Güdekli U. T. , Ciylan B.

International Journal of Computer Science and Mobile Computing, vol.8, no.1, pp.154-162, 2019 (Scopus)


DNS is a basic protocol that lets web applications such as browsers operate on domain names. DNS was not designed to create a command channel or to carry tunnelled traffic, but many helper tools have been developed to build simple tunnels over it. Because it was not designed for general data transmission, DNS attracts less attention than other protocols. Attackers know that DNS is a well-structured and reliable protocol, and they are also aware that many organizations do not inspect DNS traffic for malicious activity. With DNS tunneling, cyber criminals can install rogue software on such vulnerable systems or embed stolen information in DNS queries, creating a covert communication channel that passes through most firewalls. Although DNS tunneling has some legitimate uses, many tunneling implementations are intended to cause harm. Many tunneling toolsets are available on the internet, so DNS tunneling has become a fairly easy process that requires no special technical expertise. At the same time, DNS tunneling is often used in very complex and large-scale attacks, including those sponsored or directly run by nation states. In this paper, DNS tunnels are reviewed and DNS packet size is tested as a feature for detecting DNS tunneling. We examine whether taking only DNS packet size into account is enough to detect DNS tunneling in a network, and we calculate the accuracy of the packet-size-based mitigation for use in our future work. We prepared a data pool and a test pool to calculate the accuracy of the test, and we report the accuracy of the packet-size-only approach.
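As an added illustration of the packet-size-only approach described in the abstract (this is example code, not the authors' implementation or data), the block below estimates the DNS message size of a query from its name, picks a size threshold on a labelled "data pool", and then measures accuracy on a separate "test pool". Both pools are constructed for this example; the size estimate assumes a single question, no EDNS and no IP/UDP headers (those add a constant, so the threshold simply shifts). The test pool deliberately contains a long but legitimate telemetry name and a short tunnel control message to show the false positive and false negative that a size-only check produces.

```python
# Added example (not from the paper): a DNS-tunneling detector that looks only at
# query size, trained and evaluated on constructed, labelled sample data.
import base64
from dataclasses import dataclass


@dataclass
class DnsRecord:
    qname: str        # query name as seen on the wire
    is_tunnel: bool   # ground-truth label (constructed for this example)


def dns_query_size(qname: str) -> int:
    """Estimated size in bytes of a DNS query message for qname:
    12-byte header + wire-format name (1 length byte per label + label bytes
    + 1 root byte) + 2 bytes QTYPE + 2 bytes QCLASS.
    Assumption: one question section, no EDNS OPT record, no transport headers."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    name_len = sum(1 + len(lbl) for lbl in labels) + 1
    return 12 + name_len + 4


def is_suspicious(qname: str, threshold: int) -> bool:
    """Size-only rule: flag any query whose estimated size exceeds the threshold."""
    return dns_query_size(qname) > threshold


def evaluate(records, threshold: int) -> dict:
    """Confusion counts and accuracy of the size rule over labelled records."""
    tp = fp = tn = fn = 0
    for r in records:
        flagged = is_suspicious(r.qname, threshold)
        if flagged and r.is_tunnel:
            tp += 1
        elif flagged and not r.is_tunnel:
            fp += 1
        elif not flagged and r.is_tunnel:
            fn += 1
        else:
            tn += 1
    total = tp + fp + tn + fn
    return {"accuracy": (tp + tn) / total, "tp": tp, "fp": fp, "tn": tn, "fn": fn}


def choose_threshold(training, candidates) -> int:
    """Pick the candidate threshold with the best accuracy on the data pool."""
    return max(candidates, key=lambda t: evaluate(training, t)["accuracy"])


# --- constructed sample data ------------------------------------------------
def encoded_label(chunk: bytes) -> str:
    """Tunnel-style label: base32 text of a data chunk (20 bytes -> 32 chars)."""
    return base64.b32encode(chunk).decode().lower().rstrip("=")


def tunnel_query(chunks, domain: str = "t.example.com") -> str:
    """Constructed tunnel query: one or more encoded labels under a controlled zone."""
    return ".".join(encoded_label(c) for c in chunks) + "." + domain


def chunk20(i: int) -> bytes:
    """A 20-byte filler payload; base32 of 20 bytes needs no padding."""
    return (b"chunk%02d" % i).ljust(20, b".")


TRAINING_POOL = [  # the paper's "data pool", constructed here
    DnsRecord("www.example.com", False),                              # 33 bytes
    DnsRecord("mail.example.org", False),                             # 34 bytes
    DnsRecord("api.v2.service.example.net", False),                   # 44 bytes
    DnsRecord("long-but-legit-hostname-01.cdn.example.com", False),   # 60 bytes
    DnsRecord(tunnel_query([chunk20(1)]), True),                      # 64 bytes
    DnsRecord(tunnel_query([chunk20(2), chunk20(3)]), True),          # 97 bytes
    DnsRecord(tunnel_query([chunk20(4), chunk20(5)]), True),          # 97 bytes
    DnsRecord(tunnel_query([chunk20(6)]), True),                      # 64 bytes
]

TEST_POOL = [  # the paper's "test pool", constructed here
    DnsRecord("www.example.org", False),                                       # 33
    DnsRecord("static.images.example.com", False),                             # 43
    DnsRecord("aabbccddeeff00112233445566778899.telemetry.example.net", False),  # 72: legit but long
    DnsRecord("ns1.example.com", False),                                       # 33
    DnsRecord(tunnel_query([chunk20(7), chunk20(8)]), True),                   # 97
    DnsRecord(tunnel_query([chunk20(9)]), True),                               # 64
    DnsRecord(tunnel_query([b"ack01"]), True),                                 # 40: short control message
    DnsRecord(tunnel_query([chunk20(10), chunk20(11)]), True),                 # 97
]

THRESHOLD_CANDIDATES = [40, 48, 56, 60, 64, 72]


if __name__ == "__main__":
    t = choose_threshold(TRAINING_POOL, THRESHOLD_CANDIDATES)
    print("chosen threshold (bytes):", t)
    print("training:", evaluate(TRAINING_POOL, t))
    print("test:", evaluate(TEST_POOL, t))
```

On the constructed data the threshold that separates the training pool perfectly (60 bytes) still misclassifies two of the eight test records: the long legitimate telemetry name is flagged and the short tunnel control message is missed. That is the limitation the abstract sets out to measure, and it is why packet size is usually combined with other features (query rate per domain, label entropy, record type mix) rather than used alone.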