Firewall Wizards mailing list archives

RE: IP over DNS.


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Thu, 14 Sep 2000 11:45:56 -0500


-----Original Message-----
From: Matt Cramer [mailto:mscramer () armstrong com]
Sent: Tuesday, September 12, 2000 3:51 PM

Set up DNS internally, point all your hosts at it.  Allow only your
internal DNS to get past your firewall.  Problem solved.

Not quite. Here is a posting that originally went to a different list...
---8<---

Hmmm. I feel I have to jump in here (and probably get torched), but I
think Eric is correct. We are missing the point.

Specifically, the end point. This may not apply to the posted DNS
tunnel, I don't know, I haven't analyzed it. But let's play something
similar through in our minds...

VPNs and other tunnels usually terminate at a defined endpoint. The
tunnel establishes a connection to a certain host. However, with a
DNS tunnel, there is no specific endpoint. You can use any DNS server
anywhere from any network on any continent. Data would be requested
by a station. Its assigned DNS server would query...say an upstream
DNS. Eventually a DNS server (perhaps 2 down the chain) will fetch
the response from the rogue DNS server and pass it along to the
requesting, caching DNS server and eventually the client. So the
tunnel is not port 53 but the content of DNS requests and responses.

The only problem I see is the caching of data. This could be
circumvented by using sequence numbers in the query such as a lookup
of a TXT record for host
00000001.Base64codedData.toBeTransferredHere.<rougedomain.com>. This
could return a dynamically generated TXT file with encapsulated
data. However, since it may be cached, the next lookup needs to occur
against 00000002.data.here.rougedomain.com, and so on.

This type of tunnel would allow data to be passed without having to
specify an end point for the tunnel. It will provide for a two way
tunnel (unlike just downloading a file, i.e. DeCSS source code). Of
course the upstream data channel is probably pretty slow since the
data field is limited to the hostname size in the DNS query, and maybe
the whole thing will make for a nice DoS (overloading caching DNS
servers) along the way.

But the point is that data could be transmitted in a two-way tunnel
fashion without being inspected. I assume the only way to prevent
this tunnel would be to configure DNS servers not to allow TXT
record lookups. (Then someone will probably move to an MX record...)

Afaik, there is no DNS proxy that actually examines the contents of
DNS queries and replies...

Any thoughts on this?

Frank



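The post says no DNS proxy inspects query contents; the pattern it describes (every name unique to defeat caching, a leading sequence-number label, a long base64 label per query, TXT or MX types) is nonetheless easy to spot in a resolver's query log. The following is an added example, not from the list or from any DNS tunnel tool; the log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed resolver query log (hypothetical "<ts> <client> <qtype> <qname>" format);
# the TXT lookups mimic the sequence-numbered, base64-carrying names from the post.
SAMPLE_LOG = """\
1 10.0.0.5 A www.example.com
2 10.0.0.5 TXT 00000001.SGVsbG8gd29ybGQuIFRoaXMgaXMgYSB0ZXN0.rougedomain.com
3 10.0.0.5 TXT 00000002.VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcw.rougedomain.com
4 10.0.0.5 TXT 00000003.b3ZlciB0aGUgbGF6eSBkb2cuIEFub3RoZXI.rougedomain.com
5 10.0.0.7 MX example.com
6 10.0.0.5 TXT 00000004.Y2h1bmsgb2YgdHVubmVsIGRhdGEgZ29lcw.rougedomain.com
7 10.0.0.9 A mail.example.com
8 10.0.0.5 TXT _dmarc.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PAYLOAD_TYPES = {"TXT", "MX", "NULL", "CNAME"}  # record types whose answers can carry free-form data

def registered_domain(qname):
    # Naive: the last two labels. Use the public suffix list in a real deployment.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log_text, min_queries=3, min_label_len=20):
    """Flag domains matching the post's pattern: unique names, incrementing numeric lead label, long data label."""
    per_domain = defaultdict(lambda: {"queries": 0, "names": set(), "seqs": [], "long": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, _client, qtype, qname = m.groups()
        if qtype.upper() not in PAYLOAD_TYPES:
            continue
        labels = qname.rstrip(".").split(".")
        prefix = labels[:-2]          # labels below the registered domain
        if not prefix:
            continue
        s = per_domain[registered_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname)         # cache-busting tunnels never repeat a name
        if prefix[0].isdigit():
            s["seqs"].append(int(prefix[0]))
        if max(len(l) for l in prefix) >= min_label_len:
            s["long"] += 1
    flagged = {}
    for dom, s in per_domain.items():
        seqs = sorted(s["seqs"])
        sequential = len(seqs) >= min_queries and seqs == list(range(seqs[0], seqs[0] + len(seqs)))
        if sequential and s["long"] == s["queries"] and len(s["names"]) == s["queries"]:
            flagged[dom] = {"queries": s["queries"], "first_seq": seqs[0], "last_seq": seqs[-1]}
    return flagged
```

Ordinary TXT traffic such as `_dmarc.example.com` is not flagged because it is neither sequence-numbered nor unique per query; a real deployment would also rate the volume of NXDOMAIN-free unique names per client over time.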

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

