Tunnelling is a method of creating a communication channel between two endpoints by encapsulating data into packets carried by other network protocols. It is often used to connect IP networks that have no native routing path between them (e.g., tunnelling private IP traffic over VPNs).
DNS tunnelling is a method of carrying data into and out of networks, by encapsulating said data within DNS queries and responses. This is useful for a number of reasons:
DNS is deployed on almost all networks globally.
The DNS protocol is hierarchical, and the client rarely sends a query directly to the server that can authoritatively answer it. Instead, a hierarchy of servers means queries are forwarded until they reach the correct destination.
This allows DNS to navigate perimeter defences: the internal DNS resolver that receives a query is itself permitted to send DNS traffic outbound to an upstream (usually ISP) resolver, so the query is forwarded along with everything else.
Some nuances of DNS that are accounted for in Canary-to-console communication:
DNS is carried over UDP, a stateless, connectionless protocol. Packet loss could interrupt communication. The Canary protocol provides a reliable TCP-like acknowledgement mechanism to handle this.
DNS hostnames are limited to 253 characters, so fragmentation is required for longer messages.
DNS hostnames and TXT records can only include a limited set of characters. Canary encodes data using Base32, converting messages into strings that can be transmitted over DNS.
DNS caching is prevalent in most resolvers. The encryption methods used by Canary ensure that DNS queries and responses are always unique, so caching has no impact.
By leveraging all the benefits of DNS, while addressing its nuances, Canary effectively uses DNS as a reliable, stateful, encrypted communication mechanism.
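As an added example (not Canary's code and not its actual wire format), the following Python shows how Base32 encoding, the 63-character DNS label limit and the 253-character hostname limit above together determine how a message is fragmented into query names and reassembled, and how a per-fragment header defeats resolver caching. The zone name, header layout and function names are assumptions made for illustration.

```python
import base64

MAX_LABEL = 63        # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253        # hostname limit cited in the text
HEADER_LEN = 12       # assumed header label: msg_id, seq, total (4 hex chars each)
ZONE = "tunnel.example"   # constructed placeholder zone, not a Canary domain

def fragment_capacity(zone: str = ZONE) -> int:
    """Base32 characters that fit in one query name once the header label,
    the zone and the separating dots are reserved (whole labels only)."""
    budget = MAX_NAME - len(zone) - 1 - HEADER_LEN - 1
    full_labels = (budget + 1) // (MAX_LABEL + 1)    # n labels need 64n-1 chars
    return MAX_LABEL * full_labels

def encode_message(message: bytes, msg_id: int, zone: str = ZONE) -> list:
    """Base32-encode `message` and split it into query names laid out as
    <data labels>.<header>.<zone> (assumed layout, not Canary's)."""
    # Base32 uses only A-Z and 2-7, all legal in hostnames. Padding is
    # dropped here and restored by the decoder; DNS names are case-insensitive.
    data = base64.b32encode(message).decode("ascii").rstrip("=").lower()
    cap = fragment_capacity(zone)
    chunks = [data[i:i + cap] for i in range(0, len(data), cap)] or [""]
    names = []
    for seq, chunk in enumerate(chunks):
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        # A per-message, per-fragment header keeps every name unique, so a
        # caching resolver can never answer a new fragment from its cache.
        header = f"{msg_id:04x}{seq:04x}{len(chunks):04x}"
        names.append(".".join(labels + [header, zone]))
    return names

def decode_messages(names: list, zone: str = ZONE) -> dict:
    """Reassemble query names received in any order into {msg_id: bytes}; a message
    with fragments still missing is withheld (an ack layer would request a resend)."""
    zone_len = len(zone.split("."))
    pending = {}
    for name in names:
        labels = name.lower().split(".")
        header = labels[-(zone_len + 1)]
        msg_id, seq, total = (int(header[i:i + 4], 16) for i in (0, 4, 8))
        entry = pending.setdefault(msg_id, (total, {}))
        entry[1][seq] = "".join(labels[:-(zone_len + 1)])
    complete = {}
    for msg_id, (total, frags) in pending.items():
        if len(frags) != total:
            continue
        data = "".join(frags[s] for s in range(total)).upper()
        data += "=" * (-len(data) % 8)       # restore Base32 padding
        complete[msg_id] = base64.b32decode(data)
    return complete
```

The same length arithmetic is what makes tunnelled names stand out to a defender: long, high-entropy Base32 labels packed right up to the 63- and 253-character limits are rare in legitimate DNS traffic.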