DNS tunnel detection

I've been frustrated with large-scale traffic analysis tools for a long time. I recently did some DNS traffic analysis to study possibilities for detecting DNS tunnels.

I wrote up my traffic analysis thoughts in a study of dns. The result of that paper was thresholds of typical DNS hostname request lengths, at least for my traffic. Not satisfied with a static threshold, I built a visualization for the traffic using processing. The writeup of the visualization is available in part ii.

A picture is attached of dns hostname requests when ssh'ing over dns using dns2tcp. The code is available as well; you can visualize your own captures or live traffic off the wire.

enjoy.
tranq

Visualization of DNS tunnel traffic