Title: DLAZE: Detecting DNS Tunnels Using Lightweight and Accurate Method for Zero-Day Exploits
Authors: Neha Sharma; Mayank Swarnkar; Divyanshu
Journal: IEEE Transactions on Network and Service Management, Volume 22, Issue 3, pages 2343-2353
Publication date: 2025-02-12 (Journal Article)
DOI: 10.1109/TNSM.2025.3541234
URL: https://ieeexplore.ieee.org/document/10883647/
Journal impact factor: 4.7; JCR quartile: Q1 (Computer Science, Information Systems)
Open access: no
Record source: Semantic Scholar
Citation count: 0
Abstract
The Domain Name System (DNS) protocol is heavily targeted today for creating tunnels and exfiltrating information from the intended machines. The reason for such exploitation is that most firewalls and Intrusion Detection Systems (IDSs) pass DNS unchecked in order to maintain the network's quality of service. Most detection methods rely on signatures of tunneled queries and of tunneling tools to detect DNS tunnels. However, new or updated tool versions bypass these signature-based methods. Moreover, DNS generally makes up a significant portion of total network traffic, with a heavily skewed distribution of legitimate DNS traffic versus DNS tunnels. Thus, checking every DNS packet against signatures is a bottleneck for network efficiency. To resolve this problem, we propose DLAZE, which can efficiently detect both known and unknown DNS tunnels in network traffic without compromising the efficiency of the network. DLAZE is a three-layer system. The first layer uses our previously proposed work, OptiTuneD, which filters out nearly all legitimate DNS packets in linear time and addresses the skewed distribution of legitimate versus tunneled DNS. The remaining packets are passed to the second layer, which uses a Bidirectional Encoder Representations from Transformers (BERT) model, with quadratic time complexity, to identify legitimate DNS packets that the first layer left unclassified. The third layer receives only unknown or zero-day DNS packets, which may be legitimate or tunnels; these are differentiated using the Probing method with constant time complexity. We tested DLAZE on three publicly available datasets. The experimental results show that the average recall, precision, and F1-score across all three datasets are 98.74%, 97.46%, and 97.95%, respectively, with an average processing time of 473.25 milliseconds per DNS packet.
Journal description:
IEEE Transactions on Network and Service Management will publish (online only) peer-reviewed archival-quality papers that advance the state of the art and practical applications of network and service management. Theoretical research contributions (presenting new concepts and techniques) and applied contributions (reporting on experiences and experiments with actual systems) will be encouraged. These transactions will focus on the key technical issues related to: Management Models, Architectures and Frameworks; Service Provisioning, Reliability and Quality Assurance; Management Functions; Enabling Technologies; Information and Communication Models; Policies; Applications and Case Studies; Emerging Technologies and Standards.