Re: dns outbound

[chuck <fwwiz () yerkes com>]

Like tunneling ssh through the web proxy which opens up a big-ass
tunnel between your system and someone elses.

The answers out there seem to be 'protocol aware' proxies or filters.
Checkpoint claims that they look 'into' various protocols to make sure
it's http or dns.  Of course it *IS* http or dns, the issue is looking
into the stream more and figuring out that the payload is ICQ or
similiar.

Oh yeah, don't slow down the proxy while doing so.

Quoting Marcus J. Ranum (mjr () clark net):
> Ryan Russell wrote:
> > Another claimed that one of his uses was able to
> > surf the web without having to authenticate on the
> > way out, via the DNS rule.
>
> If you have access to an external system, someplace, you can
> use DNS packets to contain IP packets, or you can set up
> an application-level proxy that tunnels over DNS packets.
> Kind of a lot of work, but a technically knowledgeable person
> behind a firewall that he/she didn't like could do it easily
> enough. This is a basic problem with firewalls: so much
> stuff can be pushed back and forth through them that they're
> very easy to tunnel through. What scares me is the (obvious)
> implication of a "firewall-aware" tunnelling trojan horse/virus
> that opens outgoing connections via HTTP or other protocols
> that firewalls typically allow.
>
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr