DNS tunneling detection using machine learning and cache miss properties
Date
2021
Publisher
Institute of Electrical and Electronics Engineers Inc.
Abstract
In a DNS tunneling attack, data or other useful information is embedded within DNS queries and exfiltrated. Such attacks are difficult to detect because DNS is a fundamental protocol, and blocking legitimate domain names degrades the user experience. Deciding whether a given DNS query is exfiltrating data is therefore a challenging task, and it becomes harder still when the attacker mimics genuine queries. This work presents two different methods for detecting DNS tunneling queries and then combines them into a DNS Tunneling Attack Detector that can inform the client about a potential attack in real time. The first method uses cache misses at a DNS cache server; the second uses machine learning techniques to classify a given DNS query. Overall, with certain machine learning classifiers reaching around 93% accuracy on a per-packet basis, plus extra validation from the cache-miss approach, a detector has been developed that accurately reports DNS tunneling traffic. © 2021 IEEE.
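The abstract describes two signals, a per-query classifier built on lexical features such as entropy and FQDN shape, and a per-client cache-miss rate at the resolver, and combines them. The following is an added illustration of that combination, not the paper's code or data: a rule-based scorer stands in for the trained classifier (its feature set and thresholds are assumptions), the resolver cache is simulated in memory as a set of names already seen, and the query log is constructed for the example.

```python
"""Illustrative DNS tunneling detector: per-query lexical scoring plus a
per-client cache-miss ratio. Added example; the features, thresholds and the
in-memory cache simulation are assumptions, not the paper's method or data."""
import math
from collections import Counter, defaultdict

# Constructed sample query log (client_ip, FQDN); not real traffic. 10.0.0.5 browses
# with repeats, 10.0.0.7 visits distinct benign sites once each, 10.0.0.9 tunnels.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "cdn.example.net"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "news.example.org"),
    ("10.0.0.7", "shop.example.org"),
    ("10.0.0.7", "docs.example.edu"),
    ("10.0.0.7", "api.example.io"),
    ("10.0.0.7", "login.example.co"),
    ("10.0.0.9", "a9f3k2m8q1z7x4c6v0b2n5m1p4l8k3j6.t.evil-tunnel.example"),
    ("10.0.0.9", "b7e2h9d4w1s6r3t8y5u0o2i4p6a1s3d5.t.evil-tunnel.example"),
    ("10.0.0.9", "c1x5v9b3n7m2q6w0e4r8t2y6u1i5o9p3.t.evil-tunnel.example"),
    ("10.0.0.9", "d8z4a0s6d2f7g3h9j5k1l4q8w2e6r0t3.t.evil-tunnel.example"),
    ("10.0.0.9", "e3c7v1b5n9m4k8j2h6g0f5d9s3a7q1w4.t.evil-tunnel.example"),
]

def shannon_entropy(s):
    """Bits per character of s; encoded payloads score far above real words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def query_features(fqdn):
    """Lexical features of one FQDN. Assumption: the last two labels are the
    registered domain (a real deployment would consult the public suffix list)."""
    labels = fqdn.lower().rstrip(".").split(".")
    sub = ".".join(labels[:-2]) if len(labels) > 2 else ""
    chars = sub.replace(".", "")
    return {
        "labels": len(labels),
        "subdomain_len": len(sub),
        "entropy": shannon_entropy(chars),
        "digit_ratio": (sum(ch.isdigit() for ch in chars) / len(chars)) if chars else 0.0,
    }

def is_suspicious_query(fqdn):
    """Rule-based scorer standing in for the trained per-packet classifier.
    Thresholds are assumptions tuned to this sample, not values from the paper."""
    f = query_features(fqdn)
    score = 0
    score += int(f["subdomain_len"] >= 30)   # long label chain carries payload
    score += int(f["entropy"] >= 3.5)        # base32/base64-like character mix
    score += int(f["digit_ratio"] >= 0.25)   # encoded data mixes digits freely
    score += int(f["labels"] >= 4)           # deep nesting under one parent domain
    return score >= 2

class CacheMissTracker:
    """Simulated resolver cache: a name is a miss the first time it is seen.
    Tunnel clients never repeat names, so their miss ratio stays near 1.0."""
    def __init__(self, window=20):
        self.cache = set()
        self.window = window
        self.history = defaultdict(list)     # client -> recent miss flags
    def observe(self, client, fqdn):
        miss = fqdn not in self.cache
        self.cache.add(fqdn)
        h = self.history[client]
        h.append(miss)
        del h[:-self.window]                 # sliding window per client
        return miss
    def miss_ratio(self, client):
        h = self.history.get(client, [])
        return sum(h) / len(h) if h else 0.0

def detect(queries, miss_threshold=0.8, flag_threshold=0.5, min_queries=5):
    """Combine both signals: alert on a client only when the lexical scorer
    flags most of its queries AND the cache-miss ratio corroborates it."""
    tracker = CacheMissTracker()
    totals, flagged = Counter(), Counter()
    for client, fqdn in queries:
        tracker.observe(client, fqdn)
        totals[client] += 1
        flagged[client] += int(is_suspicious_query(fqdn))
    report = {}
    for client, n in totals.items():
        flag_ratio = flagged[client] / n
        miss_ratio = tracker.miss_ratio(client)
        alert = (n >= min_queries and flag_ratio >= flag_threshold
                 and miss_ratio >= miss_threshold)
        report[client] = {"queries": n, "flag_ratio": flag_ratio,
                          "miss_ratio": miss_ratio, "alert": alert}
    return report

if __name__ == "__main__":
    for client, r in detect(SAMPLE_QUERIES).items():
        print(client, r)
```

The constructed log is arranged to show why the two signals are combined rather than used alone: 10.0.0.7 produces only cache misses (first visits to five distinct sites) but nothing lexically suspicious, so it is not reported, while 10.0.0.9 is reported because every query is both a miss and a long, high-entropy subdomain. In a real deployment the hit/miss flags would come from the cache server's own logs and the scorer would be replaced by the trained classifier.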
Keywords
Classification, DNS tunneling, Entropy, FQDN, Machine Learning
Citation
Proceedings - 5th International Conference on Intelligent Computing and Control Systems, ICICCS 2021, 2021, pp. 1225-1229
