dns tunnels a threat?

Yannick Deltroo deltroo at gmail.com
Fri Sep 7 11:26:08 UTC 2007


> > 3 - coova IDNS resolves any other hostname to the uamhomepage IP (with
> > no-cache/ 1 second TTL).
>
> This won't work.
> TTL and cache are in the rfc of dns. But the majority of the browsers,
> especially for Internet Explorer but also for many others, and many
> resolvers don't implement a cache system based on TTL.
>
> They simply have an internal cache.
>
> For example in IE/Windows there's an internal resolver cache with
> 3600 seconds ( yes, 1 hour) of timeout by default. You can change
> the timeout *only* by changing some key with regedit.
>
You're right. I did some quick research, it seems like the default DNS
caching for IE is 30 minutes:
http://support.microsoft.com/default.aspx?scid=KB;en-us;263558

A coova internal DNS server would then have to parse DNS responses
from upstream servers to extract the IP... and maybe remove (modify?)
all (some?) DNS fields that may be used for the payload.

Removing TXT fields as David initially proposed should break existing
DNS tunnels.
As far as I know it's only used by spam filters (SPF) and should not be a problem.

Have you experienced unwanted side effects when filtering DNS
responses in your set-up?
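As an added example (not CoovaChilli code, and not written by anyone in this thread), here is the filter described above in Python: it parses the upstream wire-format response, drops TXT and NULL records, re-encodes the remaining records without compression pointers (so removing a record can never leave a dangling pointer), and can clamp TTLs. It goes slightly beyond the TXT-only proposal by using an allowlist of record types it knows how to re-encode (A, AAAA, NS, CNAME, PTR). The sample response, its example.com names and the tunnel-looking payload are constructed for the demonstration.

```python
"""Added example (not CoovaChilli code): filter DNS-tunnel carrier records
out of a wire-format DNS response before relaying it to the client."""
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_NULL = 1, 2, 5, 10
TYPE_PTR, TYPE_TXT, TYPE_AAAA = 12, 16, 28

NAME_RDATA = {TYPE_NS, TYPE_CNAME, TYPE_PTR}   # RDATA is one (compressible) name
PASS_TYPES = {TYPE_A, TYPE_AAAA} | NAME_RDATA  # everything else is dropped
DROP_TYPES = {TYPE_TXT, TYPE_NULL}             # the usual tunnel carriers


def read_name(msg, off):
    """Decode a possibly compressed name; return (labels, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                  # a pointer ends the name
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return labels, (end if end is not None else off)
        labels.append(msg[off:off + length])
        off += length

def write_name(labels):
    """Encode labels uncompressed, so shifted offsets can never dangle."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def reencode_rdata(msg, rtype, rd_off, rd_len):
    """Expand a compressed name inside RDATA; A/AAAA are copied verbatim."""
    if rtype in NAME_RDATA:
        labels, _ = read_name(msg, rd_off)
        return write_name(labels)
    return msg[rd_off:rd_off + rd_len]

def filter_response(msg, max_ttl=None):
    """Rewrite a response keeping only PASS_TYPES records.
    Returns (new_message, dropped) with dropped = [(owner, type), ...]."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    out, off = bytearray(msg[:12]), 12
    for _ in range(qd):                        # question: name + type/class
        labels, off = read_name(msg, off)
        out += write_name(labels) + msg[off:off + 4]
        off += 4
    counts, dropped = [], []
    for section_total in (an, ns, ar):
        kept = 0
        for _ in range(section_total):
            labels, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            rd_off, off = off + 10, off + 10 + rdlen
            if rtype in DROP_TYPES or rtype not in PASS_TYPES:
                dropped.append((b".".join(labels).decode(), rtype))
                continue
            if max_ttl is not None:            # clamp, e.g. for a captive portal
                ttl = min(ttl, max_ttl)
            rdata = reencode_rdata(msg, rtype, rd_off, rdlen)
            out += write_name(labels)
            out += struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
            kept += 1
        counts.append(kept)
    struct.pack_into("!HHH", out, 6, *counts)  # fix ANCOUNT/NSCOUNT/ARCOUNT
    return bytes(out), dropped

def summarize(msg):
    """Return (owner, type, ttl) for every RR, for inspecting results."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4
    rrs = []
    for _ in range(an + ns + ar):
        labels, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rrs.append((b".".join(labels).decode(), rtype, ttl))
        off += 10 + rdlen
    return rrs

def build_sample_response():
    """Constructed upstream reply: A + TXT (tunnel-style payload) + compressed NS."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 1, 0)
    question = write_name([b"example", b"com"]) + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xC0\x0C"                          # pointer to QNAME at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([93, 184, 216, 34])
    payload = b"aGVsbG8gdHVubmVs"              # constructed base64-looking chunk
    txt_rr = ptr + struct.pack("!HHIH", TYPE_TXT, 1, 1, len(payload) + 1)
    txt_rr += bytes([len(payload)]) + payload
    ns_rdata = b"\x02ns" + ptr                 # ns.example.com, compressed
    ns_rr = ptr + struct.pack("!HHIH", TYPE_NS, 1, 3600, len(ns_rdata)) + ns_rdata
    return hdr + question + a_rr + txt_rr + ns_rr
```

Running `filter_response(build_sample_response())` returns a 95-byte message with the A and NS records and reports the TXT record as dropped; `summarize()` on the input and output shows the difference. The allowlist is exactly the side-effect trade-off the question above asks about: anything not on it (MX, the SOA in negative answers, the EDNS OPT pseudo-record) is silently dropped, so a deployment would extend PASS_TYPES and reencode_rdata for each type it must let through. It also only removes the obvious carriers; a tunnel can still carry data upstream in the query names themselves and downstream in A or AAAA answers, so stripping record types raises the bar rather than closing the channel.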


