Firewall Wizards mailing list archives
RE: IP over DNS.
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Thu, 14 Sep 2000 11:45:56 -0500
-----Original Message-----
From: Matt Cramer [mailto:mscramer () armstrong com]
Sent: Tuesday, September 12, 2000 3:51 PM

Set up DNS internally, point all your hosts at it. Allow only your internal DNS to get past your firewall. Problem solved.
Not quite. Here is a posting that originally went to a different list...

---8<---

Hmmm. I feel I have to jump in here (and probably get torched), but I think Eric is correct. We are missing the point. Specifically, the end point. This may not apply to the posted DNS tunnel, I don't know, I haven't analyzed it. But let's play something similar through in our minds...

VPNs and other tunnels usually terminate at a defined endpoint. The tunnel establishes a connection to a certain host. However, with a DNS tunnel, there is no specific endpoint. You can use any DNS server anywhere from any network on any continent. Data would be requested by a station. Its assigned DNS server would query... say an upstream DNS. Eventually a DNS server (perhaps 2 down the chain) will fetch the response from the rogue DNS server and pass it along to the requesting, caching DNS server and eventually the client. So the tunnel is not port 53 but the content of DNS requests and responses.

The only problem I see is the caching of data. This could be circumvented by using sequence numbers in the query, such as a lookup of a TXT record for host 00000001.Base64codedData.toBeTransferredHere.<rougedomain.com>. This could return a dynamically generated TXT record with encapsulated data. However, since it may be cached, the next lookup needs to occur against 00000002.data.here.rougedomain.com, and so on.

This type of tunnel would allow data to be passed without having to specify an end point for the tunnel. It will provide for a two-way tunnel (unlike just downloading a file, i.e. DeCSS source code). Of course the upstream data channel is probably pretty slow since the data field is limited to the hostname size in the DNS query, and maybe the whole thing will make for a nice DoS (overloading caching DNS servers) along the way. But the point is that data could be transmitted in a two-way tunnel fashion without being inspected.
I assume the only way to prevent this tunnel would be to configure DNS servers not to allow TXT record lookups. (Then someone will probably move to an MX record...) AFAIK, there is no DNS proxy that actually examines the contents of DNS queries and replies...

Any thoughts on this?

Frank