Exfiltrating using DNS, or VPN over DNS and the various other techniques are not new.
They do show how difficult it is to police data from leaving one's network.
I use it when I need an ssh or web connection in extremely hostile environments that only allow free DNS queries out, like some planes, buses, establishments, etc.
There are also links to other implementations here: http://en.cship.org/wiki/OzymanDNS
Don't get me wrong, it's nice to see a simple example like yours, but projects like http://code.kryo.se/iodine/ do essentially (from an abstract perspective) the same thing.
scp localfile user@tunnelhost:/some/place
Unless the recursive nameserver in use happens to implement this hack for improved security:
I love unbound.
# If you don't like non-valid characters in the hostname,
# then use hex encoding rather than base64
So far, I've not encountered a failure using b64 encoding. But that could be an issue. And as you say, other encodings could be used if that does prove to be a problem.
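As an added illustration of the encoding point above (example code written for this page, not the OP's script or any of the linked tools): the script below chunks a payload into `<seq>.<encoded>.<domain>` query names using either base64 or hex, validates each name against the letters-digits-hyphen label rule and the 63/253-octet limits, and reassembles the chunks on the other side. The domain `exfil.example` and the 30-byte chunk size are placeholders chosen for the example; the payload is constructed inline.

```python
import base64
import binascii
import re

# Hostname labels: letters, digits and hyphens only (the RFC 1035 "LDH" rule,
# digit-first labels allowed per RFC 1123), at most 63 octets per label and
# 253 octets for the whole name. Base64 output can contain '+', '/' and '=',
# which many resolvers and logging pipelines will reject or mangle; hex never does.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_LABEL = 63
MAX_NAME = 253


def encode_chunk(data: bytes, encoding: str) -> str:
    if encoding == "base64":
        return base64.b64encode(data).decode("ascii")
    if encoding == "hex":
        return binascii.hexlify(data).decode("ascii")
    raise ValueError(f"unknown encoding {encoding}")


def decode_chunk(text: str, encoding: str) -> bytes:
    if encoding == "base64":
        return base64.b64decode(text)
    if encoding == "hex":
        return binascii.unhexlify(text)
    raise ValueError(f"unknown encoding {encoding}")


def is_valid_hostname(name: str) -> bool:
    """True if every label is LDH-clean and the size limits are respected."""
    if len(name) > MAX_NAME:
        return False
    return all(LDH_LABEL.match(label) for label in name.split("."))


def build_queries(payload: bytes, domain: str, encoding: str, chunk_size: int = 30) -> list:
    """Split payload into chunks and build one query name per chunk.

    30 raw bytes become 40 base64 chars or 60 hex chars, so a chunk always
    fits in a single 63-octet label; longer encodings are split across labels.
    """
    names = []
    for seq, off in enumerate(range(0, len(payload), chunk_size)):
        encoded = encode_chunk(payload[off:off + chunk_size], encoding)
        labels = [encoded[i:i + MAX_LABEL] for i in range(0, len(encoded), MAX_LABEL)]
        names.append(".".join([str(seq)] + labels + [domain]))
    return names


def reassemble(names: list, domain: str, encoding: str) -> bytes:
    """Receiver side: strip the domain, order by sequence number, decode."""
    suffix = "." + domain
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            raise ValueError(f"unexpected name {name}")
        labels = name[:-len(suffix)].split(".")
        parts[int(labels[0])] = decode_chunk("".join(labels[1:]), encoding)
    return b"".join(parts[i] for i in sorted(parts))


if __name__ == "__main__":
    payload = bytes(range(256))  # constructed sample payload
    for enc in ("hex", "base64"):
        queries = build_queries(payload, "exfil.example", enc)
        bad = [q for q in queries if not is_valid_hostname(q)]
        print(f"{enc}: {len(queries)} queries, {len(bad)} with non-LDH characters")
        assert reassemble(queries, "exfil.example", enc) == payload
```

With the constructed payload, every hex name is LDH-clean while some base64 names carry `/`, `+` or `=`; both round-trip correctly when the resolver path passes them through unchanged, which is exactly the "so far it works, but it could fail" situation the comment describes.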
Cobalt Strike is a commercial tool, so it better include the bells and whistles. The OP does a good job of showing code that anyone can play with, right now.
Dan Kaminsky's BlackHat presentations on OzymanDNS are excellent as well.
With new versions of BIND 10 allowing Python scripting, PowerDNS with Lua scripting and Unbound with Python, I think we'll start seeing more corps controlling DNS queries (or attempting to do so) with whitelists/blacklists, but for the time being, things are mostly wide-open.
Wouldn't that mean hundreds, thousands or tens of thousands of requests for nonsensical subdomains of the same domain name (and that domain name is probably a silly one if you got it recently for 10 bucks)?
This is not anomalous DNS traffic? My imagination just does not stretch this far. If the title was just "Transfer a file via DNS", maybe I could play along.
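The comment above is the detection argument in a nutshell: one domain suddenly receiving a large number of unique, long, high-entropy subdomains. The following example (added here; not code from the OP or from any resolver project) profiles a constructed query log per registered domain and flags the ones that look like a tunnel. The log format `client qname qtype`, the domain names, the thresholds, and the "last two labels are the registered domain" shortcut are all assumptions made for the example; production code would use the Public Suffix List and the real resolver's log format.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of the string (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    # Assumption for the example: the registered domain is the last two labels.
    # Real detection logic should consult the Public Suffix List instead.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def build_sample_log() -> list:
    """Constructed log lines in the form 'client qname qtype' (not a real format)."""
    lines = []
    normal = ["www.example.com", "mail.example.com", "cdn.example.net", "api.example.net"]
    for i in range(200):
        lines.append(f"10.0.0.{i % 20} {normal[i % len(normal)]} A")
    # 40 tunnel-style queries: <seq>.<40 hex chars>.exfil.example, hex derived
    # deterministically from sha256 so the sample is reproducible.
    for seq in range(40):
        chunk = hashlib.sha256(str(seq).encode()).hexdigest()[:40]
        lines.append(f"10.0.0.5 {seq}.{chunk}.exfil.example TXT")
    return lines


def profile(lines: list) -> dict:
    """Per registered domain: query count, unique subdomains, mean length and entropy."""
    per = defaultdict(lambda: {"queries": 0, "subs": set(), "sub_len": 0, "entropy": 0.0})
    for line in lines:
        _client, qname, _qtype = line.split()
        dom = base_domain(qname)
        sub = qname[:-len(dom) - 1] if qname != dom else ""
        p = per[dom]
        p["queries"] += 1
        p["subs"].add(sub)
        p["sub_len"] += len(sub)
        p["entropy"] += shannon_entropy(sub.replace(".", ""))
    return {
        dom: {
            "queries": p["queries"],
            "unique_subdomains": len(p["subs"]),
            "mean_sub_len": p["sub_len"] / p["queries"],
            "mean_entropy": p["entropy"] / p["queries"],
        }
        for dom, p in per.items()
    }


def flag_suspicious(stats: dict, min_unique=20, min_len=24, min_entropy=3.0) -> list:
    """Domains whose subdomain population looks like encoded data rather than hostnames."""
    return sorted(
        dom for dom, s in stats.items()
        if s["unique_subdomains"] >= min_unique
        and s["mean_sub_len"] >= min_len
        and s["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    stats = profile(build_sample_log())
    for dom, s in sorted(stats.items()):
        print(f"{dom:16} queries={s['queries']:4} unique={s['unique_subdomains']:3} "
              f"len={s['mean_sub_len']:5.1f} entropy={s['mean_entropy']:4.2f}")
    print("flagged:", flag_suspicious(stats))
```

The thresholds are deliberately crude; the point is that the three signals the comment names (many unique names, long labels, random-looking content) separate the tunnel domain from ordinary traffic even in a tiny sample, and a resolver with scripting hooks could apply the same test inline.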
I think nstx preceded iodine.
Here's another one no one has mentioned yet:
What I'd really like to see is an implementation of lcamtuf's old, pre-cloud/dropbox idea: daemon caches, specifically recursive DNS caches, as free (temporary) distributed storage. Anyone can store data for free on hundreds of thousands of networked computers worldwide, otherwise known as recursive DNS caches. Currently we only store "domain names" on these servers, but as the OP shows, it's possible to encode more information into requests than just domain names.
Imagine if the encoded data was an image. With most recursive DNS servers, the data expires upon the TTL expiry. Snapchat via DNS.
It will also probably behave in "interesting" ways when run against a resolver that's on an anycast IP and doesn't synchronize.
"When/if the network security team figures this out and blocks it, I'll demonstrate a few other ways in which data can be exfiltrated."
He mentions blocking there, but given the technique, could forensics show that this has been used? For example, could some future whistleblower for a national security agency (ours or anyone else's for that matter) use this to exfiltrate files without risk of discovery after the fact?
Could an organization like wikileaks or the guardian use this as a technique for whistleblowers to leak files safely?
bottom line: amateurs get caught.