YODA: Covert Communication Channel over Public DNS Resolvers

Enterprises are increasingly migrating to public domain name system (DNS) resolvers for reliability, cost optimizations, and, most importantly, improved security and user privacy. The integrated threat intelligence feeds at these resolvers enable easy identification and blocking of malicious exploits that use DNS queries. However, we observe that the shared local caches at these public DNS resolvers enable covert communication channels from otherwise secure enterprises accessible to any remote adversary, thus cautioning the migration to public DNS resolvers. We present YODA, a covert communication channel via public DNS resolvers that can exfiltrate sensitive information from a victim enterprise to a remote adversary. Unlike prior works, YODA overloads DNS queries for popular domains to transfer the data without revealing any identity of the adversary. Consequently, YODA cannot be blocked by domain name filtering. We demonstrate our attack on public DNS resolvers such as Google, Cloudflare, Quad9, OpenDNS, and LibreDNS. Our evaluations show that the adversary can achieve a bandwidth of 480bps with desktop devices.