on the concept of "tunneling", Avaya senior security consultant Dan Kaminsky showed a packed audience at the DefCon hacker's conference in Las Vegas how DNS's ubiquity permits some interesting tricks.
DNS is similar to HTTP in that firewalls generally ignore it, Kaminsky said. Protocols such as SOAP tunnel over HTTP for precisely this reason, which has given rise to a whole industry of HTTP-inspection firewalls and gateways.
"DNS is such a permeable protocol, it's let through by almost everybody," Kaminsky told ComputerWire. "It's been known for a long time you can use DNS to get out of networks... one of the things the research shows is how you can get back in."
Kaminsky did not demonstrate a way to compromise computers. Rather, he demonstrated how DNS queries can be used as a "covert control channel" into behind-the-firewall machines that have already had Trojan programs installed on them.
"there is malicious code already out there that uses DNS as a control channel," Kaminsky said. His DefCon presentation referred to rumors of botnets of compromised machines. Such botnets need a way for their "owner" to control them.
These computers would listen for instructions in DNS messages, which would be less noisy and noticeable than other means. Botnets often connect to Internet Relay Chat channels to receive instructions.
What Kaminsky demonstrated was a way to pass arbitrary data through firewalls, using the fact that firewalls generally don't block or check DNS traffic, and that many DNS servers on the internet are very trusting.
In this scenario, the hacker sends a DNS query for a domain he controls to a DNS server controlled by the target network. This server sends the request back out into the internet, where it finds the hacker's DNS server, which returns an address within the target network.
The target DNS server will pass the DNS query, with its control payload, to the Trojaned host on its own network. This technique requires the DNS server to be configured in a certain way, Kaminsky said, but there are other techniques that also work.
"I'm not suggesting that people start blocking DNS, but at least they could start monitoring it for strange stuff," he said.
In the same address here in Las Vegas on Saturday, Kaminsky, who also goes by the name "Effugas", received a big round of applause when he demonstrated live how to stream audio using DNS messages.
The hack involves a piece of custom-built server software that captures streaming audio in real time, then breaks it into chunks and encodes it, before storing it in the TXT (arbitrary text) field of a DNS record. There is enough space in this TXT field for about 880 milliseconds of 2Kbps audio, Kaminsky said. He demonstrated that this is sufficient to carry a comprehensible voice stream when using the Speex audio compression codec. A BIND DNS server can be configured to quickly rotate records, continually adding the next chunk of the audio. Some more custom software at the client side does rapid DNS lookups and reassembles the audio data from responses it receives.
Kaminsky said that he did not expect this technique to be useful, but it turns out to create efficiencies on the origin site's bandwidth, due to how DNS records are normally cached at name servers around the Internet.
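Kaminsky's advice is to monitor DNS rather than block it. As an added example that is not from the article or from Kaminsky's tools, the following Python scans constructed BIND-style query-log lines (the log format is assumed) and flags client/zone pairs whose traffic matches the pattern described above: a burst of TXT lookups with long, random-looking labels, which is what a client fetching data chunk by chunk through TXT records produces. The thresholds are assumptions to be tuned per environment.

```python
import math
import re
from collections import Counter, defaultdict

# Regex for the BIND-style query-log lines constructed below (format assumed).
LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")
# Constructed sample log: one host issuing a burst of TXT lookups on long,
# random-looking labels under one zone, next to ordinary A/AAAA/TXT traffic.
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: www.example.org IN A
client 10.0.0.5#53212: query: mail.example.org IN AAAA
client 10.0.0.5#53213: query: _dmarc.example.org IN TXT
client 10.0.0.7#41001: query: 7f3a9c1e4b8d2f6a0c5e.c2.example-tunnel.test IN TXT
client 10.0.0.7#41002: query: 1d8e6b2a9f4c3e7b5a0d.c2.example-tunnel.test IN TXT
client 10.0.0.7#41003: query: 9b4f2e7c1a6d8e3f5c2a.c2.example-tunnel.test IN TXT
client 10.0.0.7#41004: query: 3e8c5a1f7d2b9e4a6c0f.c2.example-tunnel.test IN TXT
"""

def entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname):
    """Naive zone key: the last two labels (no public-suffix list offline)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log, min_queries=4, txt_ratio=0.75, min_label_len=16, min_entropy=3.0):
    """Return sorted (client, zone) pairs whose queries look like a TXT data
    channel: mostly TXT lookups with long, high-entropy leftmost labels."""
    stats = defaultdict(lambda: {"n": 0, "txt": 0, "label_len": 0, "entropy": 0.0})
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query record
        first_label = m["qname"].split(".")[0]
        s = stats[(m["client"], registered_domain(m["qname"]))]
        s["n"] += 1
        s["txt"] += int(m["qtype"] == "TXT")
        s["label_len"] += len(first_label)
        s["entropy"] += entropy(first_label)
    # Average the per-query measures and apply the (assumed) thresholds.
    return sorted(
        (client, zone) for (client, zone), s in stats.items()
        if s["n"] >= min_queries and s["txt"] / s["n"] >= txt_ratio
        and s["label_len"] / s["n"] >= min_label_len
        and s["entropy"] / s["n"] >= min_entropy)
```

Ordinary TXT use such as the `_dmarc` lookup stays below the label-length and entropy thresholds, so only the chunk-fetching client is reported.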
Kaminsky has made a collection of his DNS tools available for download at his website, doxpara.com.