DNS tunnels inside DoH
- Type: Course project
- Subject: Network Securiry
- Institution: SCE - Shamoon College of Engineering
The goal of the project is to detect (classify) DNS tunnels inside DoH connections with mixed traffic (benign DoH and DNS tunnels over DoH).
DNS Tunnel = encapsulating TCP connection into DNS queries (requests and responses)
Malicious traffic = a DNS tunnel, e.g., covert tunnels
DoH proxy, which translates classical unencrypted DNS traffic into encrypted DoH
As you can see configuration is deployed on laptop (Windows OS) with 3 virtual machines (two of them used for DNS tunneling and one as DoH Proxy).
Also we need an own domain with special resource records. We have main domain onetwogleb.tech
, subdomain as A record home.onetwogleb.tech
and NS record tunnel.onetwogleb.tech
which uses A record as DNS server.
DoH proxy is deployed on VM Zorin OS. We used doh-stub part of this proxy and forwarded all requests to dns-cloudflare.com
For perfoming DNS tunneling dns2tcp was installed on two VMs – Debian (server side) and elementaryOS (client side).
Different networks (Ethernet and Wi-Fi) and different actions were perfomed to generate traffic (mostly web-browsing).
PCAP files dated 19-23 May were collected using Apple device (iPhone).
And PCAP files dated since 24 May were collected using standard router with Ethernet cabel and Wi-Fi network.
For generating traffic were used normal actions of an internet user and also clicker programs which opened random web-sites via special resources.
This repo contains two folders with PCAP files (doh and ndoh) and PCAP file with tunnel example.
-
doh folder contains two folders (ethernet and wifi)
-
ndoh folder contains PCAP file with ndoh traffic and keylog file with TLS keys