During a DNS tunneling attack, data is sent out to the attacker as part of the domain name. DNS tunneling is a technique that encodes the data of other protocols or programs inside DNS queries and responses. The attacker registers a domain, such as badsite.com, and points it at a server under their control on which a tunneling program is installed. The attacker then infects a device with malware that sends DNS queries to the attacker's server, using subdomains of badsite.com to encode the data. For example, the malware could query 1234.badsite.com, where 1234 is the encoded data. The attacker's server decodes the data from the subdomain and sends back a DNS response, which may also carry encoded data in its answer section [1][2]. The other options are not correct because they do not use the domain name to encode the data. The UDP/53 and TCP/53 packet payload and header transport the DNS query and response, but the tunneling technique does not modify them. The DNS response packet contains the answer to the query, but it is not the only way to send data to the attacker [3].

References:
[1] DNS Tunneling attack - What is it, and how to protect ourselves?
[2] What Is DNS Tunneling? - Palo Alto Networks
[3] What Are DNS Attacks? - Palo Alto Networks
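A defender-side check for the pattern described above, added here as an example (it is not code from the page or its references): it groups DNS query log lines by registered domain and flags domains whose subdomain labels are long and high-entropy, which is how encoded data carried in names like 1234.badsite.com stands out from ordinary hostnames. The log format, the sample lines and the thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<client> <qname> <qtype>" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 4a6f686e2d446f652d3230322d3430.badsite.com TXT
10.0.0.7 53656372657420646174612068657265.badsite.com TXT
10.0.0.7 7061737377643d6875626261627562.badsite.com TXT
10.0.0.9 cdn.example.com A
"""

def registered_domain(qname):
    # Naive registrable domain: last two labels (enough for the .com names used here).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def subdomain_part(qname):
    # Everything to the left of the registered domain is where tunnelled data is encoded.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2])

def shannon_entropy(s):
    # Bits per character; encoded payloads score higher than words like "www" or "mail".
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_domains(log_text, min_avg_len=20, min_avg_entropy=2.5):
    """Return {domain: stats} for domains whose subdomains look like encoded data.
    Thresholds are illustrative assumptions and must be tuned against local baseline traffic."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qname, _qtype = line.split()
        per_domain[registered_domain(qname)].add(subdomain_part(qname))
    flagged = {}
    for domain, subs in per_domain.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[domain] = {"unique_subdomains": len(subs),
                               "avg_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Run against real resolver logs, the same grouping also exposes the volume signal: a tunnelling client produces many unique subdomains under one domain, while legitimate hosts reuse a small set.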