
Detecting DNS Tunneling Using Behavioral and Content Metadata Features

February 2023 Presentation
Darin Johnson (Infoblox)

This talk describes new work emphasizing a reduction in false positives when detecting and countering DNS tunneling.

Software Engineering Institute

This presentation was given at FloCon 2023, an annual conference that focuses on applying any and all collected data to defend enterprise networks.

DNS tunneling is a method of encoding information into DNS queries and responses to enable communication between a client and a server. Open-source proof-of-concept examples include Iodine (Schouten) and DNSCat (“iagox86/dnscat2”). Malware can use DNS tunneling for command and control (C2), as in the recent cases of DNS Anchor (Dahan) and Saitama (Stockley). Complicating matters are DNS blocklists, which follow (or in some cases don’t follow) RFC 5782 (“RFC 5782 - DNS Blacklists and Whitelists”) but are used for generally benign purposes. As a potential vector for C2 and exfiltration, DNS tunneling is important for enterprises and the security industry to detect and counter. There is extensive literature using pattern matching, cache misses, and machine learning to detect DNS tunnels.

Infoblox’s previous work in this field included “Behavior Analysis based DNS Tunneling Detection and Classification with Big Data Technologies” (Yu et al.). In this talk we describe new work emphasizing a reduction in false positives. To achieve this, we introduce several new features, including the autoencoder reconstruction loss of a DNS query, which to our knowledge has not been used in the literature. We do an in-depth analysis of feature importance, show that several features in previous models were redundant, and show that the newly added features improve decision performance. We also show that using DNS blocklists as a proxy for a labeled dataset can pick up additional tunnels such as DNSCat and Iodine.
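The two paragraphs above separate content features of a single query name from behavioral features of a client's traffic toward one apex domain, and the theme of the talk is that content features alone produce false positives (blocklist lookups and CDN hostnames look tunnel-like in isolation). The following is an added illustration written for this page, not code from the talk, from Infoblox, or from the paper cited above. It computes a few common per-query content features (subdomain length, label count, Shannon entropy, digit ratio) and a simple behavioral aggregate (distinct subdomains and subdomain bytes per client and apex), then flags only the pairs where both views agree. The apex split (last two labels), every threshold, the `SAMPLE_QUERIES` traffic and all hostnames are constructed assumptions; the autoencoder reconstruction-loss feature from the talk is not reproduced here.

```python
"""Content and behavioral metadata features for DNS-tunnel detection.

Added example for this page; not code from the FloCon talk or from Infoblox.
The apex split (last two labels), thresholds and sample traffic are assumptions.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

APEX_LABELS = 2  # assumption: the registered domain is the last two labels


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_apex(qname: str, apex_labels: int = APEX_LABELS):
    """Return (subdomain, apex); subdomain is '' when qname is the apex itself."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= apex_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-apex_labels]), ".".join(labels[-apex_labels:])


@dataclass
class ContentFeatures:
    qname: str
    apex: str
    subdomain: str
    subdomain_len: int   # characters of the subdomain part, dots included
    label_count: int
    longest_label: int
    entropy: float       # Shannon entropy over subdomain characters, dots excluded
    digit_ratio: float


def content_features(qname: str) -> ContentFeatures:
    """Per-query content features derived from the query name alone."""
    sub, apex = split_apex(qname)
    labels = [lab for lab in sub.split(".") if lab]
    chars = "".join(labels)
    return ContentFeatures(
        qname=qname, apex=apex, subdomain=sub,
        subdomain_len=len(sub),
        label_count=len(labels),
        longest_label=max((len(lab) for lab in labels), default=0),
        entropy=shannon_entropy(chars),
        digit_ratio=(sum(ch.isdigit() for ch in chars) / len(chars)) if chars else 0.0,
    )


def content_suspicious(f: ContentFeatures) -> bool:
    """Illustrative content-only rule: long, high-entropy subdomains (thresholds assumed)."""
    return f.subdomain_len >= 40 and f.longest_label >= 20 and f.entropy >= 3.5


@dataclass
class ApexBehavior:
    distinct_subdomains: set = field(default_factory=set)
    subdomain_bytes: int = 0
    suspicious_queries: int = 0
    total_queries: int = 0


def aggregate(queries):
    """Group (client_ip, qname) pairs per (client, apex) and accumulate behavioral counters."""
    stats = defaultdict(ApexBehavior)
    for client, qname in queries:
        f = content_features(qname)
        b = stats[(client, f.apex)]
        b.total_queries += 1
        b.distinct_subdomains.add(f.subdomain)
        b.subdomain_bytes += f.subdomain_len
        if content_suspicious(f):
            b.suspicious_queries += 1
    return stats


def flag_tunnels(stats, min_distinct=5, min_bytes=200, min_suspicious_ratio=0.8):
    """Flag (client, apex) pairs where content and behavior both look tunnel-like.

    A single repeated hash-like hostname (CDN style) passes the content rule but
    fails min_distinct, which is the false-positive reduction the talk is about.
    """
    flagged = []
    for key, b in stats.items():
        ratio = b.suspicious_queries / b.total_queries
        if (len(b.distinct_subdomains) >= min_distinct
                and b.subdomain_bytes >= min_bytes
                and ratio >= min_suspicious_ratio):
            flagged.append(key)
    return sorted(flagged)


# Constructed sample traffic (not real captures); all hostnames are placeholders.
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # base32 charset: 32 distinct symbols


def rotated(shift: int) -> str:
    """Deterministic 32-char label with entropy exactly 5 bits/char."""
    return ALPHABET[shift:] + ALPHABET[:shift]


SAMPLE_QUERIES = [
    # ordinary browsing: short, low-entropy, few distinct names per apex
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "www.example.com"),
    # CDN-style host: one long hash-like label, but the same name repeated
    ("10.0.0.5", "cache-1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.static.example.org"),
    ("10.0.0.5", "cache-1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.static.example.org"),
] + [
    # tunnel-like: many distinct, long, high-entropy subdomains under one apex
    ("10.0.0.7", f"{rotated(i)}.{rotated(i + 1)}.tunnel-example.net") for i in range(8)
]

if __name__ == "__main__":
    stats = aggregate(SAMPLE_QUERIES)
    for key, b in sorted(stats.items()):
        print(key, len(b.distinct_subdomains), b.subdomain_bytes,
              b.suspicious_queries, b.total_queries)
    print("flagged:", flag_tunnels(stats))
```

Running the block shows the CDN-style name scoring as suspicious on content alone while only the `tunnel-example.net` traffic is flagged once the per-client, per-apex behavior is required to agree. In a real pipeline the apex split would use the public suffix list rather than a fixed label count, and the thresholds would be learned from labeled traffic rather than chosen by hand.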