DNS tunneling may help you bypass a firewall if DNS requests are allowed. Or it can just get you free Wi-Fi. There are a number of standalone tools which allow you to set up a TCP-over-DNS tunnel. Here is a simple implementation of DNS tunneling in pure Java. It’s not ready for real-world use, but it shows how DNS tunneling can be implemented. The implementation works with a standard JRE and doesn’t require any additional libraries.

What is DNS tunneling?

The purpose of the DNS (Domain Name System) protocol is to convert a domain name to an IP address. DNS requests are usually recursive. In other words, if a DNS server doesn’t know how to resolve a domain name, it can send a request to other DNS servers. Let’s assume that you are in a private network which has a firewall that blocks all connections to the Internet. Or you have just connected to a Wi-Fi hotspot which doesn’t allow you to connect to the Internet either. Another possible situation is that we were able to deliver an exploit (for example, a Java applet) to some computer in a private network. The exploit gives us access to a machine in the internal network, but we can’t establish a usual TCP connection to it because of a corporate firewall. If the firewall blocks usual TCP/UDP connections to machines outside the private network but allows DNS requests, then it may be possible to establish a DNS tunnel which allows data to be transferred outside the private network.

Implementation of DNS tunneling with Java

The standard JRE supports the DNS protocol out of the box and doesn’t require any third-party library. More precisely, DNS support is part of JNDI (Java Naming and Directory Interface). In other words, if an attacker can deliver a Java applet to a target machine, then the chance of successfully setting up a DNS tunnel is quite high (although with newer Java versions it may not be as easy to make a victim run a malicious applet as it used to be).

  1. DNSTunnelClient.java is a client which should be delivered to the victim’s machine. It runs a DNS client based on JNDI and sends requests to the malicious DNS server (through an internal DNS server). The DNS requests contain data which needs to be delivered to the attacker (for example, the user’s confidential data, or the results of commands executed on the user’s machine). The DNS responses contain commands from the attacker which should be executed on the victim’s machine.
  2. Payload.java is an applet which needs to be delivered to the victim’s machine. The applet starts a DNSTunnelClient.
  3. CrockfordBase32.java implements BASE32 encoding and decoding.
  4. Command.java just runs a command with the ProcessBuilder API.
  5. Server.java is a simple telnet server which listens on a port, waits for commands, and runs them. The Payload applet can be configured to run this server. It’s not related to DNS tunneling, but was used for experiments with the ProcessBuilder API.
  6. SimpleHttpServer is a simple HTTP server which can host the Payload applet (see also the index.html file).

  1. compile.sh compiles the sources.
  2. gen.sh packs the compiled classes into a jar file, creates a self-signed certificate, and finally signs the jar file with this certificate.
  3. run_http.sh just starts a SimpleHttpServer.
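From the monitoring side, the client described above leaves a recognizable trace in resolver logs: many distinct query names under one parent zone, each carrying a long encoded label. The following is an added example, not part of the original project. It assumes the data travels as Crockford Base32 text in subdomain labels; the thresholds, function names and sample queries are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Crockford Base32 alphabet: digits plus letters without I, L, O, U.
CROCKFORD = set("0123456789ABCDEFGHJKMNPQRSTVWXYZ")

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_zone(qname, levels=2):
    """Naive split into (parent zone, subdomain labels); no public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:]), labels[:-levels]

def suspicious_label(label, min_len=24, min_entropy=3.5):
    """True for a long, high-entropy label made only of Crockford symbols."""
    up = label.upper()
    return len(up) >= min_len and set(up) <= CROCKFORD and entropy(up) >= min_entropy

def find_tunnel_candidates(qnames, min_hits=3):
    """Map each parent zone to its count of distinct suspicious query names."""
    hits = defaultdict(set)
    for q in qnames:
        zone, sub = split_zone(q)
        if any(suspicious_label(label) for label in sub):
            hits[zone].add(q.lower())
    return {z: len(names) for z, names in hits.items() if len(names) >= min_hits}

# Constructed query names, not captured traffic. attacker.com is the page's lab domain.
SAMPLE_QUERIES = [
    "www.example.org.",
    "static-assets-eu-west-1-content-cache.cdn.example.net.",
    "D1JPRV3F41VPYWKCCGG62VVDDXQ6ARBK.attacker.com.",
    "EHJP6X1F41H62WVKE9HPWSBECNP6RVK5.attacker.com.",
    "c9gq4vbmd5n6awk3e1t7jry2f8hxz0ps.attacker.com.",
    "0123456789ABCDEFGHJKMNPQ.once.example.",  # one-off: below min_hits
]

if __name__ == "__main__":
    for zone, count in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"{zone}: {count} distinct encoded-looking query names")
```

The per-zone count matters more than any single label: hashes and tracking tokens in legitimate hostnames can trip the label check once, while a tunnel produces a steady stream of new names under the same zone.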

DNS tunnel testing

I used a couple of VMs for testing:

  1. Then, I started one VM (let’s call it the ‘attacker’ machine), and I ran a DNSTunnelServer instance there. This DNSTunnelServer is a DNS server for the ‘attacker.com’ domain, and also accepts commands to run on the ‘victim’ machine.
  2. Next, I started a SimpleHttpServer instance on the ‘attacker’ machine. This HTTP server just contains a malicious applet (Payload.jar) on http://attacker.com/index.html
  3. Finally, I started another VM (let’s call it the ‘victim’ machine), opened a web browser there, and loaded http://attacker.com/index.html
