Firewall Wizards mailing list archives

DNS tunnel (was Re: Code Red: What security specialist don't mention in warnings)


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Mon, 13 Aug 2001 21:44:15 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott,

what you are saying is correct if you are thinking in terms of
establishing DNS _connections_ to the outside. However, what Dan
meant was that there are trojans that tunnel data in valid DNS
queries. As long as your relaying DNS server has to resolve hosts
from other DNS servers on the Internet, you can tunnel data.

This occurs by the client asking for TXT records or as simple as the
host name for 2344bf82883423.domain.tld (with data being encapsulated
in the host portion of the query), and the (rogue) DNS replying with
the return data in the TXT record, or simply by returning the host
98344bf82883423.domain.tld as a cname for
23478787323aaf9d.domain.tld. Both the request and the answer are
valid DNS queries that any of your internal DNS servers would relay
(since you need to resolve names somehow). For this setup to work,
the attacker will have to have a pseudo DNS server running for a
certain domain.

This type of tunnel has been discussed several times, and as far as I
remember, only one poster responded that some firewall (Gauntlet?)
were able to filter this, although I'm not sure about this. I
haven't seen this exploit being prevented. What it takes is a smart
DNS _proxy_, not _relay_. But then again, how will the proxy
distinguish between fake and real hostnames... :/

Anyone else have any updates?

Regards,
Frank


-----Original Message-----
From: B. Scott Harroff [mailto:Scott.Harroff () att net]
Sent: Monday, August 13, 2001 9:16 AM

Regarding not being able to block malicious DNS, I disagree.
Suppose:

For Internet DNS (client) resolution: Configure your internal users to use
a DNS server(s) in a DMZ setting. Configure your DNS server(s) as
forwarder/slave(s) to the IP address(s) of your ISP's DNS servers (or your
favorite trusted Internet DNS server). Permit only inbound DNS queries
w/SYN set (and the stateful response) from your internal networks to your
DMZ DNS server. Permit only outbound queries w/SYN set (and the stateful
response) from your DNS server to the trusted IP addresses of the outside
DNS servers you selected. Permit only the necessary ICMP requests/responses
from these servers.

----- Original Message -----
From: "daN." <dan () evilhippo com>
To: "Joseph Steinberg" <Joseph () whale-com com>; "Bob Washburne"

Sigh...Even an application proxy cannot stop a cleverly designed trojan
from tunneling out..what if it uses valid DNS queries as the tunnel? You
can, block them and the relay them along, and then relay back an encoded
DNS reply..there is absolutely no way of stopping this, and you can do
similar over any valid services, application proxies can only take things
so far..and there are many many many servers which crash upon receiving
messages completely legal by the protocol.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBO3iQf5ytSsEygtEFEQLU+gCg3S3g2R+qm7PPYRKWDMDe9kQINfQAn3WG
pQ3RSsQt7Lmzb6vcHUTG2oMy
=1NyJ
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
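Added example for this thread, not code from any of the posters: a defender-side heuristic that scans DNS query logs for the pattern Frank describes, a stream of never-repeating, hex-looking hostnames under a single zone, often TXT-heavy. It speaks to his closing question about how a proxy could tell fake from real hostnames: individual names are indistinguishable, but the population of names under one zone is not. The BIND-style log format, the thresholds, and the last-two-labels zone guess are assumptions made for the example; the sample log lines are constructed.

```python
"""Heuristic detector for the DNS-tunnel pattern discussed in the thread:
outbound data encoded in the hostname part of queries for an attacker's zone,
with return data in TXT answers or CNAME chains.

Added example for the firewall-wizards post; not code from any poster.
Log format (BIND-style query log) and thresholds are assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed sample lines, not from the original thread.
SAMPLE_LOG = """\
13-Aug-2001 21:40:01.001 client 10.0.0.5#3456: query: www.example.com IN A +
13-Aug-2001 21:40:02.002 client 10.0.0.5#3457: query: mail.example.com IN MX +
13-Aug-2001 21:40:03.003 client 10.0.0.9#4001: query: 2344bf82883423.domain.tld IN TXT +
13-Aug-2001 21:40:03.503 client 10.0.0.9#4002: query: 98344bf82883423.domain.tld IN TXT +
13-Aug-2001 21:40:04.003 client 10.0.0.9#4003: query: 23478787323aaf9d.domain.tld IN TXT +
13-Aug-2001 21:40:04.503 client 10.0.0.9#4004: query: 7a9c0e11f3b2d4c8e6f0a1b2.domain.tld IN TXT +
13-Aug-2001 21:40:05.003 client 10.0.0.9#4005: query: c4d5e6f7a8b9c0d1e2f3a4b5.domain.tld IN TXT +
13-Aug-2001 21:40:06.003 client 10.0.0.5#3458: query: ftp.example.com IN A +
"""

# Matches "... client 10.0.0.9#4001: query: host.domain.tld IN TXT +" (assumed format).
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
# A long all-hex leftmost label is the encoding the thread describes.
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{12,}$", re.IGNORECASE)


def registered_domain(qname):
    """Naive zone guess: the last two labels. Assumption for the example;
    a real deployment would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; catches
    non-hex encodings such as base32/base64 that the hex regex misses."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, min_distinct=3, hex_ratio=0.5, entropy_floor=3.5):
    """Group queries by zone and score each zone for the tunnelling pattern.
    Returns {zone: {queries, distinct_names, hex_ratio, txt_ratio,
    mean_entropy, clients, suspicious}}."""
    per_zone = defaultdict(lambda: {"names": set(), "hex": 0, "txt": 0,
                                    "entropy": 0.0, "total": 0, "clients": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        qname = m.group("qname").rstrip(".").lower()
        qtype = m.group("qtype").upper()
        z = per_zone[registered_domain(qname)]
        leftmost = qname.split(".")[0]
        z["total"] += 1
        z["names"].add(qname)
        z["clients"].add(m.group("src"))
        z["entropy"] += label_entropy(leftmost)
        if HEX_LABEL_RE.match(leftmost):
            z["hex"] += 1
        if qtype == "TXT":
            z["txt"] += 1
    report = {}
    for zone, z in per_zone.items():
        hr = z["hex"] / z["total"]
        mean_ent = z["entropy"] / z["total"]
        report[zone] = {
            "queries": z["total"],
            "distinct_names": len(z["names"]),
            "hex_ratio": round(hr, 2),
            "txt_ratio": round(z["txt"] / z["total"], 2),
            "mean_entropy": round(mean_ent, 2),
            "clients": sorted(z["clients"]),
            # Many never-repeated, encoded-looking names under one zone is the
            # signal. TXT volume is reported for the analyst but not required,
            # since the CNAME variant in the thread needs no TXT records.
            "suspicious": len(z["names"]) >= min_distinct
            and (hr >= hex_ratio or mean_ent >= entropy_floor),
        }
    return report


def suspicious_zones(log_text, **kw):
    """Zones whose query population looks like a tunnel, sorted by name."""
    return sorted(z for z, r in analyze(log_text, **kw).items() if r["suspicious"])


if __name__ == "__main__":
    for zone, r in analyze(SAMPLE_LOG).items():
        print(zone, r)
    print("flagged:", suspicious_zones(SAMPLE_LOG))
```

On the sample, example.com has three distinct names but none hex-looking and low entropy, so it passes; domain.tld has five distinct hex labels, all TXT, and is flagged. The thresholds here are tuned to the tiny sample; on a real resolver you would raise `min_distinct` into the hundreds per hour and whitelist zones such as CDN or anti-spam services that legitimately use long encoded labels.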

