DNS Tunneling Dataset

License MIT GitHub release (latest by date) ICCWS Paper

Introduction

This repository documents a DNS tunneling scenario written in the DACA configuration language, together with the datasets it generates. The samples can be used for detection tuning or for educational purposes.

This dataset was created as part of a Master's thesis at TalTech.

To reproduce the generated datasets, follow these instructions:

# 1. Install Vagrant and VirtualBox

# 2. Install Vagrant modules
vagrant plugin install vagrant-vbguest
vagrant plugin install vagrant-scp

# 3A. Start and stop the VMs of a single dataset; data collection follows automatically.
cd directory/with/Vagrantfile
vagrant up
vagrant halt

# 3B. Alternatively, generate, run and recreate all datasets in the scenario.
pip3 install pipenv
git clone git@github.com:Korving-F/DACA.git
cd DACA
pipenv install

python3 daca.py run -d data/ --path /path/to/scenario_file.yaml

MITRE ATT&CK

Scenario

Used DNS Tunneling software: IODINE / DNS2TCP / DNSCAT

Used DNS Servers: BIND 9 / CoreDNS / Dnsmasq / PowerDNS

Consume Datasets

Collected data within this repository comes in a variety of formats:

  • .log - Flat files containing the query logs as produced by the DNS server.
  • .json - The same flat files, relayed by Filebeat, which allows post-hoc ingestion into an Elasticsearch cluster.
  • .cast - asciinema recordings of the attacker's perspective. Replay with: asciinema play *.cast.
  • .pcap - Standard packet captures of the traffic on port 53.
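
For detection tuning against the .log files, the sketch below (an added example, not code from this repository or from DACA) extracts per-zone features from query-log entries and flags zones whose queried names are numerous, unique, long and high-entropy. It assumes BIND 9 style entries ending in "query: <qname> IN <qtype>"; the sample lines, the tunnel.test zone, the two-label zone heuristic and the thresholds are all constructed for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Tail of a BIND 9 query-log entry: "query: <qname> IN <qtype>" (assumed layout).
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def zone_stats(lines):
    """Per-zone query features; the zone is naively the last two labels."""
    subs, qtypes = defaultdict(list), defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query entry
        labels = m["qname"].rstrip(".").split(".")
        zone = ".".join(labels[-2:]).lower()
        subs[zone].append(".".join(labels[:-2]))  # keep case: it carries data
        qtypes[zone][m["qtype"]] += 1
    return {zone: {
        "queries": len(names),
        "unique_ratio": len(set(names)) / len(names),
        "mean_len": sum(map(len, names)) / len(names),
        "mean_entropy": sum(map(entropy, names)) / len(names),
        "qtypes": dict(qtypes[zone]),
    } for zone, names in subs.items()}

def suspicious_zones(stats, min_queries=3, min_len=30, min_entropy=3.5):
    """Zones with many unique, long, high-entropy names (illustrative thresholds)."""
    return sorted(z for z, s in stats.items()
                  if s["queries"] >= min_queries and s["unique_ratio"] > 0.9
                  and s["mean_len"] >= min_len and s["mean_entropy"] >= min_entropy)

# Constructed sample entries (not taken from the dataset).
LINE = "01-Jan-2022 10:00:00.000 client @0x0 10.0.0.5#40000 ({q}): query: {q} IN {t} + (10.0.0.2)"
SAMPLE = [LINE.format(q=q, t=t) for q, t in [
    ("www.example.com", "A"), ("mail.example.com", "MX"), ("www.example.com", "A"),
    ("q7Zk2LmN9xPd4RtV8wYb3HcJ5sGf6aUe.tunnel.test", "NULL"),
    ("m3Xv8KqT1zBn6WfC4yHj9LpR2dGs7AuE.tunnel.test", "NULL"),
    ("h5Rc9NwY2kJt7BxM4gPz8DfL1vQs6EaU.tunnel.test", "NULL"),
]]

if __name__ == "__main__":
    stats = zone_stats(SAMPLE)
    for zone in suspicious_zones(stats):
        print(zone, stats[zone])
```

The query-log layout of CoreDNS, Dnsmasq and PowerDNS differs from BIND 9, so QUERY_RE needs a per-server variant before the same features can be compared across the datasets.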

Architecture

Fig 1: DNS Tunnel high-level overview. Encoded/encrypted DNS queries establish a communications channel.



Fig 2: Overview of how the DNS tunnels are simulated and allow for C2 / data transfers.



Fig 3: Run-through of the VM creation, provisioning, data generation and acquisition process using IaC / DevOps tooling.


Datasets

File transfer over DNS Tunnel

IODINE

| DNS SERVER | AUTOMATION LEVEL | DNS RECORD TYPE | ENCODING | PASSPHRASE | LINK | DATA LINK |
|---|---|---|---|---|---|---|
| BIND9 | Fully Automated | CNAME | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | CNAME | RAW | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | CNAME | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | CNAME | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | MX | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | MX | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | MX | RAW | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | MX | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | NULL | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | NULL | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | NULL | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | NULL | RAW | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | PRIVATE | RAW | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | PRIVATE | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | PRIVATE | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | PRIVATE | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | SRV | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | SRV | RAW | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | SRV | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | SRV | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | TXT | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | TXT | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | TXT | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | TXT | RAW | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | CNAME | RAW | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | CNAME | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | CNAME | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | CNAME | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | MX | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | MX | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | MX | RAW | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | MX | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | NULL | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | NULL | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | NULL | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | NULL | RAW | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | PRIVATE | RAW | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | PRIVATE | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | PRIVATE | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | PRIVATE | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | SRV | RAW | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | SRV | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | SRV | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | SRV | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | TXT | RAW | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | TXT | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | TXT | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | TXT | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | CNAME | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | CNAME | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | CNAME | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | CNAME | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | MX | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | MX | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | MX | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | MX | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | NULL | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | NULL | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | NULL | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | NULL | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | PRIVATE | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | PRIVATE | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | PRIVATE | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | PRIVATE | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | SRV | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | SRV | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | SRV | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | SRV | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | TXT | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | TXT | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | TXT | RAW | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | TXT | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | CNAME | RAW | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | CNAME | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | CNAME | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | CNAME | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | MX | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | MX | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | MX | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | MX | RAW | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | NULL | RAW | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | NULL | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | NULL | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | NULL | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | PRIVATE | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | PRIVATE | RAW | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | PRIVATE | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | PRIVATE | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | SRV | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | SRV | RAW | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | SRV | BASE32 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | SRV | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | TXT | BASE64 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | TXT | BASE128 | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | TXT | RAW | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | TXT | BASE32 | 0xDEADBEEF | Scenario files | Data files |

DNS2TCP

| DNS SERVER | AUTOMATION LEVEL | DNS RECORD TYPE | COMPRESSION | PASSPHRASE | LINK | DATA LINK |
|---|---|---|---|---|---|---|
| BIND9 | Fully Automated | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | TXT | YES | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Fully Automated | TXT | NO | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | TXT | YES | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Fully Automated | TXT | NO | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | TXT | NO | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Fully Automated | TXT | YES | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | TXT | NO | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Fully Automated | TXT | YES | 0xDEADBEEF | Scenario files | Data files |

DNSCAT

| DNS SERVER | AUTOMATION LEVEL | DNS RECORD TYPE | LINK | DATA LINK |
|---|---|---|---|---|
| BIND9 | Partly Manual | TXT,CNAME,MX | Scenario files | Data files |
| COREDNS | Partly Manual | TXT,CNAME,MX | Scenario files | Data files |
| DNSMASQ | Partly Manual | TXT,CNAME,MX | Scenario files | Data files |
| POWERDNS | Partly Manual | TXT,CNAME,MX | Scenario files | Data files |

C2 over DNS Tunnel

DNS2TCP

| DNS SERVER | AUTOMATION LEVEL | DNS RECORD TYPE | COMPRESSION | PASSPHRASE | LINK | DATA LINK |
|---|---|---|---|---|---|---|
| BIND9 | Partly Manual | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Partly Manual | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Partly Manual | TXT | YES | 0xDEADBEEF | Scenario files | Data files |
| BIND9 | Partly Manual | TXT | NO | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Partly Manual | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Partly Manual | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Partly Manual | TXT | YES | 0xDEADBEEF | Scenario files | Data files |
| COREDNS | Partly Manual | TXT | NO | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Partly Manual | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Partly Manual | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Partly Manual | TXT | NO | 0xDEADBEEF | Scenario files | Data files |
| DNSMASQ | Partly Manual | TXT | YES | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Partly Manual | KEY | YES | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Partly Manual | KEY | NO | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Partly Manual | TXT | NO | 0xDEADBEEF | Scenario files | Data files |
| POWERDNS | Partly Manual | TXT | YES | 0xDEADBEEF | Scenario files | Data files |

DNSCAT

| DNS SERVER | AUTOMATION LEVEL | DNS RECORD TYPE | LINK | DATA LINK |
|---|---|---|---|---|
| BIND9 | Partly Manual | TXT,CNAME,MX | Scenario files | Data files |
| COREDNS | Partly Manual | TXT,CNAME,MX | Scenario files | Data files |
| DNSMASQ | Partly Manual | TXT,CNAME,MX | Scenario files | Data files |
| POWERDNS | Partly Manual | TXT,CNAME,MX | Scenario files | Data files |

License

DACA is licensed under the MIT license.
Copyright © 2022, Frank Korving