dns tunnels a threat?

nextime at nexlab.it
Fri Sep 7 11:44:36 UTC 2007


> For anyone interested, you can test the 'dnsparanoid' option now in SVN -
> right now, it just drops DNS with non-A, CNAME, SOA, or MX records (hmm,
> maybe also drop SOA and MX?).

SOA and MX should be dropped IMHO.
Maybe AAAA should be added for future improvements with IPv6.

Of course, this is a good starting point, but it isn't enough to block all
DNS tunnels; we also need a sort of rate limit on unauth DNS requests.

One question:

is "dnsparanoid" filtering applied only to unauth users?

> So, it currently doesn't rewrite any DNS... 

I don't think we need to rewrite anything, just permit something and
drop the rest.

> would, I think, be pretty easy to also truncate responses to a single A
> record. I mean, if anyone is tunneling over DNS with just a 4 byte payload,
> that is one shitty connection (not to mention having to overcome
> retransmissions since the tunnel probably expected multiple A records to
> deliver payload) :)

Maybe this is too restrictive; I think that rate limiting to
something like 4 A/CNAME requests, with maybe also not more than
100/minute or not more than 10 for the same second-level domain every
minute, should work.

Last but not least, as usual, thanks for your work David.


-- 

Franco (nextime) Lanza
Busto Arsizio - Italy
SIP://casa@casa.nexlab.it

NO TCPA: http://www.no1984.org
you can download my public key at:
http://danex.nexlab.it/nextime.asc || Key Servers
Key ID = D6132D50
Key fingerprint = 66ED 5211 9D59 DA53 1DF7  4189 DFED F580 D613 2D50
-----------------------------------
echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D212153574F444E49572045535520454D20454B414D204F54204847554F4E452059415020544F4E4E4143205345544147204C4C4942snlbxq | dc
-----------------------------------
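The filter discussed in this thread (a "dnsparanoid" record-type allowlist plus per-client and per-second-level-domain rate limits for unauthenticated clients) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not CoovaChilli code and does not reflect how the SVN `dnsparanoid` option is implemented. It assumes the thresholds proposed above (100 queries/minute per client, 10 per minute to the same second-level domain), includes AAAA in the allowed types, applies the filter only to unauthenticated clients (the open question in the post), counts only accepted queries toward the limits, and runs over a small constructed query log instead of live traffic.

```python
from collections import Counter, defaultdict, deque

# Record types permitted for unauthenticated clients: A and CNAME as in the
# thread, plus AAAA so IPv6-only hosts still resolve. Everything else (TXT,
# NULL, MX, SOA, ...) is dropped, removing the large-payload record types.
ALLOWED_QTYPES = {"A", "CNAME", "AAAA"}
WINDOW_SECONDS = 60.0
PER_CLIENT_LIMIT = 100   # accepted queries per client per window (assumed, from the thread)
PER_DOMAIN_LIMIT = 10    # accepted queries per client to one second-level domain per window


def second_level_domain(qname: str) -> str:
    """Naive SLD extraction: last two labels. Does not know public-suffix
    rules (co.uk etc.), which a production filter would need."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


class DnsParanoidFilter:
    """Decide allow/drop for each DNS query from a captive-portal client."""

    def __init__(self) -> None:
        self.client_hits = defaultdict(deque)            # client -> accepted query timestamps
        self.domain_hits = defaultdict(deque)            # (client, sld) -> accepted timestamps

    @staticmethod
    def _prune(hits: deque, now: float) -> None:
        # Drop timestamps that fell out of the sliding window.
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()

    def decide(self, ts: float, client: str, authed: bool, qtype: str, qname: str) -> str:
        if authed:
            return "allow"                               # filter only applies before login (assumed)
        if qtype.upper() not in ALLOWED_QTYPES:
            return "drop:qtype"
        per_client = self.client_hits[client]
        self._prune(per_client, ts)
        if len(per_client) >= PER_CLIENT_LIMIT:
            return "drop:client-rate"
        key = (client, second_level_domain(qname))
        per_domain = self.domain_hits[key]
        self._prune(per_domain, ts)
        if len(per_domain) >= PER_DOMAIN_LIMIT:
            return "drop:domain-rate"                    # tunnel signature: many names under one SLD
        per_client.append(ts)
        per_domain.append(ts)
        return "allow"


# Constructed sample log: (timestamp, client, authenticated, qtype, qname).
SAMPLE_QUERIES = [
    (0.0, "10.1.0.5", False, "A", "www.example.com."),
    (0.5, "10.1.0.5", False, "AAAA", "www.example.com."),
    (1.0, "10.1.0.5", False, "MX", "example.com."),        # dropped: MX not allowed
    (1.2, "10.1.0.5", False, "TXT", "example.com."),       # dropped: TXT not allowed
    (2.0, "10.1.0.9", True, "TXT", "anything.example.net."),  # authenticated: not filtered
]
# Tunnel-like burst: 15 A queries to 15 distinct hostnames under one SLD in 3 s.
SAMPLE_QUERIES += [
    (3.0 + i * 0.2, "10.1.0.7", False, "A", f"{i:04x}deadbeef.tun.example.") for i in range(15)
]


def run_sample() -> dict:
    """Run the constructed log through the filter and tally the decisions."""
    flt = DnsParanoidFilter()
    tally = Counter(flt.decide(*q) for q in SAMPLE_QUERIES)
    return dict(tally)


if __name__ == "__main__":
    for decision, count in sorted(run_sample().items()):
        print(f"{decision:18s} {count}")
```

The per-domain counter is the one that actually bites a tunnel: a client that is browsing normally touches many second-level domains a few times each, while a tunnel hammers a single domain with an ever-changing left-most label. Only accepted queries are counted, so a client that is already being dropped does not keep extending its own lockout; counting attempts instead would be the stricter choice.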
