Firewall Wizards mailing list archives

Re: dns outbound

From: "Marcus J. Ranum" <mjr () clark net>
Date: Tue, 18 May 1999 08:14:50 -0400

Ryan Russell wrote:

Another claimed that one of his uses was able to
surf the web without having to authenticate on the
way out, via the DNS rule.


If you have access to an external system, someplace, you can
use DNS packets to contain IP packets, or you can set up
an application-level proxy that tunnels over DNS packets.
Kind of a lot of work, but a technically knowledgeable person
behind a firewall that he/she didn't like could do it easily
enough. This is a basic problem with firewalls: so much
stuff can be pushed back and forth through them that they're
very easy to tunnel through. What scares me is the (obvious)
implication of a "firewall-aware" tunnelling trojan horse/virus
that opens outgoing connections via HTTP or other protocols
that firewalls typically allow.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

Current thread:

dns outbound Deepak Vaidya (May 16)
- Re: dns outbound Lance Spitzner (May 17)
- Re: dns outbound Larry Chin (May 17)
  - RE: dns outbound Thomas Crowe (May 18)
- Re: dns outbound Joseph S D Yao (May 17)
- <Possible follow-ups>
- Re: dns outbound David Goldsmith (May 17)
- RE: dns outbound Buckley, Neil (May 17)
- Re: dns outbound Ryan Russell (May 17)
  - Re: dns outbound Marcus J. Ranum (May 18)
    - Re: dns outbound chuck (May 18)
    - Re: dns outbound Ge' Weijers (May 19)
    - Re: dns outbound Matt McClung (May 18)
    - Re: dns outbound Darren Reed (May 18)
    - Re: dns outbound Bennett Todd (May 19)
- Re: dns outbound Robert Graham (May 17)
  - Re: dns outbound Deepak Vaidya (May 17)
  - Re: dns outbound wyllys (May 18)
    - Re: dns outbound David Gillett (May 19)
    - Re: dns outbound wyllys (May 21)

(Thread continues...)