Firewall Wizards mailing list archives
DNS tunnel (was Re: Code Red: What security specialist don't mention in warnings)
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Mon, 13 Aug 2001 21:44:15 -0500
Scott, what you are saying is correct if you are thinking in terms of establishing DNS _connections_ to the outside. However, what Dan meant was that there are trojans that tunnel data in valid DNS queries. As long as your relaying DNS server has to resolve hosts from other DNS servers on the Internet, you can tunnel data.

This occurs by the client asking for TXT records, or as simply as asking for the host name 2344bf82883423.domain.tld (with data being encapsulated in the host portion of the query), and the (rogue) DNS replying with the return data in the TXT record, or simply by returning the host 98344bf82883423.domain.tld as a CNAME for 23478787323aaf9d.domain.tld. Both the request and the answer are valid DNS queries that any of your internal DNS servers would relay (since you need to resolve names somehow). For this setup to work, the attacker will have to have a pseudo DNS server running for a certain domain.

This type of tunnel has been discussed several times, and as far as I remember, only one poster responded that some firewall (Gauntlet?) was able to filter this, although I'm not sure about this. I haven't seen this exploit being prevented. What it takes is a smart DNS _proxy_, not _relay_. But then again, how will the proxy distinguish between fake and real hostnames... :/

Anyone else have any updates?

Regards,
Frank
-----Original Message-----
From: B. Scott Harroff [mailto:Scott.Harroff () att net]
Sent: Monday, August 13, 2001 9:16 AM

Regarding not being able to block malicious DNS, I disagree. Suppose:

For Internet DNS (client) resolution:
Configure your internal users to use a DNS server(s) in a DMZ setting.
Configure your DNS server(s) as forwarder/slave(s) to the IP address(s) of your ISP's DNS servers (or your favorite trusted Internet DNS server).
Permit only inbound DNS queries w/SYN set (and the stateful response) from your internal networks to your DMZ DNS server.
Permit only outbound queries w/SYN set (and the stateful response) from your DNS server to the trusted IP addresses of the outside DNS servers you selected.
Permit only the necessary ICMP requests/responses from these servers.

----- Original Message -----
From: "daN." <dan () evilhippo com>
To: "Joseph Steinberg" <Joseph () whale-com com>; "Bob Washburne"

Sigh... Even an application proxy cannot stop a cleverly designed trojan from tunneling out.. what if it uses valid DNS queries as the tunnel? You can block them and then relay them along, and then relay back an encoded DNS reply.. there is absolutely no way of stopping this, and you can do similar over any valid services, application proxies can only take things so far.. and there are many many many servers which crash upon receiving messages completely legal by the protocol.
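One defensive answer to Frank's "how will the proxy distinguish between fake and real hostnames" question, added here as an example that is not from the original thread: score resolver query logs for long hex-only or high-entropy leading labels (the encapsulated-data pattern Frank describes) and for TXT lookups, then count hits per registered domain so a single rogue zone stands out. The log format, the thresholds and the two-label "registered domain" rule are assumptions, and the sample lines are constructed.

```python
import math
import re
from collections import defaultdict

HEX_LABEL = re.compile(r"^[0-9a-f]+$")

# Constructed resolver log: "<client> <qtype> <qname>" per line (assumed format).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A 2344bf82883423.domain.tld
10.0.0.5 TXT 98344bf82883423.domain.tld
10.0.0.5 A 23478787323aaf9d.domain.tld
10.0.0.7 A mail.example.net
10.0.0.5 TXT 7f3a9c0d1e2b4a5f.domain.tld
10.0.0.5 A 0badc0ffee1234567.domain.tld
10.0.0.9 A cdn.static-assets.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def parse_line(line):
    client, qtype, qname = line.split()
    return client, qtype.upper(), qname.rstrip(".").lower()

def registered_domain(qname):
    # Naive "last two labels" rule; production code would use the public suffix list.
    return ".".join(qname.split(".")[-2:])

def suspicious_reasons(qtype, qname, min_len=12, min_entropy=3.0):
    """Return the heuristics a query trips (empty list means it looks benign)."""
    reasons = []
    first = qname.split(".")[0]  # the label where tunnelled data would be encoded
    if len(first) >= min_len and (HEX_LABEL.match(first) or shannon_entropy(first) >= min_entropy):
        reasons.append("encoded-looking label")
    if qtype == "TXT":  # TXT answers are the return channel Frank mentions
        reasons.append("TXT query")
    return reasons

def find_suspect_domains(log_text, min_hits=3):
    """Map registered domain -> number of suspicious queries, above a noise floor."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            _client, qtype, qname = parse_line(line)
            if suspicious_reasons(qtype, qname):
                hits[registered_domain(qname)] += 1
    return {d: n for d, n in hits.items() if n >= min_hits}
```

Legitimate TXT lookups (SPF, DKIM) and CDN hostnames will trip single heuristics, which is why the per-domain count, not any one query, is what an analyst should alert on.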