engineering 722 (2020) 012064, IOP Publishing, doi:10.1088/1757-899X/722/1/012064
Network administrators usually do not give extra attention to DNS traffic. The DNS protocol translates between domain names and IP addresses, so that we can reach a computer or server by name without remembering its IP address. With that common understanding, the administrator forgets that the DNS protocol can also be used to exchange data. That flaw is used by the attacker for 'command and control' or to steal data using DNS tunneling.
Therefore, DNS traffic in a network should be monitored to prevent DNS tunneling. The administrator could block all DNS traffic to prevent tunneling, but that is not an ideal solution, because it would also prevent users from resolving host addresses. Another approach is a DNS sinkhole [5]: a DNS server that answers DNS requests with a wrong (spoofed) IP address so that the requested domain can no longer be reached. This can be used to prevent malware or a DNS tunnel from contacting its server.
A DNS sinkhole uses a list of domains to be blocked. We can make the list manually or download it from websites such as urlblacklist.com and malwaredomain.com. To obtain the domains suspected of DNS tunneling, it is necessary to monitor and log all DNS traffic in the network. Those logs can be obtained from many sources, such as the DNS server, an Intrusion Detection System (IDS), a proxy, and computer logs. Detecting DNS tunneling from the logs manually requires a packet capture analyzer such as Wireshark. This approach is considered hard and time-consuming, and visualizing the result requires yet another tool. Another approach is payload analysis and traffic analysis [2]. Payload analysis can detect certain DNS tunneling tools, while traffic analysis can detect DNS tunneling universally.
Traffic analysis is the approach we use to resolve the issues stated above. We use traffic analysis with the number of unique hostnames as an indicator of compromise, using Elasticsearch. Elasticsearch has components that can be used in this research, such as Packetbeat, Kibana, and Watcher. Packetbeat is a real-time sniffer that captures the DNS traffic, Watcher sends an e-mail notification when DNS tunneling happens, and Kibana is a visualization panel that shows a bar chart of the domain names with the most unique hostnames. We hope this combination helps the administrator secure and monitor the network.

Literature Review
DNS tunneling is a technique to bypass security controls and infiltrate or exfiltrate data from a target. The technique still works because DNS is usually not monitored well; practitioners blindly trust that DNS is secure [6]. Popular tools for DNS tunneling are Iodine [7] and Dnscat2 [8]. Iodine creates a tunnel interface between client and server through which all traffic can be passed. Dnscat2, on the other hand, is used for 'command and control' between client and server. Both tools can bypass the security controls of a network.
DNS has a caching mechanism that accelerates responses to DNS queries; therefore every DNS tunnel program creates random, long hostname strings (unique hostnames) so that resolvers cannot serve the tunnel traffic from cache, which is what makes the data theft possible.
DNS tunneling detection methods are divided into two kinds: payload analysis and traffic analysis. Payload analysis can only detect certain DNS tunneling tools, while traffic analysis can detect DNS tunneling universally. Farnham [2] detects DNS tunneling with traffic analysis, using the number of unique hostnames as an indicator of compromise. The normal number of unique hostnames is below 300; while DNS tunneling is running, the number of unique hostnames rapidly increases to 700 [2].
A tool that can be used to detect DNS tunneling with the traffic analysis method is Elasticsearch. Elasticsearch is an open-source search engine built on Apache Lucene and developed in Java. Elasticsearch can conduct real-time, distributed analysis and supports multiple search mechanisms. Elasticsearch can manage various kinds of logs, such as operating system logs, web server logs, traffic logs, application logs, and Amazon Web Services logs [9].

Research Methodology
To support this research, the researchers built a lab in a virtual environment, which is easier and cheaper to maintain. Although virtual, the setup represents the conditions of a real network. The host is a computer with a quad-core processor, 8 GB of RAM, and a 128 GB SSD, running Ubuntu 19.10 with VirtualBox (KVM hypervisor) as the virtualization software.
Inside VirtualBox a virtual machine is built to run Elasticsearch. The virtual machine has 2 virtual cores, 4 GB of RAM, bridged networking, and runs CentOS 7. For the tunneling server, the researchers use a VPS with CentOS 7, 1 GB of RAM, and one virtual CPU core. Iodine and Dnscat2 are used as the DNS tunneling software. A Mikrotik RB750 is used as the router, serving as gateway and firewall. The clients run Windows 10 and Ubuntu 19.10.
The topology used by the researchers can be seen in the image below. That topology was chosen because it represents the real condition of a network. One of the client computers is the DNS tunnel client, which contacts the DNS tunnel server. The router is configured to mirror its port to the Elasticsearch server, so that all traffic can be read by Elasticsearch for inspection.

Log aggregation and simulation
Log aggregation is done by Elasticsearch using a plug-in, Packetbeat, which captures packets in real time. So that the data set is adequate, DNS Grind from Pentestmonkey is used to generate simulated traffic [10].
DNS tunnel server
Iodine and Dnscat2 run as services on the DNS tunnel server. The client runs the DNS tunnel client, which contacts the DNS tunnel server. In the first experiment the client browses the web through the DNS tunnel; this experiment is intended to create DNS tunnel logs. Elasticsearch runs a job that detects the DNS tunnel from the collected logs, and the result is visualized on the Kibana dashboard. Elasticsearch detects and counts the number of unique hostnames; the domain with the largest number of unique hostnames is flagged as an anomaly. To get the best result, roughly 48 hours of data are needed.

3.2. Detection and analysis
In this stage, an analysis is conducted to find out whether Elasticsearch is able to detect DNS tunneling. The method applied is traffic analysis. Each communication over a DNS tunnel creates a new hostname, and the normal average number of unique hostnames is below 300 [2]; therefore, a larger number of unique hostnames indicates that DNS tunneling is happening. All logs captured by Packetbeat are processed by Watcher with a custom script. After that, Watcher counts the number of unique

Results
The Mikrotik router performs port mirroring to duplicate packets from the DNS server to the Elasticsearch server. The Elasticsearch server runs Packetbeat to sniff the DNS packets. A laptop is prepared to run the DNS tunneling to the server. Watcher computes the cardinality of the hostnames under each domain and outputs the number of unique hostnames. The graphic below, from the Kibana dashboard, shows the number of unique hostnames over 15 minutes without DNS tunneling. Figure 3 shows that the number of unique hostnames in a normal situation is below 100. In this research we use Iodine, Dnscat2, and the malware DNSExfiltrator; we chose these tools because they represent several methods of DNS tunneling.

4.1. Tunneling using Iodine
In this first experiment, we use Iodine to perform DNS tunneling and browse the web through the tunnel. The domain name used for the DNS tunnel server is sanisa.xyz. When the tunnel has been running for 3 minutes, the number of unique hostnames on that domain spikes to 700.

4.2. Tunneling using dnscat2
In the next experiment, we use Dnscat2 to perform 'command and control' on the domain sanisa.xyz.

4.3. Tunneling using malware
In this experiment, the researchers use a malware sample called DNSExfiltrator. The sample is listed on virustotal.com with hash value "ed937bcd5dc05f1021aa83afdb47af266083ef47228e23a32292bad577c53191". This malware can send a file through the DNS protocol. The server side of the malware is written in Python, while on the client side (the victim) a Windows PowerShell script is used. In this trial, we send a file named "data.pdf" of size 685 KB to the server on the domain t4.sanisa.xyz. To confirm that Elasticsearch successfully detects the DNS tunneling, we also capture packets with Wireshark during the tunneling. To analyze the DNS traffic in Wireshark, the researchers use the filter "dns.qry.name.len > 30 and !mdns", which selects DNS queries whose name is longer than 30 characters and which are not multicast DNS. The filtered result shows long, base64-encoded queries on the domain sanisa.xyz.

In the study by Leijenhorst [3], DNS tunneling also worsens network quality. Therefore, in this research we also analyze jitter and packet loss over the UDP protocol to find out the effect of DNS tunneling on the network. We created two tests: the first with a client that had DNS tunneling, and the second with a normal client without DNS tunneling. Both clients run in one network, and we use iperf3 for the measurement. The results are shown below. From the experiments we can conclude that there is a rise in jitter and packet loss. The rise is significant on the client that performed DNS tunneling. On the other client, which did not perform DNS tunneling, the rise is still present but not significant, and still acceptable according to the Cisco recommendation [4].
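The Wireshark filter above is a payload-analysis check. As an added example (not the paper's own code), the following Python applies the same two conditions, name length over 30 and not multicast DNS, to a constructed list of query names, and then tests whether the longest label left of the registered domain looks base64-encoded. The base64-likeness heuristic (long label, base64 alphabet, at least two character classes) is this example's own choice, not something the paper defines, and the query names are constructed.

```python
"""Added example, not the paper's own code: a payload-analysis check equivalent
to the Wireshark filter "dns.qry.name.len > 30 and !mdns", applied to a
constructed list of DNS query names.
"""
import re
from dataclasses import dataclass

BASE64_ALPHABET = re.compile(r"^[A-Za-z0-9+/=_-]+$")  # RFC 4648 base64 and base64url
MDNS_SUFFIX = ".local"          # multicast DNS names live under .local


@dataclass
class QueryFinding:
    qname: str
    name_len: int        # what Wireshark reports as dns.qry.name.len
    longest_label: str   # longest label left of the registered domain
    base64_like: bool


def is_mdns(qname: str) -> bool:
    """The "!mdns" part of the filter: drop multicast DNS names."""
    return qname.rstrip(".").lower().endswith(MDNS_SUFFIX)


def looks_base64(label: str, min_label_len: int = 20) -> bool:
    """Heuristic (this example's choice): a long label drawn from the base64
    alphabet that mixes at least two of {upper, lower, digit}. Ordinary
    hostnames are usually lowercase only, so they fail this test."""
    if len(label) < min_label_len or not BASE64_ALPHABET.match(label):
        return False
    classes = sum(1 for test in (str.isupper, str.islower, str.isdigit)
                  if any(test(c) for c in label))
    return classes >= 2


def suspicious_queries(qnames, min_len: int = 30):
    """Keep queries with name length > min_len that are not mDNS, then inspect
    the labels left of the registered domain (simplified here to the last
    two labels; a real tool would consult the public-suffix list)."""
    findings = []
    for q in qnames:
        name = q.rstrip(".")
        if len(name) <= min_len or is_mdns(name):
            continue
        data_labels = name.split(".")[:-2]
        longest = max(data_labels, key=len, default="")
        findings.append(QueryFinding(name, len(name), longest, looks_base64(longest)))
    return findings


# Constructed sample: two ordinary names, one long mDNS name, one long but
# legitimate CDN hostname, and one tunnel-style query carrying a base64 chunk.
CONSTRUCTED_QNAMES = [
    "www.example.com",
    "mail.example.net",
    "my-long-printer-name._ipp._tcp.local",
    "a-very-long-but-legitimate-hostname.cdn.example.org",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t4.tunnel.invalid",
]

if __name__ == "__main__":
    for f in suspicious_queries(CONSTRUCTED_QNAMES):
        flag = "base64-like" if f.base64_like else "plain"
        print(f"{f.name_len:3d} {flag:11s} {f.qname}")
```

The length filter alone still passes long legitimate names such as the CDN hostname in the sample; the character-class check is what separates it from the encoded label, which is why a length threshold should be combined with a second signal before a domain is blacklisted.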

4.4. Notification to the Administrator
When a domain has more than 300 unique hostnames and is not in the whitelist, the watcher is triggered and sends an e-mail notification about suspicious activity indicating DNS tunneling. The e-mail notification is sent to the administrator with the following contents:
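As an added example (not the paper's own Watcher script), the following Python mirrors the rule described in Sections 3.2 and 4.4: count the distinct query names under each registered domain, then raise an alert for any domain above 300 unique hostnames that is not whitelisted. The same function also returns an equivalent Elasticsearch Watcher definition that performs the count with a cardinality aggregation and sends the e-mail. The Packetbeat field names (network.protocol, dns.question.name, dns.question.registered_domain), the index pattern, the whitelist, and the e-mail address are assumptions, and the DNS events are constructed.

```python
"""Added example, not the paper's own code: DNS-tunnel detection by the number
of unique hostnames per registered domain, over constructed Packetbeat-style
DNS events, plus the equivalent Elasticsearch Watcher body.
"""
import json
import random
import string
from collections import defaultdict

THRESHOLD = 300              # paper's threshold: normal traffic stays below 300 unique hostnames
WHITELIST = {"example.com"}  # assumed whitelist of domains allowed to have many hostnames


def registered_domain(qname: str) -> str:
    """Registered domain of a query name, simplified to the last two labels.
    Packetbeat fills dns.question.registered_domain using the public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def unique_hostnames_per_domain(events):
    """Distinct query names under each registered domain: the same number the
    cardinality aggregation produces on the Elasticsearch side."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("network", {}).get("protocol") != "dns":
            continue
        question = ev["dns"]["question"]
        qname = question["name"]
        domain = question.get("registered_domain") or registered_domain(qname)
        seen[domain].add(qname.rstrip(".").lower())
    return {d: len(names) for d, names in seen.items()}


def suspicious_domains(counts, threshold=THRESHOLD, whitelist=WHITELIST):
    """The paper's trigger: above the threshold and not whitelisted."""
    return sorted((d, n) for d, n in counts.items() if n > threshold and d not in whitelist)


def alert_text(hits, window="15m"):
    """Body of the notification e-mail (format chosen for this example)."""
    if not hits:
        return None
    lines = [f"Possible DNS tunneling in the last {window}:"]
    lines += [f"  {d}: {n} unique hostnames (threshold {THRESHOLD})" for d, n in hits]
    return "\n".join(lines)


def watcher_definition(threshold=THRESHOLD, whitelist=WHITELIST, window="15m",
                       to="admin@example.invalid"):
    """Equivalent Watcher body: terms bucket per registered domain, cardinality of
    query names inside it, Painless condition, e-mail action. Field names,
    index pattern and recipient are assumptions."""
    condition = (
        "for (def b : ctx.payload.aggregations.by_domain.buckets) {"
        " if (b.unique_hosts.value > params.threshold"
        " && !params.whitelist.contains(b.key)) { return true; } }"
        " return false;"
    )
    return {
        "trigger": {"schedule": {"interval": window}},
        "input": {"search": {"request": {"indices": ["packetbeat-*"], "body": {
            "size": 0,
            "query": {"bool": {"filter": [
                {"term": {"network.protocol": "dns"}},
                {"range": {"@timestamp": {"gte": f"now-{window}"}}}]}},
            "aggs": {"by_domain": {
                "terms": {"field": "dns.question.registered_domain", "size": 100},
                "aggs": {"unique_hosts": {"cardinality": {"field": "dns.question.name"}}}}}}}}},
        "condition": {"script": {"source": condition,
                                 "params": {"threshold": threshold,
                                            "whitelist": sorted(whitelist)}}},
        "actions": {"notify_admin": {"email": {
            "to": to, "subject": "Suspected DNS tunneling",
            "body": {"text": "{{#ctx.payload.aggregations.by_domain.buckets}}"
                             "{{key}}: {{unique_hosts.value}} unique hostnames\n"
                             "{{/ctx.payload.aggregations.by_domain.buckets}}"}}}},
    }


def constructed_events(seed=1):
    """Constructed sample: a few ordinary lookups plus a tunnel-like burst of
    random 40-character labels under one domain (see the Literature Review)."""
    rng = random.Random(seed)
    events = []
    for name in ["www.example.com", "mail.example.com", "cdn.example.net", "www.example.net"]:
        events.append({"network": {"protocol": "dns"}, "dns": {"question": {"name": name}}})
    for _ in range(350):
        label = "".join(rng.choices(string.ascii_lowercase + string.digits, k=40))
        events.append({"network": {"protocol": "dns"},
                       "dns": {"question": {"name": f"{label}.t4.tunnel.invalid"}}})
    return events


if __name__ == "__main__":
    counts = unique_hostnames_per_domain(constructed_events())
    print(alert_text(suspicious_domains(counts)) or "no anomaly")
    print(json.dumps(watcher_definition(), indent=2))
```

The local functions and the Watcher body implement the same rule, so the Python version can be run over an exported sample of Packetbeat events to check the threshold before the watch is installed; the whitelist is what keeps legitimately busy domains such as large CDNs from triggering the e-mail.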

Conclusions and Recommendations
In our experiments, we ran simulations with Iodine, Dnscat2, and the DNSExfiltrator malware. We conclude that traffic analysis, counting unique hostnames as an indicator of DNS tunneling with Elasticsearch, successfully detects DNS tunneling and notifies the administrator about the attacker. The output of the detection can be added to the list of blacklisted domains. In the network quality analysis, DNS tunneling increases jitter and packet loss on the network, but not significantly, and the values remain acceptable.