Detection of communication over DNSSEC covert channels

Unauthorized data removal and modification from information systems represents a major and formidable threat in modern computing. Security researchers are engaged in a constant and escalating battle with the writers of malware and other methods of network intrusion to detect and mitigate this threat. Advanced malware behaviors include encryption of communications between the server and infected client machines as well as various strategies for resilience and obfuscation of infrastructure. These techniques evolve to use any and all available mechanisms. As the Internet has grown, DNS has been expanded and has been given security updates. This study analyzed the potential uses of DNSSEC as a covert channel by malware writers and operators. The study found that changing information regarding the Start of Authority (SOA) and resigning the zone can create a covert channel. The study provided a proof of concept for this previously undocumented covert channel that uses DNSSEC.