DNS tunneling Detection Using Elasticsearch


This article is free to access.

Abstract

The Domain Name System (DNS) protocol is a popular medium for malware to perform command and control of a victim's computer, a technique called DNS tunneling. DNS tunneling can also be used to bypass captive-portal hotspots in public places, degrading network quality for other users. In its more dangerous form, DNS tunneling can be used to exfiltrate data from the victim's computer: instead of translating domain names, the protocol is misused to smuggle data out in the queries themselves. Attackers frequently rely on these weaknesses to deceive network administrators. Our approach to this problem is to analyze DNS traffic using the number of unique hostnames queried under a domain as an indicator of compromise, and to use Elasticsearch to detect DNS tunneling. Elasticsearch sends an e-mail notifying the administrator of the suspected DNS tunneling; the e-mail contains information about the domain suspected of being used for tunneling. The Elasticsearch result can then be added to a domain blacklist so the domain can no longer be used for DNS tunneling. Together, these measures are intended to help the network administrator secure the network against DNS tunneling. Moreover, our network quality analysis shows a rise in jitter and packet loss while DNS tunneling is taking place.
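The indicator the abstract describes, an unusually high number of unique hostnames under one registered domain, can be computed directly from a DNS query log. The following is an added example, not code from the paper or its authors: it parses constructed sample log lines (timestamp, client IP, queried name), groups the queried names by registered domain, and flags domains whose unique-hostname count reaches a threshold. It also builds an equivalent Elasticsearch aggregation body (a terms aggregation with a cardinality sub-aggregation and a bucket_selector); the threshold of 20, the ECS-style field names dns.question.registered_domain and dns.question.name, and the domain evil-tunnel.example are assumptions for this illustration, not values from the paper.

```python
"""Flag DNS tunneling by counting unique hostnames per registered domain.

Added example, not the paper's own code. Field names, threshold and the
sample log are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed sample log: a few benign queries plus a burst of queries whose
# leftmost labels carry encoded data (the shape a tunnel produces).
BENIGN_LINES = [
    "2020-01-01T10:00:01Z 10.0.0.5 www.example.com",
    "2020-01-01T10:00:02Z 10.0.0.5 mail.example.com",
    "2020-01-01T10:00:03Z 10.0.0.6 www.example.com.",  # trailing dot, same host
    "2020-01-01T10:00:04Z 10.0.0.6 cdn.example.com",
    "2020-01-01T10:00:05Z 10.0.0.8 www.example.org",
]
# 30 distinct hex labels under an assumed tunnel domain (odd multiplier mod 2^24
# is a bijection, so the labels are unique).
TUNNEL_LINES = [
    f"2020-01-01T10:01:{i:02d}Z 10.0.0.7 {i * 2654435761 % 2**24:06x}.t.evil-tunnel.example"
    for i in range(30)
]
SAMPLE_LOG = "\n".join(BENIGN_LINES + TUNNEL_LINES) + "\n"


def registered_domain(name, suffix_labels=2):
    """Return the last `suffix_labels` labels of a name (e.g. 'example.com').

    Assumes a two-label registrable domain; a public-suffix list would be
    needed for names such as 'example.co.uk'.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-suffix_labels:])


def parse_log(text):
    """Parse 'timestamp client qname' lines into (timestamp, client, qname)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or blank lines
        records.append((parts[0], parts[1], parts[2].rstrip(".").lower()))
    return records


def unique_hostnames_per_domain(records):
    """Map registered domain -> number of distinct full names queried under it."""
    seen = defaultdict(set)
    for _, _, qname in records:
        seen[registered_domain(qname)].add(qname)
    return {domain: len(hosts) for domain, hosts in seen.items()}


def suspected_tunnel_domains(records, threshold=20):
    """Return registered domains whose unique-hostname count reaches the threshold."""
    counts = unique_hostnames_per_domain(records)
    return sorted(d for d, n in counts.items() if n >= threshold)


def elasticsearch_aggregation(threshold=20, size=50):
    """Build the same detection as an Elasticsearch aggregation request body.

    Assumes ECS-style fields dns.question.registered_domain and
    dns.question.name. cardinality is approximate (HyperLogLog++), so treat
    the threshold as a starting point, not an exact count.
    """
    return {
        "size": 0,
        "aggs": {
            "by_domain": {
                "terms": {"field": "dns.question.registered_domain", "size": size},
                "aggs": {
                    "unique_hosts": {"cardinality": {"field": "dns.question.name"}},
                    "over_threshold": {
                        "bucket_selector": {
                            "buckets_path": {"n": "unique_hosts"},
                            "script": f"params.n >= {threshold}",
                        }
                    },
                },
            }
        },
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for domain, n in sorted(unique_hostnames_per_domain(recs).items()):
        print(f"{domain:25s} unique hostnames: {n}")
    print("suspected tunnel domains:", suspected_tunnel_domains(recs))
```

Running the script lists three unique hostnames under example.com, one under example.org and thirty under evil-tunnel.example, so only evil-tunnel.example is reported at the assumed threshold of 20. The threshold should be tuned per network: content delivery networks and some anti-virus lookup services legitimately produce many distinct subdomains, so a domain allowlist is needed before a flagged domain is fed into the blacklist the abstract describes.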

Cite

CITATION STYLE

APA

Sani, A. F., & Setiawan, M. A. (2020). DNS tunneling Detection Using Elasticsearch. In IOP Conference Series: Materials Science and Engineering (Vol. 722). Institute of Physics Publishing. https://doi.org/10.1088/1757-899X/722/1/012064
