Enhancing DNS data exfiltration protection through SDN data plane programming

  • Jacob Steadman

Student thesis: Doctoral ThesisDoctor of Philosophy


Data exfiltration has been a lucrative goal for malicious actors for many years, leading to a cycle of detection and avoidance that has driven the evolution of data exfiltration attacks. According to a 2019 Radware report, protecting private data was the highest area of investment for cyber security. This should come as no surprise due to the impact that data breaches can have at a private and corporate level, with large-scale data breaches being reported annually [1]. The Domain Name System (DNS) protocol has been a popular choice for malicious communication channels for many years; the vulnerability was first publicly discussed in 1998. Now, many years on, this vulnerability remains and exploits against it have grown more sophisticated and varied. The essential nature of the DNS protocol for Internet communication makes handling the threat difficult. Additionally, the movement to encrypt DNS renews old vulnerabilities that could be handled with proper traffic monitoring. In this thesis, the advantages of software-defined networking (SDN) and data plane programming are identified and leveraged to detect DNS-based data exfiltration attacks, including DNS-over-HTTPS. A DNS traffic analysis tool has been created for the SDN controller utilising its logically centralised network position. The controller application performs per-domain DNS and per-flow DoH traffic analysis for hosts throughout the network. To aid this analysis DNS-based data exfiltration attacks have been separated into 3 sub-categories: data exfiltration, protocol tunnelling, and command and control. To reduce the strain on the SDN controller, coarse-grained packet filtering is applied in the data plane to provide a rapid association for DNS packets into benign, malicious, and suspicious labels. This labelling informs the data plane on how to treat the traffic, either forwarding, dropping, or mirroring packets, as appropriate. The SDN controller application then populates a domain blacklist held at either the internal DNS server, to allow for dynamic domain blacklisting of DNS traffic that keeps the DNS service available for the affected host, or in the data plane to block DoH traffic from an infected host. Additionally, a solution for extracting DNS-over-HTTPS from other HTTPS traffic in the data plane is presented. The data plane traffic categorisation greatly reduces the volume of DNS and HTTPS traffic sent to the monitoring application at the SDN controller.The evaluation demonstrates that the solution’s tiered approach provides the combined benefit of reducing data loss during an attack and limiting the strain on network resources through efficient data plane programming.

Date of AwardDec 2021
Original languageEnglish
Awarding Institution
  • Queen's University Belfast
SupervisorSandra Scott-Hayward (Supervisor) & Sakir Sezer (Supervisor)


  • SDN
  • network security
  • DNS
  • data exfiltration

Cite this