Tunneling is the method of creating a communication channel between two endpoints, by encapsulating data into packets carried by other network protocols. It is often used for connecting IP networks which do not have a native routing path between each other (e.g. tunneling private IP traffic over VPNs.)
DNS tunneling is a method of carrying data into and out of networks, by encapsulating said data within DNS queries and responses. This is useful for a number of reasons:
- DNS is deployed on almost all networks globally.
- The DNS protocol is hierarchical and the client rarely will directly send a query to the server that can authoritatively answer it. Instead, a hierarchy of servers means that clients send to a server nearby, which forwards the query until it gets to the right place.
- This means that DNS can navigate perimeter defenses, by sending packets to the internal DNS resolver, which inherently has permission to send DNS packets outbound to an upstream (usually ISP) resolver.
Some of the nuances of DNS, which have been catered for in Canary to console communication:
- DNS is carried over UDP, a stateless, connectionless protocol. Any packet loss could therefore interrupt the communication of Canary to its console. The Canary protocol provides for packet loss by forming a reliable TCP-like acknowledgment mechanism. DNS hostnames can only be 253 characters in length. Fragmentation is therefore required for longer messages.
- DNS hostnames (and TXT records) are constructed from a limited set of characters. For this reason, Canary encodes its data using Base32, which converts the Canary’s messages into strings that can be transmitted over DNS.
- DNS caching is prevalent on most resolver services, in both organizations and ISPs. The encryption methods used by Canary ensure that DNS queries and responses are always unique, meaning caching has no impact.
By utilizing all of the benefits of DNS, while containing the nuances, Canary effectively uses DNS as a reliable, stateful, encrypted communication mechanism.