In association with heise online

19 March 2010, 09:36

Exploit code with DNS tunnel


Hacker Ron Bowes has released various payloads that connect a shell's standard input and output with a suitable online counterpart through DNS. This allows attackers to bypass many firewalls and even attack systems that have no internet connection themselves.

For a DNS tunnel, the host computer only needs to be able to resolve external host names such as It can then handle its network traffic via DNS queries and responses. This concept was already demonstrated by Julien Oster and Florian Heinz via the Name Server Transfer protocol (NSTX), which tunnels entire IP connections via DNS.

DNS tunneling requires suitable server software to run on the DNS server responsible for a domain such as The host then simply sends DNS lookup queries such as -

The host name contains the packet data in a suitably encoded format. The request is sent to the local DNS server which will eventually pass it to the responsible name server; in the example this could be The DNS server can then decode the hostname and respond. The server can add to its response using, for example, the TXT resource record field, which, together with the IP address, will be returned to the computer which made the request. While NSTX tunnels an entire PPP connection this way, DNScat, like netcat, only transports a raw data channel through the net.
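Because the packet data travels inside the host name, a resolver log shows the tunnel as many unique, long, high-entropy subdomains under a single parent domain. The following detection sketch is an added example, not part of the original article or of the released payloads; the log format, the thresholds and the `.test` domains are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (client, query type, query name); not real traffic.
# "tunnel.test" and "example.test" are placeholder domains.
SAMPLE_LOG = """\
10.0.0.5 A www.example.test
10.0.0.5 A mail.example.test
10.0.0.7 A cdn1.example.test
10.0.0.7 A cdn2.example.test
10.0.0.7 A cdn3.example.test
10.0.0.9 TXT 3f9a1c07e5d28b46b0d4e6a2819c7f35.tunnel.test
10.0.0.9 TXT b0d4e6a2819c7f357c2e90b5a1f3d684.tunnel.test
10.0.0.9 TXT 7c2e90b5a1f3d684d51b8e3f04a9c276.tunnel.test
10.0.0.9 TXT d51b8e3f04a9c276a8640f2c9e7135bd.tunnel.test
10.0.0.9 TXT a8640f2c9e7135bd3f9a1c07e5d28b46.tunnel.test
"""

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_parents(log, min_unique=4, min_len=24, min_entropy=3.0):
    """Group queries by parent domain and flag parents that receive many
    unique, long, high-entropy subdomains (thresholds are assumptions)."""
    subs = defaultdict(set)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        labels = fields[2].rstrip(".").lower().split(".")
        # Naive parent = last two labels; production code would consult
        # the Public Suffix List instead.
        if len(labels) > 2:
            subs[".".join(labels[-2:])].add("".join(labels[:-2]))
    report = {}
    for parent, names in subs.items():
        avg_len = sum(map(len, names)) / len(names)
        avg_ent = sum(map(entropy, names)) / len(names)
        if len(names) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            report[parent] = {"unique": len(names), "avg_len": avg_len,
                              "avg_entropy": round(avg_ent, 2)}
    return report

if __name__ == "__main__":
    for parent, stats in suspicious_parents(SAMPLE_LOG).items():
        print(parent, stats)
```

Note that `example.test` also has five unique subdomains in the sample but is not flagged, because its labels are short; the combination of criteria is what separates encoded data from ordinary host names.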

Ron Bowes has combined this with a command line shell for Linux and Windows, packaging the shell code in such a way that it can conveniently be integrated into exploits. He has even created a Metasploit payload. However, the code has not been tested for functionality by The H's associates at heise Security; if anyone can confirm that it is functional, they would welcome a message to
