
DNSFS – Store files in others' DNS resolver caches - benjojo12
https://blog.benjojo.co.uk/post/dns-filesystem-true-cloud-storage-dnsfs
======
tomcallahan
Awesome article! Interesting related work is in [1], where we used DNS TTLs as
a covert channel for passing data, without needing to control the domain(s)
being used. Through the development of that covert channel, we found a variety
of idiosyncrasies in the client-side DNS infrastructure and discussed
them in [2]. Some devices will report an erroneously high TTL, some will
unnecessarily shorten the TTL, some represent entire clusters of DNS resolvers
with interesting properties, and so on. Based on your work, it appears that
over the past five years, the number of open resolvers has dropped
dramatically, from ~30M to ~3M.

Your email response really is indicative of some of the folks that get cranky
when you send them packets :)

[1]: [http://research.tom.callahan.us/pubs/icsi-tr-12-002.pdf](http://research.tom.callahan.us/pubs/icsi-tr-12-002.pdf)

[2]: [http://research.tom.callahan.us/pubs/imc029-schompAemb.pdf](http://research.tom.callahan.us/pubs/imc029-schompAemb.pdf)

------
moduspwnens14
I wish I had a more insightful comment, but I'll just say this:

I love posts like this where someone applies a theoretical concept in a fun
and interesting (even if not practical) way.

------
aplorbust
Reminds me of this, one of my all-time favorites:

[http://lcamtuf.coredump.cx/juggling_with_packets.txt](http://lcamtuf.coredump.cx/juggling_with_packets.txt)

Guessing date as circa 2003. Could be wrong.

As for DNS, djbdns can store arbitrary bytes in RR (e.g., TXT), as octal. For
example, modified dnstxt can print formatted text stored in TXT records, with
linefeeds, etc.

~~~
woodrowbarlow
a couple other silly projects that attempt to store data without using disk
space (some cheating required):

πfs (a file system)
[https://github.com/philipl/pifs](https://github.com/philipl/pifs)

0byte (a programming language)
[https://github.com/MarkDunne/0byte](https://github.com/MarkDunne/0byte)

------
shredwheat
Super fun article. I also like to see a "real" implementation of crazy ideas
like this.

Can anyone confirm if the Microsoft DNS servers default to caching an
unlimited amount of data? The article claims "Unlimited??" as the default for
these systems. Eyeballing the pie chart looks like 20% of the servers are
running Microsoft, which could provide quite a lot of storage.

~~~
voidlogic
Even unlimited is bound by memory/storage with probably an LRU eviction
scheme. So unless your stored data is hot, or their storage is very large, it
might not stay around long.

~~~
AdamJacobMuller
need a background worker that periodically reads all data to keep things in
cache (like a raid or SSD background check).

------
Annatar
Ingenious!

An enhancement of this technique could be used on one’s own private network of
DNS resolvers for the specific purpose of acting like a highly available
directory of private cloud nodes, storing the following information:

    host:service:port:protocol

encoded in one DNS TXT record per service.

This would kind of be like a mashup of Apple Bonjour and this technique.

The big question is, how long to cache the information for in such a setup,
assuming the cloud itself is highly unreliable, so as to make the entire thing
extremely fault tolerant?

~~~
bennofs
Wouldn't simply caching DNS SRV[1] records do that?

1: [https://en.wikipedia.org/wiki/SRV_record](https://en.wikipedia.org/wiki/SRV_record)

~~~
Annatar
Maybe; I haven’t fully thought it all through yet.

------
ape4
Too bad he couldn't use FUSE. Would be nice to do `ls` and other commands with
this.

------
IncRnd
While an interesting use, abusing DNS in a similar way has been a long-known
(15 year) security vulnerability. For example, OzymanDNS. Even then, that was
just one of the first published exploits. People had been performing DNS
tunneling for some time.

There are detectors of DNS abuse that I imagine the people who actually would
store files in DNS would not want pointed at their files.

~~~
twic
Yes! Reading the description of DNSFS, I was sure Dan Kaminsky had done
something like this years ago, but couldn't track it down - Dan Kaminsky has
done a _lot_ of things with DNS.

~~~
IncRnd
Indeed! :)

------
jradd
Wish I had more to add than: "This is so neat!"

Seems like this would be a good way to circumvent web filters that block
remote file services (though allow DNS over tcp or udp).

How would one restrict this capability from an administrative perspective?

~~~
vthriller
People are already sneaking data through DNS in both directions. Here's a
quick example from a year ago that popped in my head first:
[http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_cod...](http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html)

~~~
jradd
This is very neat as well. Still trying to understand it.

I have tested various use cases for Iodine, which works great, unless you are
blocking all outbound dns traffic.
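
An added example, not part of any comment in this thread, for the detectors IncRnd mentions and jradd's question about the administrative side: it flags a client that asks for many distinct, long or high-entropy names under one parent domain, the pattern that name-encoded tunnels such as Iodine produce. The log format, the sample lines, the thresholds and the two-label "parent domain" shortcut are all assumptions made for the illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver query log, one "<client> <qtype> <qname>" per line.
LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 A api.example.com
10.0.0.5 AAAA www.example.com
10.0.0.6 A d3k9x0q7m2v8b1n5c4z6a7s8.cdn.example.org
10.0.0.6 A d3k9x0q7m2v8b1n5c4z6a7s8.cdn.example.org
10.0.0.7 TXT mfrggzdfmztwq2lknnwg23tpobyxe43u.0.dnsfs.example.net
10.0.0.7 TXT ovvxo6dzpjqwey3emvtgo2djnjvwy3lo.1.dnsfs.example.net
10.0.0.7 TXT n5yhc4ttor2xm53ypf5gcytdmrswmz3i.2.dnsfs.example.net
"""

MIN_UNIQUE = 3      # assumed threshold: distinct names per client and parent
MIN_MEAN_LEN = 24   # assumed threshold: mean characters left of the parent
MIN_ENTROPY = 3.5   # assumed threshold: mean bits per character

def shannon_entropy(s):
    """Bits per character of s."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_and_payload(qname):
    """Split into (last two labels, remaining labels joined without dots)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def suspicious_pairs(log_text):
    """Return {(client, parent): stats} for pairs that look like data carried in names."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = parts
        parent, payload = parent_and_payload(qname)
        if payload:
            seen[(client, parent)].add(payload)
    flagged = {}
    for key, payloads in seen.items():
        mean_len = sum(map(len, payloads)) / len(payloads)
        mean_ent = sum(map(shannon_entropy, payloads)) / len(payloads)
        if len(payloads) >= MIN_UNIQUE and (mean_len >= MIN_MEAN_LEN or mean_ent >= MIN_ENTROPY):
            flagged[key] = {"names": len(payloads), "mean_len": mean_len, "mean_entropy": round(mean_ent, 2)}
    return flagged
```

A production version would take the parent domain from the Public Suffix List and tune the thresholds against its own baseline traffic.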

------
mino
Fun article, kudos!

Just a tiny correction: RIPE Atlas' reliability tags (e.g., "-stable-Xd") have
nothing to do with the probe "changing the public IP address once a day".
Those filters simply measure the probe's uptime over different time windows.

In fact, the "-stable-1d" tag you mentioned would be true even for probes that
have been down "up to 2h" over the last day.

------
w8rbt
You can use the dig utility to see if a DNS server is recursive. Just do the
scan in two steps. One major port scan using masscan, netscan, etc., then a
smaller scan of the IPs with port 53 open to see if they are recursive or not.
You'll see this in dig's output if the server is not recursive:

    ;; WARNING: recursion requested but not available
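
The dig warning above corresponds to a reply whose header lacks the RA (recursion available) bit although the query set RD (recursion desired). The following added example, which is not part of the comment, reads that bit directly so an operator can audit their own resolvers; the function names, the `example.com` probe name and the sample replies are constructed for the illustration.

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # header flag bits (RFC 1035)
REFUSED = 5                            # RCODE 5

def build_query(name, txid=0x1234, qtype=1):
    """Encode a one-question query with RD set, as dig does by default."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def classify_response(packet, txid=0x1234):
    """Classify a reply from its 12-byte header alone."""
    if len(packet) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid or not (flags & QR):
        return "malformed"
    if (flags & 0x000F) == REFUSED:
        return "refused"
    if not (flags & RA):
        return "recursion-not-available"   # the case dig warns about
    return "recursive"

def probe(server_ip, name="example.com", timeout=2.0):
    """Send one UDP query to a resolver you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-answer"
    return classify_response(data)

def sample_reply(flags):
    """Constructed reply: the query bytes with the flags word replaced."""
    q = build_query("example.com")
    return q[:2] + struct.pack("!H", flags) + q[4:]
```

A resolver that answers `recursive` to a probe sent from outside its intended client networks is an open resolver and needs an access list.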

------
mellamoyo
I'm surprised at the marketshare dnsmasq has, I would've thought BIND and
dnsmasq numbers to be flipped.

~~~
krylon
dnsmasq is very popular with SOHO routers.

~~~
LeonM
And just about every mobile device (hotspot mode)

------
mrb
Ha! Combine this idea with my proof-of-concept CDN53 Chrome extension and it
would be serving websites directly from others' DNS resolvers =:)

------
dh-g
Great article. I've noticed a trend: anything which requires masscan is
probably going to be fun/interesting.

