Hacker News new | past | comments | ask | show | jobs | submit login
Wikipedia over DNS (dgl.cx)
64 points by xtacy on April 9, 2011 | hide | past | favorite | 16 comments



I've often wondered if malware use this as a communications channel with C&C servers. DNS queries are often passed unrestricted through firewalls and it would be simple to have one or more domains setup where the query is the information you want to pass and a custom DNS server receives the data and replies to either confirm the receipt of data or answer requests for instruction.

For example, you could encode harvested data (eg: keystrokes) as a DNS query for h28sdhnz890j1hadsl.sj12h89shbapqp8n15kl258.example.com. The TXT record you get back would be the server's response signed with the C&C server's private key. This is so that you can use multiple domains and rotate them in case one gets seized and the signed response prevents spoofing.

Such a system would be quite passive and likely to fly under the radar on most systems.


So-called covert channels can involve DNS, ICMP, packet transmission timing, even processor responsiveness (think of communicating morse code using the timings of a program that switches between a compute-loop and idle, as observed from another program on the system), and any number of other techniques.

Here's a very quick presentation on DNS channels and DNS tunnels from a few years back:

http://www.loria.fr/~lnussbau/files/tuns-sec09-slides.pdf

A key question with controlling any of these sorts of channels is not necessarily blocking them, but limiting the bandwidth of the channels.


> http://www.loria.fr/~lnussbau/files/tuns-sec09-slides.pdf

Interesting presentation, thanks for the link!


Full IPv4 tunneled through DNS[1] and even ICMP[2] has been possible for ages, and I've personally used ICMP-TX on an airliner to avoid paying for Wi-Fi (not because I'm cheap, mind, but because their registration didn't work).

[1]: http://code.kryo.se/iodine/

[2]: http://thomer.com/icmptx/


For some reason those always crap out on me while OzymanDNS (the first major implementation in perl by dan kaminski) works pretty much every time, though it's quite different in operation.

To implement your own custom DNS server, use Net::DNS::Nameserver; # (and see ozymandns for implementation example)


Around last October when I was in need of internet access I played with dig and noticed that I can query any DNS servers with no restrictions. I thought that this was a great discovery, but as it turns out it seems that this has been discovered long time ago. Btw today I even wrote a tiny DNS server in Ruby which can be used for fetching short http pages. https://gist.github.com/912187

It doesn't support splitting, I just wrote it quickly as a proof of concept.

For real use there is the earlier mentioned by jedsmith Iodine.


Just like most great entrepreneurial ideas turn out to be already invented.


Stuff like this has been on security peoples radar for a long time, mostly for data exfiltration purposes. What you are suggesting is certainly not a new concept in any way shape or form.


Sadly, although the talk was released in 2009, I still don't see his todo list of "release the code" completed. I think I'm going to email the guy; it would be interesting to look at his code.


This is the guy in question ;).

The code is pretty much a hack which I haven't got around to tidying up (but mail me if you really want it).

It's really just glue anyway -- the interesting bits are done by:

* http://search.cpan.org/perldoc?Parse::MediaWikiDump

* http://search.cpan.org/perldoc?Text::Summary::MediaWiki

The script then saves the produced summaries in SQLite, then some code based on Stanford::DNSserver (http://www.stanford.edu/~riepel/lbnamed/Stanford-DNSserver/) does a lookup in SQLite, follows #redirects and returns a TXT record.

These days I'd probably use PowerDNS's pipe backend to implement it rather than a full DNS server in Perl (there's helper modules like ruby-pdns that make writing a DNS server with specialised purposes incredibly easy).


The main issue with this is that DNS is already a fairly taxing protocol, especially for large organizations that have big zone files to transfer.


While this might be true if you try to AXFR large zones I think most people who have large zones have solutions to this, it's just like scaling anything else.

For example there's IXFR which is helpful when doing dynamic updates.

Alternatively don't use DNS for transfers -- there's nothing forcing its use, except for talking to clients -- SQL replication works (e.g. with PowerDNS), or the approach most spam blocklists take and rsync zones around for serving by a special server (rbldnsd); DNS just becomes a common query protocol because every client supports it.


So, no chance of YouTube-over-DNS?


Reading the title, I imagined it'd be about a further abstraction to the DNS: a service where by you query an authority, eg: Wikipedia, a sequence of search terms, eg: Hot Sauce Committee, and it gives you the most relevant URL, eg: http://www.beastieboys.com/.


Heh, that can easily be done, e.g. by modifying the Gist which I posted earlier and connecting it to Google API ("I'm Feeling Lucky")


How awesome would it be if Dropbox had "tunneling over DNS" build in? Basically the usability of Dropbox with the ability to get to it at airports, etc. would be awesome.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: