dns tunnels a threat?
sophana
sophana at zizi.ath.cx
Thu Sep 6 21:31:55 UTC 2007
nextime at nexlab.it a écrit :
>> Hello,
>>
>> How many people consider dns tunneling a real concern? Just curious...
>>
>
> For me is a real issue as the italian laws say that anyone setup a free
> or pay hot-spot need to register personal data ( document ) and to trace
> the logs of connection/disconnection time for any user.
>
>
>> Never heard of it? see http://dnstunnel.de/
>>
>>
>
> This is one "public", but ther's many software that permit to setup a
> "personal" and more advanced tunnel.
>
>
>> It could be a simple matter of dropping DNS packets with TXT records before
>> authentication. No?
>>
>
> No, in theory ( and even in reality ) it is possible to make a dns
> tunnel even on other query type, like NS, MX, A, CNAME and so on.
>
> Dropping TXT request block *some* of the dnstunnel software, but not
> all, and for the "cracker" prospective is only a way to make the tunnel
> more slow, but not blocked.
>
> I use a different approach:
>
> All dns request are permitted only to a my dns server over ( so, i have
> only one dns server centralized for many hot-spots ).
>
> I've written a little udp relayer that get all udp request on a specific
> port ( of course 53 ) on the "user" side, ad redirect all the packets to
> two different ip/port, one by default, and the other one if the source
> ip of the request is in a list ( in a simple file text list ).
>
>
> The daemon refresh the "alternative ip" list by a SIGUSR1 signal.
>
> Now, on the conup and condown script of coova-chilli, i put some lines
> of shell script that get the list of already authenticated users by
> perform a chilli_query <socket> dhcp-list | grep pass | awk awk -F ' ' '{print $2}' > /tmp/listfile
> and then send a SIGUSR1 signal to my daemon refreshing the "internal" list.
>
> By default i send all packets to a "fake" dns server that manage *only* A, CNAME and AAAA records,
> and where i use iptables to setup a very restrictive policy about how many packets
> can comein ( i permit only 2 packets/second, not more that 100 packets in 5 minutes ).
>
> When a client is authenticated, all the dns request are redirected to a "real and normal" bind server, no more
> restricted.
>
> In this way i block *any* dns tunnel.
>
>
This looks complicated.
Using a bad QoS for dns (no more than 10 requests/response in 5 second)
+ dropping TXT records seem sufficient.
I don'see why you need an intermediate dns.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.coova.org/pipermail/chilli/attachments/20070906/f7726d51/attachment.htm>
More information about the Chilli
mailing list