Full Report
or DNS exfiltration over DNS over HTTPS (DoH) with godoh

“Exfiltration Over Alternate Protocol” techniques, such as using the Domain Name System as a covert communication channel for data exfiltration, are not a new concept. We’ve used the technique for many years at SensePost, including Haroon & Marco’s 2007 BH/DC talk on Squeeza. In the present age this is a well understood topic, at least amongst Infosec folks, with a large number of resources available online that aim to enlighten those that may not be familiar with the concept. There are also practical techniques for detecting DNS Tunnelling on your network.
Analysis Summary
# Tool/Technique: godoh
## Overview
`godoh` is a proof-of-concept tool developed by SensePost to demonstrate and test the feasibility of using **DNS over HTTPS (DoH)** as a covert communication channel for **data exfiltration** and command execution. It leverages the obscurity provided by wrapping DNS queries inside legitimate HTTPS traffic, often directed at trusted public DoH resolvers like Google's.
## Technical Details
- Type: Tool
- Platform: Host/Client (implied, communicates over HTTPS/DNS)
- Capabilities: Data exfiltration, command and control (C2) over DoH, encryption/decryption, data compression/decompression.
- First Seen: Not explicitly stated, but the article discussing it was published October 24, 2018.
## MITRE ATT&CK Mapping
The primary technique revolves around covert communication.
- **TA0010 - Exfiltration**
  - **T1048 - Exfiltration Over Alternate Protocol**
    - T1048.003 - Exfiltration Over DNS **(Applicable as DoH tunnels DNS)**
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.004 - DNS
## Functionality
### Core Capabilities
* **C2 over DoH:** Establishes a two-way communication channel by tunneling DNS requests and responses over HTTPS (RFC 8484).
* **Data Exfiltration:** Encrypted and encoded data is broken into chunks and sent out via DNS A record lookups to the attacker-controlled server.
* **Command Execution:** The agent receives commands from the server via DNS lookups, parses the response (expected to be in a TXT record format), decrypts, decompresses, and executes the command.
* **Output Retrieval:** Execution output is processed (encoded, encrypted, translated) and sent back to the server via subsequent DNS lookups.
### Advanced Features
* **Protocol Layer Evasion:** By using DoH, the traffic appears as standard HTTPS, bypassing traditional DNS monitoring that focuses only on raw DNS protocol packets.
* **Domain Fronting Context:** Exploits the use of trusted domains (like `google.com`) as the front for C2 communication, similar to Domain Fronting, increasing evasion.
* **Data Handling:** Implements decryption, decompression, and encoding/translation steps to obfuscate data within DNS records.
* **Stream Management:** The server side tracks DNS requests using a control flag to manage multi-part command/data streams (start, continuation, end).
* **Response Handling:** The server interprets responses to determine if the data sent was simple command output (echoed) or file contents to be saved.
## Indicators of Compromise
* **File Hashes:** Not provided in the context excerpt (tool must be locally compiled or obtained).
* **File Names:** Not explicitly mentioned, as this is a tool/concept rather than a specific malware binary name.
* **Registry Keys:** Not applicable based on the excerpt.
* **Network Indicators:** Communication relies on sending DNS queries encapsulated in HTTPS requests to a DoH provider/attacker-controlled endpoint. (Specific domains are not listed, but would be the malicious actor's designated DoH endpoint).
* **Behavioral Indicators:**
  * High volume of DNS requests encapsulated within HTTPS traffic directed to known DoH providers or a specific C2 domain.
  * Use of DNS records, particularly TXT records for retrieving commands, or A records for data egress.
## Associated Threat Actors
* The tool was created by SensePost researchers (Leon Jacobs, Haroon, Marco) as a proof of concept, not associated with an established threat group in this context. However, the concept of DNS exfiltration is widely used by various threat actors.
## Detection Methods
* **Signature-based detection:** Not directly applicable without specific hashes, but signatures could target the JSON API structure used over HTTPS if non-standard.
* **Behavioral detection:**
  * Monitoring DNS queries originating from within HTTPS traffic streams (or vice versa).
  * Analyzing the size and rate of DNS lookups.
  * Detecting unusually long or specific label structures in hostnames being queried, indicative of encoded data.
* **YARA rules:** Not provided in the context excerpt.
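To make the behavioural checks above concrete, the following is an added example (not part of this report or of godoh itself) that scores DoH JSON API lookups from a constructed proxy log by hostname length, label count, character entropy and per-client query rate. The `dns.google` resolver endpoint, the `tun.example.net` names and the thresholds are assumptions chosen for the sample.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse
# Constructed sample proxy log ("client epoch URL"). Google's DoH JSON endpoint is the
# resolver; the tun.example.net names are made-up stand-ins for an encoded channel.
SAMPLE_LOG = """\
10.0.0.5 1540368000 https://dns.google/resolve?name=www.example.com&type=A
10.0.0.5 1540368003 https://dns.google/resolve?name=mail.example.com&type=A
10.0.0.9 1540368000 https://dns.google/resolve?name=3d9f4a1c5a8b.2e7f91c0d4a3f7e8.b1c2d9f0e4a5b6c7.c2.tun.example.net&type=A
10.0.0.9 1540368000 https://dns.google/resolve?name=b7e2a9c14f0d.6e8a2b3c5d1e9f0a.2b3c4d5e6f7a8b9c.c2.tun.example.net&type=A
10.0.0.9 1540368000 https://dns.google/resolve?name=9c1d3e5f7a8b.9c0d1e2f3a4b5c6d.7e8f9a0b1c2d3e4f.c2.tun.example.net&type=A
10.0.0.9 1540368001 https://dns.google/resolve?name=0a1b2c3d4e5f.6a7b8c9d0e1f2a3b.4c5d6e7f8a9b0c1d.c2.tun.example.net&type=TXT
"""

def shannon_entropy(text: str) -> float:
    """Bits per character: encoded chunks score higher than dictionary words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def parse_line(line: str):
    """Return (client, timestamp, qname, qtype) from a DoH JSON API request line."""
    client, ts, url = line.split(maxsplit=2)
    qs = parse_qs(urlparse(url).query)
    qname = qs.get("name", [""])[0].rstrip(".").lower()
    return client, int(ts), qname, qs.get("type", ["A"])[0].upper()

def name_features(qname: str) -> dict:
    """Shape of the queried hostname: overall length, label count, entropy."""
    return {"length": len(qname), "labels": qname.count(".") + 1,
            "entropy": round(shannon_entropy(qname.replace(".", "")), 2)}

def flag_queries(log_text, max_len=60, max_labels=5, min_entropy=3.5, max_qps=2):
    """Flag lookups whose name shape or per-second rate suggests tunnelled data."""
    per_client_sec = defaultdict(Counter)
    alerts = []
    for line in log_text.splitlines():
        client, ts, qname, qtype = parse_line(line)
        per_client_sec[client][ts] += 1
        f = name_features(qname)
        checks = [("long name", f["length"] > max_len),
                  ("many labels", f["labels"] > max_labels),
                  ("high entropy", f["entropy"] >= min_entropy)]
        reasons = [label for label, hit in checks if hit]
        if reasons:
            alerts.append((client, qname, qtype, reasons))
    for client, per_sec in per_client_sec.items():
        burst = max(per_sec.values())
        if burst > max_qps:
            alerts.append((client, "*", "*", [f"{burst} lookups in one second"]))
    return alerts
```

The same name-shape and rate checks apply to plain DNS logs from the authorized forwarders; only the parsing step changes.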
## Mitigation Strategies
* **Prevention:** Blocking outbound recursive DNS lookups entirely (though this severely impacts usability).
* **Hardening:** Implementing strict controls on DNS resolution, focusing monitoring efforts on the few authorized caching forwarders.
* **Protocol Monitoring:** Deep packet inspection focused on analyzing the content of DNS transactions, even when wrapped in TLS/HTTPS (TLS inspection might be required to see the underlying DNS payload).
* **Tooling:** Utilizing techniques for detecting DNS tunnelling, such as analyzing request size and rate, which still apply structurally even when DoH is used.
## Related Tools/Techniques
* **Squeeza:** Mentioned as an older SensePost tool demonstrating DNS tunnelling (2007 BH/DC talk).
* **Traditional DNS Tunnelling:** The underlying concept of using DNS as a covert channel.
* **Domain Fronting:** A related evasion technique that `godoh` applies to the DoH channel.
* **HTTP/S C2:** Mentioned as a faster, though potentially less evasive, alternative protocol for command communication.