Combating Malicious DNS Tunnel
This addresses security threats from DNS tunnels for network administrators, but it is incremental as it builds on existing whitelist/blacklist methods.
The paper tackles the problem of malicious DNS tunnels by proposing a defense scheme that uses a tunnel validator to block insecure domains and allow secure ones, resulting in a system that records suspicious queries for forensics and detection.
This paper proposes a defense scheme against malicious use of DNS tunnel. A tunnel validator is designed to provide trustworthy tunnel-aware defensive recursive service. In addition to the detection algorithm of malicious tunnel domains, the tunnel validation relies on registered tunnel domains as whitelist and identified malicious tunnel domains as blacklist. A benign tunnel user is thus motivated to register its tunnel domain before using it. Through the tunnel validation, the secure domains are allowed to the recursive service provided by the tunnel validator and the insecure domains are blocked. All inbound suspicious DNS queries are recorded and stored for forensics and future malicious tunnel detection by the tunnel validator.