Awesome article! Interesting related work is in [1], where we used DNS TTLs as a covert channel for passing data, without needing to control the domain(s) being used. Through the development of that covert channel, we found a variety of idiosyncrasies such in the client-side DNS infrastructure and discussed them in [2]. Some devices will report an erroneously high TTL, some will unnecessarily shorten the TTL, some represent entire clusters of DNS resolvers with interesting properties, and so on. Based on your work, it appears that over the past five years, the number of open resolvers has dropped dramatically, from ~30M to ~3M.
Your email response really is indicative of some of the folks that get cranky when you send them packets :)
As for DNS, djbdns can store arbitrary bytes in RR (e.g., TXT), as octal. For example, modified dnstxt can print formatted text stored in TXT records, with linefeeds, etc.
Super fun article. I also like to see a "real" implementation of crazy ideas like this.
Can anyone confirm if the Microsoft DNS servers default to caching an unlimited amount of data? The article claims "Unlimited??" as the default for these systems. Eyeballing the pie chart looks like 20% of the servers are running Microsoft, which could provide quite a lot of storage.
Please don't. There's a perfectly lovely naturally emerged digital life form living in the spaces in between on the Internet, and this would threaten their habitat. Sure they haven't figured out we exist yet, and are certainly a long way from being able to communicate with us, but they seem kind to one another and I'd hate to see their evolution displaced.
Even unlimited is bound by memory/storage with probably an LRU eviction scheme. So unless your stored data is hot, or their storage is very large, it might not stay around long.
An enhancement of this technique could be used on one’s own private network of DNS resolvers for the specific purpose of acting like a highly available directory of private cloud nodes, storing the following information:
host:service:port:protocol
encoded in one DNS TXT record per service.
This would kind of be like a mashup of Apple Bonjour and this technique.
The big question is, how long to cache the information for in such a setup, assuming the cloud itself is highly unreliable, so as to make the entire thing extremely fault tolerant?
While an interesting use, abusing DNS in a similar way has beena long known (15 year) security vulnerability. For example, OzymanDNS. Even then, that was just one of the first published exploits. People had been performing DNS tunneling for some time.
There are detectors of DNS abuse that I imagine the people who actually would store files in DNS would not want pointed at their files.
Yes! Reading the description of DNSFS, i was sure Dan Kaminsky had done something like this years ago, but couldn't track it down - Dan Kaminsky has done a lot of things with DNS.
Just a tiny correction: RIPE Atlas' reliability tags (e.g., "-stable-Xd") have nothing to do with the probe "changing the public IP address once a day". Those filter simply measure the probe's uptime over different time windows.
In fact, the "-stable-1d" tag you mentioned would be true even for probes that have been down "up to 2h" over the last day.
You can use the dig utility to see if a DNS server is recursive. Just do the scan in two steps. One major port scan using masscan, netscan, etc., then a smaller scan of the IPs with port 53 open to see if they are recursive or not. You'll see this in dig's output if the server is not recursive:
[+] [-] tomcallahan|8 years ago|reply
Your email response really is indicative of some of the folks that get cranky when you send them packets :)
[1]: http://research.tom.callahan.us/pubs/icsi-tr-12-002.pdf
[2]: http://research.tom.callahan.us/pubs/imc029-schompAemb.pdf
[+] [-] moduspwnens14|8 years ago|reply
I love posts like this where someone applies a theoretical concept in a fun and interesting (even if not practical) way.
[+] [-] aplorbust|8 years ago|reply
http://lcamtuf.coredump.cx/juggling_with_packets.txt
Guessing date as circa 2003. Could be wrong.
As for DNS, djbdns can store arbitrary bytes in RR (e.g., TXT), as octal. For example, modified dnstxt can print formatted text stored in TXT records, with linefeeds, etc.
[+] [-] woodrowbarlow|8 years ago|reply
πfs (a file system) https://github.com/philipl/pifs
0byte (a programming language) https://github.com/MarkDunne/0byte
[+] [-] shredwheat|8 years ago|reply
Can anyone confirm if the Microsoft DNS servers default to caching an unlimited amount of data? The article claims "Unlimited??" as the default for these systems. Eyeballing the pie chart looks like 20% of the servers are running Microsoft, which could provide quite a lot of storage.
[+] [-] otakucode|8 years ago|reply
[+] [-] voidlogic|8 years ago|reply
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] Annatar|8 years ago|reply
An enhancement of this technique could be used on one’s own private network of DNS resolvers for the specific purpose of acting like a highly available directory of private cloud nodes, storing the following information:
encoded in one DNS TXT record per service.This would kind of be like a mashup of Apple Bonjour and this technique.
The big question is, how long to cache the information for in such a setup, assuming the cloud itself is highly unreliable, so as to make the entire thing extremely fault tolerant?
[+] [-] bennofs|8 years ago|reply
1: https://en.wikipedia.org/wiki/SRV_record
[+] [-] ape4|8 years ago|reply
[+] [-] IncRnd|8 years ago|reply
There are detectors of DNS abuse that I imagine the people who actually would store files in DNS would not want pointed at their files.
[+] [-] twic|8 years ago|reply
[+] [-] jradd|8 years ago|reply
Seem's like this would be a good way to circumvent web filters that block remote file services (though allow DNS over tcp or udp).
How would one restrict this capability from an administrative perspective?
[+] [-] vthriller|8 years ago|reply
[+] [-] cmonfeat|8 years ago|reply
Reason being, if users on my network are using a resolvers other than my own, they can resolve all sorts of domains I would have otherwise blackholed.
[+] [-] mino|8 years ago|reply
Just a tiny correction: RIPE Atlas' reliability tags (e.g., "-stable-Xd") have nothing to do with the probe "changing the public IP address once a day". Those filter simply measure the probe's uptime over different time windows.
In fact, the "-stable-1d" tag you mentioned would be true even for probes that have been down "up to 2h" over the last day.
[+] [-] w8rbt|8 years ago|reply
[+] [-] mellamoyo|8 years ago|reply
[+] [-] ape4|8 years ago|reply
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] krylon|8 years ago|reply
[+] [-] unknown|8 years ago|reply
[deleted]
[+] [-] mrb|8 years ago|reply
[+] [-] dh-g|8 years ago|reply
[+] [-] unknown|8 years ago|reply
[deleted]