DNS tunneling has led to significant privacy breaches and financial losses. Different tool for DNS tunneling serves varied purposes: penetration testing, firewall bypassing, and communication with C2 servers. Therefore, achieving multi-classification for different DNS tunneling software is crucial. However, previous research faced three issues: ineffective use of PDNS data, overlooking the topological relationships of entities, and not leveraging DNS tunnels' structural features, causing inefficiencies in multi-classification tasks. Our method utilizes the graph's powerful representation ability for relationship to exploit DNS tunnel domain names' structural features from PDNS data and to address sample imbalance meanwhile. We constructed a PDNS dataset containing 691,769 domain names and a graph dataset named CSR-PTDNG, comprising 41,943 graphs. The latter represents the first graph dataset related to DNS tunneling research. Besides, we adopt three encoders for Client, Subdomain, and Record data (Rdata) nodes. Using GNNs for node embeddings updating and graph classification, we evaluate the models and the framework in binary and multi-class tasks. Ultimately, all GNN models achieved nearly 1 AUC and F1-score, demonstrating the effectiveness of our graph construction approach.
