dns tunnels a threat?

David Bird mem.corruption at gmail.com
Fri Sep 7 11:05:44 UTC 2007


For anyone interested, you can test the 'dnsparanoid' option now in SVN -
right now, it just drops DNS with non-A, CNAME, SOA, or MX records (hmm,
maybe also drop SOA and MX?).

I like the idea of embedding more DNS features in chilli, but think it could
be kept simpler than that. If you want to get really fancy with DNS, then
forcing the user of your own is probably best. Otherwise, there are some
simple measures do-able in chilli without too much cost on performance or
size...

Right now, DNS is "inspected" in chilli when using either uamdomain or
dnsparanoid (two new features). uamdomain checks to see if an "allowed
domain" IP should be added to the walled garden. dnsparanoid will drop
packets as mentioned above. So, it currently doesn't rewrite any DNS... It
would, I think, be pretty easy to also truncate responses to a single A
record. I mean, if anyone is tunneling over DNS with just a 4 byte payload,
that is one shitty connection (not to mention having to overcome
retransmissions since the tunnel probably expected multiple A records to
deliver payload) :)

David
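A defender-side illustration of the dnsparanoid-style filtering discussed above, added here as an example (it is not CoovaChilli's own code): parse a DNS message from the wire and drop it when any record type falls outside A, CNAME, SOA or MX. The sample messages are constructed, and checking the question QTYPE alongside the RR types is an assumption of this example.

```python
"""Added example, not CoovaChilli's own code: a 'dnsparanoid'-style
filter that parses a DNS message (RFC 1035 wire format) and says whether
it should be dropped for carrying record types other than A, CNAME, SOA or
MX. Assumption: both the question QTYPE and every RR TYPE are checked."""
import struct

ALLOWED_TYPES = {1, 5, 6, 15}  # A, CNAME, SOA, MX (RFC 1035 type codes)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name at `off` (handles
    RFC 1035 label compression: a 2-byte pointer ends the name)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, always last
            return off + 2
        if length == 0:            # root label terminates the name
            return off + 1
        off += 1 + length


def message_types(msg: bytes) -> list:
    """Return the QTYPE of each question and the TYPE of each RR in `msg`."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):                # question: NAME, QTYPE, QCLASS
        off = skip_name(msg, off)
        types.append(struct.unpack("!H", msg[off:off + 2])[0])
        off += 4
    for _ in range(an + ns + ar):      # RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types


def should_drop(msg: bytes) -> bool:
    """True when any question or RR type falls outside ALLOWED_TYPES."""
    return any(t not in ALLOWED_TYPES for t in message_types(msg))


# Constructed sample responses for example.com (not captured traffic).
_HDR = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # 1 question, 1 answer
_NAME = b"\x07example\x03com\x00"
_PTR = b"\xc0\x0c"  # pointer back to the question name at offset 12
A_RESPONSE = (_HDR + _NAME + b"\x00\x01\x00\x01"
              + _PTR + b"\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")
TXT_RESPONSE = (_HDR + _NAME + b"\x00\x10\x00\x01"
                + _PTR + b"\x00\x10\x00\x01\x00\x00\x0e\x10\x00\x06\x05hello")
```

`should_drop(A_RESPONSE)` is False while `should_drop(TXT_RESPONSE)` is True; the same walk over the RRs is the natural place to implement the "keep only the first A record" truncation mentioned above.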