Abstract

DNS is often used by attackers as a covert channel for data exfiltration, a technique also known as DNS tunneling. Since plaintext DNS lookups raise privacy concerns, DNS over HTTPS (DoH) has recently been standardized and deployed. DoH encapsulates DNS in HTTPS to encrypt DNS traffic between clients and recursive resolvers. Attackers can also use DoH for stealthier data exfiltration. However, existing DNS tunneling detection methods designed for plaintext DNS are usually ineffective against DoH tunneling. In this paper, we propose a method to detect DoH-based data exfiltration. We analyze the TLS fingerprints of DoH clients and build classifiers on flow-based features to detect DoH tunneling. Our experiments examine in detail how various factors influence the detection results, including adversarial considerations, by exploring potential evasion strategies. The experimental results demonstrate that the proposed method is effective and that evading detection is very difficult because the relevant features are hard to imitate. Moreover, even if an attacker evades detection, our method can still provide the defender with information useful for attack investigation.
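To make the two signals named above concrete, the following is an added illustration (not the paper's code or feature set): it extracts a handful of flow-based features from a DoH connection, counts how many tunnel indicators fire, and computes a JA3-style TLS client fingerprint from ClientHello fields. The feature names, thresholds and scoring rule are assumptions chosen for exposition; a real deployment would learn them from labelled traffic as the paper's classifiers do. The two sample flows and the ClientHello values are constructed. The `Packet` type, `flow_features`, `tunnel_score`, `is_tunnel`, `ja3_string` and `ja3_hash` are hypothetical names introduced here.

```python
# Added example: flow-based tunnel indicators plus a TLS fingerprint for DoH flows.
# Thresholds, weights and the sample traffic below are assumptions/constructed data,
# not the paper's feature set or dataset.
import hashlib
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    ts: float        # capture time in seconds
    size: int        # TLS record payload length in bytes
    outbound: bool   # True: client -> DoH resolver, False: resolver -> client


def benign_flow():
    """Constructed browser-like DoH flow: bursty, small queries, larger answers."""
    rows = [(0.00, 91, True), (0.02, 220, False), (0.03, 88, True), (0.06, 310, False),
            (1.50, 103, True), (1.53, 180, False), (4.00, 95, True), (4.05, 540, False)]
    return [Packet(*r) for r in rows]


def tunnel_flow(n=20, period=0.2):
    """Constructed exfiltration-like flow: uniform large queries at a fixed cadence,
    small answers (the data rides in the encoded query names)."""
    pkts = []
    for i in range(n):
        pkts.append(Packet(i * period, 240, True))
        pkts.append(Packet(i * period + 0.01, 130, False))
    return pkts


def _cv(values):
    """Coefficient of variation; 0 for constant or too-short sequences."""
    if len(values) < 2 or mean(values) == 0:
        return 0.0
    return pstdev(values) / mean(values)


def flow_features(pkts):
    """Per-flow statistics a classifier could consume (assumed feature set)."""
    out = [p for p in pkts if p.outbound]
    inn = [p for p in pkts if not p.outbound]
    out_ts = [p.ts for p in out]
    out_iat = [b - a for a, b in zip(out_ts, out_ts[1:])]
    duration = max(pkts[-1].ts - pkts[0].ts, 1e-6)
    out_bytes = sum(p.size for p in out)
    in_bytes = sum(p.size for p in inn)
    return {
        "n_out": len(out),
        "out_bytes": out_bytes,
        "in_bytes": in_bytes,
        "out_in_ratio": out_bytes / max(in_bytes, 1),        # upload-heavy flows stand out
        "mean_out_size": mean([p.size for p in out]) if out else 0.0,
        "out_iat_cv": _cv(out_iat),                           # ~0 means metronomic queries
        "rate_pps": len(pkts) / duration,
    }


THRESHOLDS = {  # assumed for illustration; a deployment learns these from labelled flows
    "out_in_ratio": 1.0,
    "mean_out_size": 150,
    "out_iat_cv": 0.2,
    "rate_pps": 5.0,
}


def tunnel_score(f):
    """Count how many tunnel indicators fire (0..4)."""
    score = 0
    score += f["out_in_ratio"] > THRESHOLDS["out_in_ratio"]
    score += f["mean_out_size"] > THRESHOLDS["mean_out_size"]
    score += f["n_out"] >= 3 and f["out_iat_cv"] < THRESHOLDS["out_iat_cv"]
    score += f["rate_pps"] > THRESHOLDS["rate_pps"]
    return int(score)


def is_tunnel(pkts, min_score=3):
    return tunnel_score(flow_features(pkts)) >= min_score


# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3 fingerprints.
GREASE = {(x << 12) | 0x0a00 | (x << 4) | 0x0a for x in range(16)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 input string: the five ClientHello fields, comma separated, values hyphen joined."""
    def fmt(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(version), fmt(ciphers), fmt(extensions), fmt(curves), fmt(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """MD5 of the JA3 string, the form usually compared against a list of known clients."""
    return hashlib.md5(ja3_string(version, ciphers, extensions, curves, point_formats).encode()).hexdigest()


# Constructed ClientHello for a hypothetical DoH client (sample values, not a real client).
SAMPLE_HELLO = dict(version=771, ciphers=[0x1a1a, 4865, 4866, 4867, 49195],
                    extensions=[0x2a2a, 0, 23, 65281, 10, 11], curves=[0xdada, 29, 23, 24],
                    point_formats=[0])

if __name__ == "__main__":
    for name, flow in (("benign", benign_flow()), ("tunnel", tunnel_flow())):
        print(name, flow_features(flow), "score", tunnel_score(flow_features(flow)))
    print("ja3", ja3_string(**SAMPLE_HELLO), ja3_hash(**SAMPLE_HELLO))
```

The two signals complement each other in the way the abstract suggests: a fingerprint that does not match any DoH client deployed in the environment is cheap to check, while the flow statistics capture the upload-heavy, uniform, metronomic shape that encoding data into query names tends to produce. An attacker can pad and jitter traffic to push these features toward the benign profile, but doing so costs throughput, which is the practical reason feature imitation is hard.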
