August 10th, 2004, 14:55
This post is coming to you LIVE from a computer with no default gateway. Thanks to OpenSSH, Cygwin, and the cool utils from Dan Kaminsky over at (with a little help from a Permeo SOCKSification tool), I'm surfing the web, writing email, and sending IMs entirely over DNS UDP. This is one of the coolest "hacks" around since it doesn't violate the DNS standard one bit. I can't wait to get this out of the lab and in production... no more paying for wireless, EVER! :2gunsfiri

August 10th, 2004, 15:03
hmmm. perhaps a little more info???

August 10th, 2004, 15:06

That's the presentation that effugas has been giving at Black Hat, DefCon, etc concerning some pretty neat hacks for DNS. His utilities allow you to tunnel all of your traffic inside of UDP DNS packets. On a system that only allows DNS (for instance, the captive-portals that pay-for-wifi providers use), you can tunnel out to your own system and from there use ssh dynamic port forwarding to go anywhere.

I'm going to try and do a write-up on how to get all the aspects of this working later on, but since I've spent most of the workday on this instead of real projects, I had better wait. =)

August 10th, 2004, 18:07
Pretty much everything you'd need to know is here (not mine):

Scroll down and find the update. If you have any more questions, PM/email me and I'll try and answer them.

August 10th, 2004, 22:15
You could have just set-up a fake DNS server and done this.

August 11th, 2004, 00:51
You could have just set-up a fake DNS server and done this.
Dan addressed this very comment when it was posted to Slashdot:

OK, let me repeat.

Throwing arbitrary data in DNS -- NOT a big deal.

Even doing network tunneling over DNS -- ALSO not that big a deal; NSTX has been doing this for a while. (That being said -- SSH over DNS adds strong cryptography and major cross platform compatibility that didn't exist before.)

DNS radio is new. By segmenting audio into small chunks, we actually get universal caching of the streaming signal -- a functionality we've never really had before. Generally, audio broadcast over the Internet falls apart after a few thousand users. Based on this ring-buffer-into-BIND architecture, combined with the utterly minimal bandwidth load of Speex, we should be able to host audio for a much greater number of listeners.

The entire suite of incoming attacks to firewalls are also new. DNS trusts the hierarchy to tell it the next hop to its target name; since I can acquire second level domains in the hierarchy for minimal cost, it's trivial for me to insert arbitrary destinations along the DNS route path. In technical terms, whenever a recursing resolver comes to my name server to resolve a name, rather than providing an answer, I can redirect that request to another, supposedly authoritative server. That server can be at any address -- even one I cannot IP route to -- but if the resolver communicating with me can route to that address (say my communication will reach that host. If there's an SSH over DNS daemon running on, I've now achieved incoming connectivity to the network of my choice, completely bypassing firewalls and a trojan's need to poll.

Recursion on dual hosted interfaces is not even necessary. There are large numbers of applications that, upon receiving untrusted traffic, execute DNS name lookups. Most commonly, they are reverse PTR lookups, but occasionally there are other types (MX from mail servers, most notably) that can be easily induced. When they are induced, the hierarchy is followed. When the hierarchy is followed, the attacks previously discussed start working. In practice, this means an IDS triggers the DNS server to start proxying traffic between an external attacker host and an internal trojaned machine. Nasty.

There's some other stuff -- check out the slides and the code -- but long story short, there's some new stuff out :-)

There is a lot of information and potential here. It's more than it may appear at first.

August 16th, 2004, 20:37
You could have just set-up a fake DNS server and done this.

Bear in mind that this is vastly different technique than just masquerading a server behind port 53. What's key with Kaminsky's technique is that the data is actually being served via DNS protocol.

Captive portals (i.e. T-Noble@Starsucks) won't just forward any random data over port 53 -- they want you to pay and authenticate first; they will, however, perform real recursive DNS queries which, thanks to Ozyman, are what manage to deliver our SSH sessions back home...

August 17th, 2004, 02:35
just reading over this stuff....this is so fuggin cool!!!!

thats all I can say at 2 in the damn...I am going to have to try thsi out.....helooooo college firewall :p

August 17th, 2004, 09:25
The other thing to bear in mind regarding using this often is that DNS was never designed to do this, so the speed isn't that great. You're limited to UDP packets, and a TXT record (Base64-encoded) can carry 220 bytes; a CNAME record (Base32-encoded) can carry only 110. You're probably not going to be watching too many full-screen, live-motion videos over this.

But then again, for getting email, SSH admin, light web surfing, and some instant messaging (particularly where you're not supposed to) this is a pretty wicked little tool. Plus the chicks dig it*

*not really