

Wikipedia over DNS - xtacy
https://dgl.cx/wikipedia-dns

======
biot
I've often wondered if malware uses this as a communications channel with C&C
servers. DNS queries are often passed unrestricted through firewalls and it
would be simple to have one or more domains set up where the query is the
information you want to pass and a custom DNS server receives the data and
replies to either confirm the receipt of data or answer requests for
instruction.

For example, you could encode harvested data (eg: keystrokes) as a DNS query
for h28sdhnz890j1hadsl.sj12h89shbapqp8n15kl258.example.com. The TXT record you
get back would be the server's response signed with the C&C server's private
key. This is so that you can use multiple domains and rotate them in case one
gets seized and the signed response prevents spoofing.

Such a system would be quite passive and likely to fly under the radar on most
systems.

~~~
Hoff
So-called covert channels can involve DNS, ICMP, packet transmission timing,
even processor responsiveness (think of communicating Morse code using the
timings of a program that switches between a compute-loop and idle, as
observed from another program on the system), and any number of other
techniques.

Here's a very quick presentation on DNS channels and DNS tunnels from a few
years back:

<http://www.loria.fr/~lnussbau/files/tuns-sec09-slides.pdf>

A key question with controlling any of these sorts of channels is not
necessarily blocking them, but limiting the bandwidth of the channels.
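
An added example, not part of the original thread: a defender-side sketch that combines the two comments above by budgeting how many unique subdomain bytes one client may send to one zone per time window and flagging zones that exceed it with high-entropy labels. The log tuples, thresholds and the "zone is the last two labels" split are constructed assumptions; only the first long query name comes from the thread.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: (epoch_seconds, client_ip, qname).
SAMPLE_LOG = [
    (0, "10.0.0.5", "www.example.org"),
    (3, "10.0.0.5", "mail.example.org"),
    (5, "10.0.0.9", "h28sdhnz890j1hadsl.sj12h89shbapqp8n15kl258.example.com"),
    (9, "10.0.0.9", "k3j9x0qpz7m2v8bn41.a9d8f7g6h5j4k3l2z1x0c9v.example.com"),
    (14, "10.0.0.9", "zq81mxn20ckd93jf7a.p0o9i8u7y6t5r4e3w2q1a2s.example.com"),
    (70, "10.0.0.5", "cdn.example.org"),
]

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Naive split into (subdomain, zone); assumes the zone is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def flag_channels(log, window=60, max_bytes=64, min_entropy=3.5):
    """Return {(client, zone, window_start): (bytes, mean_entropy)} for over-budget zones."""
    buckets = defaultdict(set)
    for ts, client, qname in log:
        sub, zone = split_name(qname)
        if sub:
            buckets[(client, zone, ts - ts % window)].add(sub)
    flagged = {}
    for key, subs in buckets.items():
        # Unique subdomain bytes are an upper bound on data carried in the query names.
        total = sum(len(s) for s in subs)
        mean_h = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        if total > max_bytes and mean_h >= min_entropy:
            flagged[key] = (total, round(mean_h, 2))
    return flagged

if __name__ == "__main__":
    for (client, zone, start), (nbytes, h) in flag_channels(SAMPLE_LOG).items():
        print(f"{client} -> {zone} @ {start}s: {nbytes} label bytes, entropy {h}")
```

Counting only unique subdomains keeps repeated lookups of the same name from inflating the total, and the byte budget per window is the knob that caps the channel's bandwidth rather than trying to block it outright.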

~~~
david_shaw
> <http://www.loria.fr/~lnussbau/files/tuns-sec09-slides.pdf>

Interesting presentation, thanks for the link!

------
david_shaw
Sadly, although the talk was released in 2009, I still don't see his todo list
of "release the code" completed. I think I'm going to email the guy; it would
be interesting to look at his code.

~~~
dgl
This is the guy in question ;).

The code is pretty much a hack which I haven't got around to tidying up (but
mail me if you really want it).

It's really just glue anyway -- the interesting bits are done by:

* <http://search.cpan.org/perldoc?Parse::MediaWikiDump>

* <http://search.cpan.org/perldoc?Text::Summary::MediaWiki>

The script then saves the produced summaries in SQLite, then some code based
on Stanford::DNSserver
(<http://www.stanford.edu/~riepel/lbnamed/Stanford-DNSserver/>) does a lookup
in SQLite, follows #redirects and returns a TXT record.

These days I'd probably use PowerDNS's pipe backend to implement it rather
than a full DNS server in Perl (there are helper modules like ruby-pdns that
make writing a DNS server with specialised purposes incredibly easy).

------
dendory
The main issue with this is that DNS is already a fairly taxing protocol,
especially for large organizations that have big zone files to transfer.

~~~
dgl
While this might be true if you try to AXFR large zones, I think most people
who have large zones have solutions to this; it's just like scaling anything
else.

For example there's IXFR which is helpful when doing dynamic updates.

Alternatively don't use DNS for transfers -- there's nothing forcing its use,
except for talking to clients -- SQL replication works (e.g. with PowerDNS),
or the approach most spam blocklists take and rsync zones around for serving
by a special server (rbldnsd); DNS just becomes a common query protocol
because every client supports it.

------
beaumartinez
Reading the title, I imagined it'd be about a further abstraction to the DNS:
a service whereby you query an authority, eg: Wikipedia, a sequence of search
terms, eg: Hot Sauce Committee, and it gives you the most relevant URL, eg:
<http://www.beastieboys.com/>.

~~~
denysonique
Heh, that can easily be done, e.g. by modifying the Gist which I posted
earlier and connecting it to Google API ("I'm Feeling Lucky")

------
ojilles
How awesome would it be if Dropbox had "tunneling over DNS" built in?
Basically the usability of Dropbox with the ability to get to it at airports,
etc. would be awesome.

