

File transfer via DNS - mariusz79
http://www.aldeid.com/wiki/File-transfer-via-DNS

======
bluedino
You can tunnel all your traffic over DNS -
[http://code.kryo.se/iodine/](http://code.kryo.se/iodine/)

Useful for hotspots that allow DNS but nothing else

~~~
rahimnathwani
This is awesome, but I've found it usable only for very low bandwidth
applications (like a remote terminal session). Web pages and emails are large
these days :(

If you're interested in IP-over-DNS, you may also be interested in IP-over-Facebook:
[https://news.ycombinator.com/item?id=7256477](https://news.ycombinator.com/item?id=7256477)

------
ChuckMcM
This sort of abuse of protocols is pretty well used. A number of interesting
port knockers are written using ping (ICMP echo). One of the more interesting
to me was using the TTL value to pass hex nybbles. Implementation was to up the
TTL until your ping got through, then send your 'value' as TTL + value to your
destination. It was limited mostly because you don't get that many hops
generally. It is also negatively affected by path randomization, but if you're
willing to commit bits to forward error correction you can still get a message
through.

A lot of ping traffic, though, shows up like most of these ideas in any shop
with regular network monitoring.

------
ryan-c
I made this a while ago, which turns the insanity up to about 13.

[https://github.com/ryancdotorg/dnsstore](https://github.com/ryancdotorg/dnsstore)

------
zapman449
Since most clients are supposed to work through a specified resolver rather
than run their own, the easy block is to deny port 53 to non-approved resolver
hosts. Probably a good idea anyway in a secure environment, since it can
potentially avoid cache poisoning if DNSSEC is set up right.

~~~
icebraining
You can use the approved resolver. Just set up a DNS record delegating some
subdomain to the fake DNS server, and then any unsuspecting resolver will work
for you, sending the request upstream to the authoritative nameserver.

------
effdee
Good ol' ping can also be used to send data. Some implementations support the
-p flag, which allows sending 16 bytes of user-defined data.

------
jaytaylor
This is a prime example of a covert communication channel [0].

[0]
[http://en.wikipedia.org/wiki/Covert_channel](http://en.wikipedia.org/wiki/Covert_channel)

------
ef47d35620c1
Python code that does the same. Keeps the order of the file chunks too:
[http://16s.us/docs/dns.txt](http://16s.us/docs/dns.txt)

------
joaomsa
Requests aren't guaranteed to be received in the same order to reassemble the
files.

~~~
sadfnjksdf
For the described technique, no. However, it would be easy enough for one
request to have a different length hostname than the rest which contained a
checksum, and then try different combinations of the rest until it matched
the checksum, which it would only need to do if it were out of order. And if
that happened, you could increase the time between requests, to compensate.

~~~
jamiesonbecker
Or just add an incrementing prefix.

------
aashishkoirala
If you're sending a non-trivial amount of data this way, won't the large
number of consecutive fake DNS requests get noticed and draw attention?

~~~
emidln
Who says they have to be fake?

While a high number of requests for uncommon domains might trigger a lot of
suspicion, you can cart out smaller amounts of data over DNS in ways that are
really hard to detect. I've seen situations where data was being sent over DNS
requests where the attacker merely held the ability to view the outgoing DNS
traffic, but didn't really control (or want to risk modifying) the traffic.

~~~
alexvay
Can you elaborate on this: where have you seen it? Was it a POC or in-the-wild?
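
Added example, not code from any commenter in this thread: a resolver-side heuristic that a network operator could run over query logs to surface the pattern aashishkoirala asks about. It is the defender's complement to icebraining's point: forcing clients through an approved resolver does not stop a tunnel that delegates a subdomain to its own nameserver, but it does put every query name into one log, which is where this kind of analysis becomes possible. The log format (timestamp, client, qtype, qname) and all sample lines are constructed for the example, the last-two-labels notion of "registered domain" is a simplification (a real deployment would use the Public Suffix List), and the thresholds are illustrative starting points, not tuned values.

```python
"""Heuristic detection of DNS-tunnel-like query patterns in resolver logs."""
import math
from collections import defaultdict

# Constructed sample of simplified resolver query-log lines; the format is
# "<timestamp> <client-ip> <qtype> <qname>". Not a real capture, and not the
# log format of any particular resolver. The last six lines mimic a client
# pushing 16-byte chunks, hex-encoded, as TXT lookups under a delegated zone.
SAMPLE_LOG = """\
2014-03-01T10:00:00 10.0.0.5 A www.example.com
2014-03-01T10:00:01 10.0.0.5 A mail.example.com
2014-03-01T10:00:02 10.0.0.5 A www.example.com
2014-03-01T10:00:03 10.0.0.5 AAAA www.example.com
2014-03-01T10:00:04 10.0.0.5 A api.example.com
2014-03-01T10:00:05 10.0.0.7 TXT 4a7f0c9e2b1d3e5f6a8b9c0d1e2f3a4b.t.example.net
2014-03-01T10:00:05 10.0.0.7 TXT 5b8e1d0f3c2e4f6a7b9c0d1e2f3a4b5c.t.example.net
2014-03-01T10:00:06 10.0.0.7 TXT 6c9f2e1a4d3f5a7b8c0d1e2f3a4b5c6d.t.example.net
2014-03-01T10:00:06 10.0.0.7 TXT 7d0a3f2b5e4a6b8c9d1e2f3a4b5c6d7e.t.example.net
2014-03-01T10:00:07 10.0.0.7 TXT 8e1b4a3c6f5b7c9d0e2f3a4b5c6d7e8f.t.example.net
2014-03-01T10:00:07 10.0.0.7 TXT 9f2c5b4d7a6c8d0e1f3a4b5c6d7e8f9a.t.example.net
"""

# Query types that ordinary end-user clients rarely issue (illustrative choice).
PAYLOAD_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registered domain: the last two labels (simplification, see lead-in)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname: str) -> str:
    """Labels below the registered domain, e.g. 'abc.t' for 'abc.t.example.net'."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, client, qtype, qname)."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed line: {line!r}")
    ts, client, qtype, qname = parts
    return ts, client, qtype.upper(), qname.lower()


def summarize(log_text: str) -> dict:
    """Aggregate, per (client, registered domain), the features used for scoring."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        groups[(client, registered_domain(qname))].append((qtype, qname))

    stats = {}
    for key, records in groups.items():
        subs = [subdomain_part(q) for _, q in records]
        n = len(records)
        stats[key] = {
            "queries": n,
            "unique_ratio": len({q for _, q in records}) / n,
            "mean_sub_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "payload_qtype_ratio": sum(1 for t, _ in records if t in PAYLOAD_QTYPES) / n,
        }
    return stats


def score(st: dict) -> int:
    """Number of tunnel indicators a group exhibits (thresholds are illustrative)."""
    return sum([
        st["unique_ratio"] >= 0.9,        # nearly every query name is new
        st["mean_sub_len"] >= 24,         # long labels below the registered domain
        st["mean_entropy"] >= 3.0,        # encoded/compressed-looking labels
        st["payload_qtype_ratio"] >= 0.5,  # mostly TXT/NULL lookups
    ])


def find_suspicious(log_text: str, min_queries: int = 3, min_indicators: int = 2):
    """Return [(client, domain, stats)] for groups that trip the heuristic."""
    hits = []
    for (client, domain), st in summarize(log_text).items():
        if st["queries"] >= min_queries and score(st) >= min_indicators:
            hits.append((client, domain, st))
    return hits


if __name__ == "__main__":
    for client, domain, st in find_suspicious(SAMPLE_LOG):
        print(f"{client} -> {domain}: {st}")
```

Run as a script it prints the one flagged (client, domain) pair from the constructed log. Before trusting any of these thresholds on real traffic, baseline them: CDNs, DNS-based blocklist lookups, and similar services legitimately generate many unique, long, high-entropy labels under one domain, which is exactly the false-positive profile of this heuristic.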

------
callesgg
Plug for my own project: [https://github.com/callesg/dns-tunnler](https://github.com/callesg/dns-tunnler)

------
nemasu
Neat trick. But if you have to capture traffic on the server before sending
anything, doesn't it make it kinda useless?

~~~
bdunbar
Use case: Abe is able to shell into host A and host B. He wants to transfer a
file to B but he's being watched by [NSA, SMERSH, his boss].

Not airtight, but ... something like that?

~~~
pfg
I'd guess the use case would be someone trying to send files through a network
that's mostly locked down (think: corporate network using a transparent proxy
for HTTP, etc), but allows outgoing DNS traffic.

~~~
userbinator
Been there, done that. A lot of public WiFi hotspots will allow outgoing (and
incoming) DNS, by design.

It's unbearably slow (especially when you use SSL over it, which I'd consider
almost mandatory if you do this) for anything other than email and maybe
running a few shell commands, however. Applying additional
obfuscation/whitening to the data stream to make it harder to detect makes it
even slower.

------
nuII
What legit uses are there for this?

~~~
piqufoh
The same 'legit' uses as for any other form of communication.

