FQDN similarity and cache-miss property based DNS tunneling detection technique

Date

2021

Publisher

Grenze Scientific Society

Abstract

Although there are many effective methods to detect DNS tunneling attacks, the attacks still happen, and attackers can mimic genuine queries to bypass such checks. During data exfiltration, however, the DNS queries change continuously, because part of each query name carries the data itself. All such queries therefore result in a cache miss, and this property can be used to detect DNS tunneling. Relying on cache misses alone is not enough, though, since it produces many false positives. To overcome this, we propose three criteria-based methods that use the properties of DNS tunneling queries to reduce the number of false positives and thus detect DNS tunneling traffic accurately. We also discuss how these checks could be bypassed; doing so is both costly and requires the attacker to make redundant queries. © Grenze Scientific Society, 2021.
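An added illustration of the idea in the abstract, combining the cache-miss property with a structural similarity of successive query names; this is not the paper's own method, and the log format, the similarity measure and the thresholds are assumptions made here:

```python
from collections import defaultdict
# Constructed sample cache-server log: (client, queried FQDN, served from cache?).
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", False),
    ("10.0.0.5", "www.example.com", True),
    ("10.0.0.5", "cdn.example.com", False),
    ("10.0.0.5", "cdn.example.com", True),
    ("10.0.0.5", "www.example.com", True),
    ("10.0.0.7", "4a7f09c1e2.t.example.net", False),  # fixed-width chunk in the first label
    ("10.0.0.7", "5b8e1ad3f4.t.example.net", False),
    ("10.0.0.7", "6c9f2be405.t.example.net", False),
    ("10.0.0.7", "7da03cf516.t.example.net", False),
    ("10.0.0.7", "8eb14d0627.t.example.net", False),
]

def registered_domain(fqdn):
    # Naive: last two labels. Production code should consult the public-suffix list.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def fqdn_similarity(a, b):
    """Share of trailing labels two names have in common, plus credit for equal-length leading labels."""
    la, lb = a.split("."), b.split(".")
    common = 0
    for x, y in zip(reversed(la), reversed(lb)):
        if x != y:
            break
        common += 1
    return 0.5 * common / max(len(la), len(lb)) + 0.5 * (len(la[0]) == len(lb[0]))

def score_domains(log):
    """Per (client, registered domain): count, cache-miss ratio, distinct-name ratio, mean similarity of consecutive distinct names."""
    groups = defaultdict(list)
    for client, fqdn, hit in log:
        groups[(client, registered_domain(fqdn))].append((fqdn.lower(), hit))
    stats = {}
    for key, entries in groups.items():
        names = [name for name, _ in entries]
        sims = [fqdn_similarity(x, y) for x, y in zip(names, names[1:]) if x != y]
        misses = sum(1 for _, hit in entries if not hit)
        stats[key] = {"total": len(entries), "miss_ratio": misses / len(entries),
                      "distinct_ratio": len(set(names)) / len(entries),
                      "mean_similarity": sum(sims) / len(sims) if sims else 0.0}
    return stats

def flag_tunnels(log, min_queries=5, miss_thr=0.9, distinct_thr=0.9, sim_thr=0.7):
    """Cache misses alone over-fire; require every criterion (thresholds are illustrative assumptions)."""
    return sorted(key for key, s in score_domains(log).items()
                  if s["total"] >= min_queries and s["miss_ratio"] >= miss_thr
                  and s["distinct_ratio"] >= distinct_thr and s["mean_similarity"] >= sim_thr)
```

On the constructed log the legitimate client is cleared by its cache hits even though its names are structurally similar, while the tunnelling client is flagged because every query is a new, never-cached name of the same shape.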

Keywords

Data exfiltration, DNS cache server, DNS queries, DNS tunneling, DNS tunneling detection, Dnscat2, FQDN

Citation

12th International Conference on Advances in Computing, Control, and Telecommunication Technologies, ACT 2021, 2021, Vol. 2021-August, p. 513-518
