DNS Tunneling: a Review on Features


  • Mahmoud Sammour
  • Burairah Hussin
  • Mohd Fairuz Iskandar Othman
  • Mohamed Doheir
  • Basel AlShaikhdeeb
  • Mohammed Saad Talib

Keywords: DNS tunneling, payload analysis, traffic analysis, feature extraction


One of the significant threats facing the web today is DNS tunneling, an attack that exploits the Domain Name System (DNS) protocol in order to bypass security gateways. This can lead to the loss of critical information, which is a disastrous situation for many organizations. Recently, researchers have paid more attention to machine learning techniques for detecting DNS tunneling. Machine learning is significantly affected by the features it is given. However, because there is no standard benchmark dataset for DNS tunneling, researchers have captured the features of DNS tunneling using different techniques. This paper aims to present a review of the features used for DNS tunneling detection.
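As an added example (not code from the paper or its authors), the script below extracts the kind of payload-analysis features the reviewed detection work relies on (query-name length, label count, longest label, Shannon entropy and digit ratio of the leading labels) plus one traffic-analysis feature (query volume and mean payload entropy per zone). The sample query names are constructed, the "registered zone is the last two labels" convention is an assumption of this example, and the thresholds in `flag_suspicious` are illustrative, not values taken from the paper.

```python
import math
from collections import Counter

# Constructed sample query names (illustrative only, not data from the paper).
# The first three resemble ordinary lookups; the last two imitate the long,
# high-entropy leading labels that a tunnel uses to carry encoded data.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "cdn2.static-assets.example.net",
    "k3j9x0qzv8mwn2a7r6t1b4c5d0e9f8g7h6j5k4l3m2n1.tun.example.com",
    "x9f3a7c2e1b8d4f0a6c9e2b5d8f1a4c7e0b3d6f9a2c5e8b1d4f7a0c3e6.t.example.org",
]


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def extract_payload_features(qname: str, zone_labels: int = 2) -> dict:
    """Payload-analysis features for one query name.

    zone_labels (an assumption of this example) is how many trailing labels
    count as the registered zone, e.g. 'example.com'; every label before it
    is treated as the part of the name where a tunnel would embed data.
    """
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-zone_labels]) if len(labels) > zone_labels else ""
    plen = len(payload)
    return {
        "qname_length": len(qname),
        "label_count": len(labels),
        "longest_label": max((len(lbl) for lbl in labels), default=0),
        "payload_length": plen,
        "payload_entropy": round(shannon_entropy(payload), 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in payload) / plen, 3) if plen else 0.0,
        "unique_char_ratio": round(len(set(payload)) / plen, 3) if plen else 0.0,
    }


def flag_suspicious(features: dict, max_label: int = 40, min_entropy: float = 3.5) -> bool:
    """Illustrative rule (thresholds are assumptions, not from the paper):
    a label longer than a normal hostname combined with a high-entropy payload."""
    return features["longest_label"] > max_label and features["payload_entropy"] > min_entropy


def zone_of(qname: str, zone_labels: int = 2) -> str:
    """Registered zone of a query name under the same zone_labels assumption."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-zone_labels:])


def aggregate_by_zone(qnames: list) -> dict:
    """Traffic-analysis style feature: query count and mean payload entropy per zone.
    A tunnel concentrates many distinct, high-entropy names under one zone."""
    stats = {}
    for q in qnames:
        z = zone_of(q)
        ent = extract_payload_features(q)["payload_entropy"]
        count, total = stats.get(z, (0, 0.0))
        stats[z] = (count + 1, total + ent)
    return {z: {"queries": c, "mean_payload_entropy": round(t / c, 3)}
            for z, (c, t) in stats.items()}


def score_all(qnames: list = SAMPLE_QUERIES) -> list:
    """Return (qname, features, flagged) for every name."""
    out = []
    for q in qnames:
        f = extract_payload_features(q)
        out.append((q, f, flag_suspicious(f)))
    return out


if __name__ == "__main__":
    for q, f, flagged in score_all():
        print(f"{'TUNNEL?' if flagged else 'ok     '} len={f['qname_length']:3d} "
              f"longest={f['longest_label']:2d} H={f['payload_entropy']:.2f} {q}")
    for z, s in aggregate_by_zone(SAMPLE_QUERIES).items():
        print(z, s)
```

The fixed rule in `flag_suspicious` only shows how such features feed a detector; in the machine learning work the paper reviews, the thresholds are learned from labelled traffic rather than hand-set. Note also that legitimate services (CDN hostnames, anti-spam or reputation lookups that encode hashes in labels) produce long, high-entropy names too, so payload features are inputs to a model alongside traffic features such as per-zone volume, not a verdict on their own.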

