{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T03:46:18Z","timestamp":1760240778310,"version":"build-2065373602"},"reference-count":20,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2019,9,12]],"date-time":"2019-09-12T00:00:00Z","timestamp":1568246400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>Covert channel communications are of vital importance for the ill-motivated purposes of cyber-crooks. Through these channels, they are capable of communicating in a stealthy way, unnoticed by the defenders and bypassing the security mechanisms of protected networks. The covert channels facilitate the hidden distribution of data to internal agents. For instance, a stealthy covert channel could be beneficial for the purposes of a botmaster that desires to send commands to their bot army, or for exfiltrating corporate and sensitive private data from an internal network of an organization. During the evolution of the Internet, a plethora of network protocols has been exploited as covert channels. The DNS protocol, however, has a prominent position in this exploitation race, as it is one of the few protocols that is rarely restricted by security policies or filtered by firewalls, and thus fulfills perfectly a covert channel\u2019s requirements. Therefore, there are more than a few cases where the DNS protocol and infrastructure are exploited in well-known security incidents. In this context, the work at hand puts forward by investigating the feasibility of exploiting the DNS Security Extensions (DNSSEC) as a covert channel. 
We demonstrate that it is beneficial and quite straightforward to embed the arbitrary data of an aggressor\u2019s choice within the DNSKEY resource record, which normally provides the public key of a DNSSEC-enabled domain zone. Since DNSKEY contains the public key encoded in base64 format, it can be easily exploited for the dissemination of an encrypted or stego message, or even for the distribution of a malware\u2019s binary encoded as a base64 string. To this end, we implement a proof of concept based on two prominent nameserver software, namely BIND and NSD, and we publish in the DNS hierarchy custom data of our choice concealed as the public key of the DNS zone under our jurisdiction in order to demonstrate the effectiveness of the proposed covert channel.<\/jats:p>","DOI":"10.3390\/info10090284","type":"journal-article","created":{"date-parts":[[2019,9,12]],"date-time":"2019-09-12T10:56:06Z","timestamp":1568285766000},"page":"284","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Another Step in the Ladder of DNS-Based Covert Channels: Hiding Ill-Disposed Information in DNSKEY RRs"],"prefix":"10.3390","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9193-8517","authenticated-orcid":false,"given":"Marios","family":"Anagnostopoulos","sequence":"first","affiliation":[{"name":"Department of Information Security and Communication Technology, Norwegian University of Science & Technology, 2802 Gj\u00f8vik, Norway"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"John Andr\u00e9","family":"Seem","sequence":"additional","affiliation":[{"name":"Department of Information Security and Communication Technology, Norwegian University of Science & Technology, 2802 Gj\u00f8vik, Norway"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2019,9,12]]},"reference":[{"key":"ref_1","unstructured":"Arends, R., Austein, R., 
Larson, M., Massey, D., and Rose, S. (2019, July 17). Available online: https:\/\/tools.ietf.org\/html\/rfc4033."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1016\/j.cose.2018.09.006","article-title":"Detection of malicious and low throughput data exfiltration over the DNS protocol","volume":"80","author":"Nadler","year":"2019","journal-title":"Comput. Secur."},{"key":"ref_3","unstructured":"Williamson, D. (2019, July 17). Available online: https:\/\/www.helpnetsecurity.com\/2017\/10\/02\/dns-exfiltration\/."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Kara, A.M., Binsalleeh, H., Mannan, M., Youssef, A., and Debbabi, M. (2014, January 10\u201314). Detection of malicious payload distribution channels in DNS. Proceedings of the 2014 IEEE International Conference on Communications (ICC), Sydney, Australia.","DOI":"10.1109\/ICC.2014.6883426"},{"key":"ref_5","unstructured":"Mullaney, C. (2019, July 17). Available online: https:\/\/www.symantec.com\/connect\/blogs\/morto-worm-sets-dns-record."},{"key":"ref_6","unstructured":"Ahmed, J., Gharakheili, H.H., Raza, Q., Russell, C., and Sivaraman, V. (2019, January 8\u201312). Real-Time Detection of DNS Exfiltration and Tunneling from Enterprise Networks. Proceedings of the 2019 IFIP\/IEEE Symposium on Integrated Network and Service Management (IM), Washington, DC, USA."},{"key":"ref_7","unstructured":"Brumaghin, E., and Grady, C. (2019, July 17). Available online: https:\/\/blog.talosintelligence.com\/2017\/03\/dnsmessenger.html."},{"key":"ref_8","unstructured":"Kitterman, S. (2019, July 17). Available online: https:\/\/tools.ietf.org\/html\/rfc7208."},{"key":"ref_9","unstructured":"Mockapetris, P. (2019, July 17). 
Available online: https:\/\/www.ietf.org\/rfc\/rfc1035.txt."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"475","DOI":"10.1016\/j.cose.2013.10.001","article-title":"DNS Amplification Attack Revisited","volume":"39","author":"Anagnostopoulos","year":"2013","journal-title":"Comput. Secur."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Ianelli, N., and Hackworth, A. (2005). Botnets as a Vehicle for Online Crime, CERT Coordination Center. White Paper.","DOI":"10.5769\/C2006003"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Anagnostopoulos, M., Kambourakis, G., Drakatos, P., Karavolos, M., Kotsilitis, S., and Yau, D. (2017, January 7\u201311). Botnet Command and Control Architectures Revisited: Tor Hidden Services and Fluxing. Proceedings of the Web Information Systems Engineering (WISE 2017), Puschino, Russia.","DOI":"10.1007\/978-3-319-68786-5_41"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"455","DOI":"10.1007\/s10207-015-0310-0","article-title":"New facets of mobile botnet: architecture and evaluation","volume":"15","author":"Anagnostopoulos","year":"2015","journal-title":"Int. J. Inf. Secur."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Nussbaum, L., Neyron, P., and Richard, O. (2009). On Robust Covert Channels Inside DNS. Proceedings of the 24th IFIP TC 11 International Information Security Conference (SEC 2009), Springer.","DOI":"10.1007\/978-3-642-01244-0_5"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Dietrich, C.J., Rossow, C., Freiling, F.C., Bos, H., van Steen, M.V., and Pohlmann, N. (2011, January 6\u20137). On Botnets That Use DNS for Command and Control. 
Proceedings of the Seventh European Conference on Computer Network Defense (EC2ND), Gothenburg, Sweden.","DOI":"10.1109\/EC2ND.2011.16"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"143","DOI":"10.1109\/TDSC.2013.10","article-title":"DNS for Massive-Scale Command and Control","volume":"10","author":"Xu","year":"2013","journal-title":"IEEE Trans. Depend. Secur. Comput."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"7","DOI":"10.1016\/S1353-4858(17)30037-5","article-title":"Fileless attacks: Compromising targets without malware","volume":"2017","year":"2017","journal-title":"Netw. Secur."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Yadav, S., Reddy, A.K.K., Reddy, A.N., and Ranjan, S. (2010, January 1\u20133). Detecting Algorithmically Generated Malicious Domain Names. Proceedings of the 10th ACM SIGCOMM IMC \u201910, Melbourne, Australia.","DOI":"10.1145\/1879141.1879148"},{"key":"ref_19","unstructured":"(2019, July 17). Internet Systems Consortium; BIND 9. Available online: https:\/\/www.isc.org\/bind\/."},{"key":"ref_20","unstructured":"(2019, July 17). NLnet Labs; Name Server Daemon (NSD). 
Available online: https:\/\/www.nlnetlabs.nl\/projects\/nsd\/about\/."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/10\/9\/284\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:19:32Z","timestamp":1760188772000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/10\/9\/284"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,9,12]]},"references-count":20,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2019,9]]}},"alternative-id":["info10090284"],"URL":"https:\/\/doi.org\/10.3390\/info10090284","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2019,9,12]]}}}