dns tunnels a threat?

nextime at nexlab.it nextime at nexlab.it
Fri Sep 7 13:49:24 UTC 2007


> >It isn't so complicated; it seems more complicated to explain it than to
> >have it.
> 
> Hi Franco,
> 
> I like the way you fix this problem, but I'm not an experienced DNS 
> user, especially with two DNS servers on a single host.

You don't really need to have the two DNS servers on a single host.
In my current config, you simply need to point the clients' DNS
records to your chilli IP address, where the "udp relayer" daemon
listens on UDP 53.

The two DNS servers the packets are relayed to are two different, remote
servers, and you can put the DNS daemons either on different servers or on
the same one. In the second case, two DNS servers on a single host, you
simply need to make them listen on different ports.

So, for example, in my current config I have this:

192.168.182.2 ( client ) --- DNS REQUEST --> 192.168.182.1:53 (chilli/udprelay)
                                                                 |
                                                                 |
                                                           Is user authenticated?
                                                           |                   |
                                                           |                   |
                                                          YES                  NO
                                                           |                   |
                                                           |                   |_ Query goes to 172.18.254.1:65353,
                                                        query goes to             where a fake python daemon
                                                        172.18.254.1:53           acting as a limited DNS server
                                                        via VPN, where a          is running and some iptables
                                                        "real" bind               rules do rate limiting.
                                                        is running.


I have the two daemons on the same machine on different ports, but 
if you put the two daemons on different IPs it is the same.


The UDP relayer that I'm using is:

svn-> https://svn.nexlab.it/medianix/packages/main/udsrelay/trunk/
trac-> http://trac.medianix.org/browser/packages/main/udsrelay/trunk/

Debian package (for sid):
 deb http://packages.medianix.net/mercury main 

OpenWrt package (whiterussian):
 http://packages.medianix.net/medianixwrt/whiterussian/mercury/udsrelay_0.1.mercury-7_mipsel.ipk



-- 

Franco (nextime) Lanza
Busto Arsizio - Italy
SIP://casa@casa.nexlab.it

NO TCPA: http://www.no1984.org
you can download my public key at:
http://danex.nexlab.it/nextime.asc || Key Servers
Key ID = D6132D50
Key fingerprint = 66ED 5211 9D59 DA53 1DF7  4189 DFED F580 D613 2D50
-----------------------------------
echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D212153574F444E49572045535520454D20454B414D204F54204847554F4E452059415020544F4E4E4143205345544147204C4C4942snlbxq | dc
-----------------------------------
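Added example, not udsrelay's code and not from this thread: a minimal Python UDP relay in the shape the message describes, sending authenticated clients to the "real" DNS and unauthenticated clients to the limited one. The addresses match the diagram, the `authenticated` set stands in for chilli's session state, and the per-client token bucket is an assumed in-process stand-in for the iptables rate limiting the message mentions.

```python
import socket
import time

# Addresses taken from the diagram in the message (constructed example).
REAL_DNS = ("172.18.254.1", 53)        # "real" bind, reached over the VPN
LIMITED_DNS = ("172.18.254.1", 65353)  # restricted fake DNS for unauthenticated clients
LISTEN = ("192.168.182.1", 53)         # chilli side, where clients send DNS


class RateLimiter:
    """Per-client token bucket: `rate` queries/second, bursts of up to `burst`.
    Assumed stand-in for the iptables rate limiting described in the mail."""

    def __init__(self, rate=1.0, burst=5):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # client ip -> (tokens, last_timestamp)

    def allow(self, ip, now):
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[ip] = (tokens, now)
            return False
        self.buckets[ip] = (tokens - 1, now)
        return True


def choose_upstream(client_ip, authenticated, limiter, now):
    """Pick the upstream for one query, or None if it must be dropped."""
    if client_ip in authenticated:
        return REAL_DNS  # authenticated: full recursive DNS over the VPN
    if limiter.allow(client_ip, now):
        return LIMITED_DNS  # not authenticated: restricted DNS only
    return None  # over the unauthenticated quota: drop silently


def serve(authenticated, limiter):
    """Blocking relay loop: forward each query to the chosen upstream."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(LISTEN)
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.settimeout(2.0)
    while True:
        data, client = sock.recvfrom(4096)
        target = choose_upstream(client[0], authenticated, limiter, time.monotonic())
        if target is None:
            continue
        up.sendto(data, target)
        try:
            reply, _ = up.recvfrom(4096)
        except socket.timeout:
            continue
        sock.sendto(reply, client)
```

Dropping over-quota queries rather than answering them is what caps the bandwidth a tunnel could push through the unauthenticated path; the limited daemon still decides which names it will answer at all.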
