Slashdot Mirror
IP Tunneling Through Nameservers
But did you know that you can build up a fullfeatured and even bidirectional IP tunnel through Nameservers? Yes, that's right: "IP-over-DNS".
Using some toll free numbers which normally only allow outgoing packets to some few chosen servers, you can now surf the internet - completely and doing everything you could do with your normal, fullfeatured internet account. Microsoft has some of those restricted, toll free numbers.
The reason is: Most of these Microsoft PPP dialins allow you to use a Nameserver. And DNS lookups are just another kind of communication between a server and a client - the client asking for information to the nameserver known to him, the server which has been asked forwards the information to another nameserver or directly to the nameserver responsible for the asked information, and the now contacted server answering through the same path back.
That still sounds very useless for tunneling, but think about encapsulating the IP packets into nameserver requests, and the answer contains the traffic of the other direction. The request would look something like a hostname lookup to "KJhjh33.dd_2sT-XXT.dAAoi_f.mydnstunnel.org" (you see, the traffic is being encoded to represent legal hostnames), the answer contains the payload in a TXT record. That way you can build a fully functional IP tunnel.
You just need a client and a fake nameserver - making up the two communication endpoints.
It was tricky - the DNS protocol seems a little bit chaotic and it only allows packets of 512 bytes - so you have to fragment. And it uses UDP and not TCP - so you have to implement some mechanisms to ensure that the fragments are reassembled correctly (you see, you basically need a protocol which reimplements some features of IP and TCP). Additionally, the client can "contact" the fake nameserver everytime it wants to send traffic out - but the server is only able to answer, never to send on it's own. So you need some polling, if you want it really bidirectional.
We called the protocol used to achieve all this the "NSTX Protocol", meaning "Nameserver Transfer Protocol". The uglyness of the DNS protocol (just look at the headers: no alignment and no padding!) and the fact that we tried to use it in a way it really never was designed for (after all, remember that DNS is more like a phonebook than a communication facility) didn't make the design and implementation of NSTX easier at all.
But finally, we've done it. And with a toll-free Microsoft PPP dialin number in Germany (which of course only allows the download of some patches etc.) it worked - surprisingly stable and not even slow.
Think about it - many companies have "closed" networks which also don't allow outbound connections, but they have a nameserver in the same network that can resolve any hostname out there. That way you could also use the tunnel to establish a bidirectional communication path between the secured network and the outside world, where it wouldn't have been possible.
For everyone who likes to play around with this new kind of tunnel that probably only few persons have ever thought of, just take a look at http://nstx.dereference.de where you can find the full source code. It implements a client and a fake nameserver for both tunnel endpoints of an "IP-over-DNS"-tunnel. Both use the Linux Ethertap device for giving you a tunnel network interface. The server is a fake nameserver fully compliant to the DNS specifications and the client issues the requests, also using intelligent timing mechanisms for polling queued traffic from the server.
Maybe security managers in companies should look if they have nameservers in places where they better shouldn't have.
And maybe you also like the idea of using the internet using a toll free Microsoft dialin number, completely at no charge."
The Email Bounce File System (EBFS)
It works like this: You break data up into 100k packets and send them to integrity@microsoft.com. You then have a program waiting for the bounces which picks them up when they come back (the bounced packets) and sends immediately sends them on again. Sure - the latency isn't wonderful, but it's infinitete bandwidth! And it even supports Raid-5.
Nice idea... but Microsoft doesn't bounce mail; if the email address doesn't exist, it just gets swallowed.
Simon
Coming soon - pyrogyra
Ummm you already can run napster over this. Just connect your windoze box (or vmware) to your linux box and have linux do some NAT routing over the virtual device.
Anyway why dont u just run napster on the machine that you were going to run your fake nameserver on and be done with it?
That one didn't work for me exactly. It needed a little something in the while loop. After I added '' it worked great... here's my rendition:
:)
dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(){print pack("H32",$_)}' | gzip -d
Neat way of distributing, I must say.
A slashdot semi-hidden-sid tunnel! It could easily be anonymous, and it could be encrypted too -- pretty neat, huh? The only problem is that you could only send one message every 70 seconds. But if you had a class C if IP addresses available you might be able to post faster.
--
The shareholder is always right.
Well, it could be useful while travelling if you have a high-bandwidth computer at home. And anyway, who wouldn't give up 97% of their bandwidth just to use up Microsoft's resources?
--
The shareholder is always right.
You may have missed the Pigeon Tunnel as shown in RFC 2549.
Link Here.
See that "Preview" button?
"Knight Rider" LED mode on a DEC terminal keyboard - prolonged execution tended to lockup the workstation
IP over ICMP tunnel - done as a joke. You think IP over DNS is wicked...
TCP connection flash start hack - instantly steal the connection from any other machine on the same network.
NFS mass mounter - I actually locked up an AFS server with that one. (It's their own fault for using the AFS to NFS translator. Even Transarc runs when those words are spoken.)
SCSI-IP - Yes, that's actually doable.
dir-crusher - *grin* interesting utility to make huge directories. Eat someone's entire disk quota with a single empty directory. (That one almost killed an AFS server too.)
And my personal fav...
"NO CARRIER" ping - *evil grin* properly phrased ICMP echo packet with "+++ATH0" in it so the echo reply would hang up the user's modem. That doesn't work anymore -- modem speeds are too fast and most modems have a guard time. :-) And yes, those work at any speed and can lockup both user and ISP modems.)
(It's too bad I didn't know the SDL flash start codes for USR modems then
That's not a "tunnel" per se. It's a protocol: Clay Tablet by Carrier Pigeon. Too bad they are an endangered species -- too many lost tablets I guess. *grin*
If you've never wasted time on a technical project solely because you wanted to see if you could do it, then you probably aren't that good of a geek anyway. I think most geeks have done some ludicrously unproductive things solely as mental exercises or even just as jokes. Who cares? If you want them to be productive then start a company and hire them. Until then, no, you're not their manager.
----------------------------
... with the same law they used to get Morris (author of the internet worm) and the virus writers. (Sorry, I don't recall the name of it at the moment.)
Unauthorized use of somebody else's computer resources, at least in the United States, is a federal felony. It has nasty penalties.
DNS servers are provided to perform DNS lookups. Using them as an IP tunnel is obviously far beyond their authorized use. It should be trivial to convince a jury that the conditions of the law are met.
And the law was in place and tested in court long before the DCMA was a gleam in the software industry's eye.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"Because we can" exercises are often valuable. Science is largely dependent on them. You never know what will turn out to be useful.
This could represent a serious security hole, given a little thought. It's worth knowing about simply for that.
I don't think that is nearly as true as it used to be. From what I can tell, not many people look to SlashDot any more for useful technical information (I know I don't). If there were more articles like this, the slide might be halted.
The original poster is probably talking about firewall administrators who have noticed more DNS traffic through their firewalls than normal - hence someone may be using this technique.
This does illustrate the need for trend-based traffic monitoring (a la Concord) and even security-driven bandwidth restrictions - e.g. only allow your DNS traffic to increase by 50% in one day, or some such heuristic. These wouldn't necessarily stop such a covert tunnel but they would make it easier to find one, and slower to use one, giving the security admins more time to trace what is happening.
That may explaine some recent things I have heard of. I know of at least 3 networks who have seen higher than normal loads on their DNS servers.
It may not be up to playing quake but for playing a MUD, or getting e-mail it would be great.
Sounds exactly like the IP equivalent of declining a collect call from "Itsaboy Eightpounds".
What the f[s]ck is pornographic about foreign language translations?!!??!
I believe the reasoning is that you could use the "Translate Web Page" option on BabelFish to translate a porno site's page. Then, since the URL of the page you load comes from babelfish.altavista.com and not blockedpornsite.com, it gets past the filter proxy. What you get back is a page with a bunch of porno pics and some translated text, without setting off the filter proxy.
So, I'm sure that's the suits' reasoning behind it. Of course, it's completely stupid, since there is a huge legitimate use for BabelFish (actually translating pages or text!). I don't agree with this decision at all, but I'm 99% sure it's why they chose to do so.
BTW, good luck trying to convince them to remove CyberPatrol or, even better, get CyberPatrol to deblacklist BabelFish. But just think of all the warm fuzzies you'll have knowing that your inability to translate foreign languages is Protecting The Children (TM).
--
--
The real Captain Derivative has a Slashdot ID.
It's ok to get around a little security in order to get more work done
One great example of this is in a paranoid school or company that firewalls outgoing traffic. They allow telnet, but not SSH. My home machine only accepts SSH. (for obvious reasons) A little tunneling, and presto, I can secure shell to my home computer.
Especially nifty is using http tunnel to establish a secure shell then using the secure shell to tunnel other protocols with encryption
-- 2 + 2 = 5, for very large values of 2
Couldn't you hack out a pseudo-driver to pull tcp emulation over the udp connection , i.e. encapsulating the pseudo-driver's tcp request and shooting it through the program sending the udp datagrams and providing some error control. Then just make sure that both sides have regular querying so it goes both way's? That way almost all programs out there could use it, albiet slow and you may have to play around with some timeout values but it should work. Maybe call it the fums0 pseudo device?
Oh. Thanks, hadn't thought of it like that.
Still doesn't make it right -- we need to translate. We have several Russians at our main site, and we also have locations around the world.
The point of having Internet access shouldn't be what not to use. I don't use my work phone to call 900 numbers; I don't need to be told not to.
If an employee is wasting company time looking at porn, blocking his access isn't going to improve his performance. You have an individual problem -- a problem that his manager should have the balls and training to deal with.
When management gets weak, they start putting the thumbscrews to the employees.
"Praise in public, punish in private." Words to live by. Also "Don't punish the group." Break either of those rules and you're not a good manager.
OK, I'm done bitching but typing the above has given my brain time to react. So here's my idea: Babelfish should have a "http://babelfish.altavista.com/cyberpatrol" area (and ".../netnanny", etc.), which has that software's settings in it. Then companies could open their firewall to that subtree of BabelFish, so their employees could translate without masturbating.
Even better, they could create "http://babelfish.altavista.com/microsoft", for example, to have a portal with Microsoft Human Resources-blessed NetNanny/CyberPatrol settings. And only that subtree would be accessible to Microsoft employees through the Microsoft firewall.
You have to turn political to get anything done.
--
I feel fantastic, and I'm still alive.
No. He's 'tunnelling' IP through DNS.
As the IP tunnel contains both tcp, udp, and whatever else they want, then there is no reason to add your own sequencing; you are using TCP within the tunnel; and tcp will deal with any packet loss occurring at a lower layer (DNS/UDP) within the tunnel.
What you end up with is ip(udp(dns(IP(TCP)))).
lower-case indicates public protocols. upper case indicates tunnel contents.
So dns is effectively acting as layer 2 as far as the encapsulated IP is concerned. So packet loss at DNS is not relevant, it would be seen as no different than packet loss due to ethernet or any other lower layer protocol.
So use another translator site, like translator.go.com instead!
--
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
you just happen to know a telephone number that lets anybody in the world log in and use their DNS. Uhm. Yeah
That's nothing. There is a certain modem manufacturer (I will not name) that used to allow total Internet access through their test line, no fancy DNS hack required. Of course they didn't advertise that fact. I was connected to it and tried typing in a regular URL into the browser, and whaddya know--it worked. The test line remained active for at least several months, and may still be active for all I know. It was never terribly difficult to connect to it, so it was presumeably not abused. I offer that as living proof that security through obscurity is at least marginally effective.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Hey, I completely agree; the same arguments apply in the home, too. (manager->parent; employee->child)
;)
...and when it comes to analyzing, identifying and parsing images, well, a 5-year-old does a better job of that, still.
There are a couple of other solutions, too. If you actually filter incoming *content*, then you can block what actually gets to the user; this could be done by having a proxy/firewall for the business, and only allowing web access to that. (unless you implement, say, a DNS/HTTP tunnel, or something equally ludicrous.
The problem with that is, content filtering doesn't work very well. Often, people can't correctly identify or distinguish offensive material from art or literature, or have differing opinions, ("Huckleberry Finn", for example; I say it is literature, and relatively accurate period historical fiction; other people obviously don't know enough about the period...) so you really can't expect a computerized regexp parser to be even *that* good.
Therefore, we've already shown that filtering by URL often doesn't work, and accurate content filtering is pretty much impossible with today's technology, so it's gonna be unfair, and it's not the answer.
However, I believe you can buy software like babelfish from SYSTRAN, so suggest that to your boss instead. Heck, it'd probably be quicker to do it locally, and more full-featured as well.
---
pb Reply or e-mail; don't vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
Actually, adding your own sequencing should not be necessary, as mentioned here. You do not need to guarantee delivery; tcp will take care of that.
All you need is a somewhat reliable packet delivery system.
Well, if someone sets up a DNS server somewhere with a static IP and runs this NSTX protocol on it, and gives out its IP, then anyone an access the internet through PPP dialups anywhere. No one said the server running the tunnelling protocol has to be YOUR server.
Spyky
- Is there any useful, mainstream purpose to this or reason for taking the time to develop it? Or was it solely a "because we/I
can" exercise?
- Is this really primary Slashdot story material? Like much of what is hacked out there, it strikes me as a minor (albiet clever),
nearly useless end product with an extremely limited audience that might use it.
- Are there not a plethora of interesting, meaningful software projects out there that could use the talents of folks like this?
Is it just a matter of hooking the two parties together somehow (clearly an entire Slashdot topic in and of itself, I realize)?
- Will the developers' next accomplishment (making Slashot headlines?) include something similarly as earthshaking, novel,
and absurd as "Enlightenment on a Palm III!"
Slashdot clearly has a reader base of engineers, programmers, et. al., that is arguably part of the very top few percent of developers and professionals out there in terms of technical knowledge, talents, and abilities. But dammit, folks, sometimes you ought to ask yourselves "Should I spend my energies and time on this?" before too quickly (and I realize we're all guilty of this at times) diving into the Sea Of Details known as how.Andy
"For everyone who likes to play around with this new kind of tunnel that probably only few persons have ever thought of"
Please read any firewall-piercing-FAQ. I've personally seen a secure shell implemented over DNS queries in 1996 and it wasn't anything even then.
I joined two users too late.
Far from it, hun. Babelfish only translates the text. It does not translate the IMG tags other than to modify the source, so that the source still comes from the original site. Try to translate a porn site and "view image" on any of the graphics. Look at the URL for the graphic.
So while your pornographic novel might be translated to French for you, the actual image is blocked by your local Net Nanny.
I think the REAL reason Babelfish is blocked, is because it allows you to read all the foreign "dangerous opinions" that you're not supposed to know about. I mean... what would Americans do if they found out that Europeans have more vacation time than they do?
Who Wants To Date A Norwegian?
Take a look at this page. You'll see what has to be done to get a secure and free internet connection. Now imagine adding this DNS hack to the arsenel. Until the shortminded people monitoring you catch on, you don't have to worry about losing the open port you've been using and can spend more time covering your tracks and communicating your ideas to the free world (or downloading hot Arabian pr0n).
So it does have a use. And it is a nift hack.
Bleh!
Forget about free dial-up access, this has other wonderful uses, such as bypassing corporate firewalls.
If you're on an internal network, no matter how protected it may be by firewalls, routers, etc., as long as you can make DNS queries to public systems, you can tunnel out. Combine this with ssh and you've got yet another way for internal data to untraceable escape your network.
I can imagine lots of network managers getting a headache after reading this and rushing to review their firewall rules.
The next step would be to see how this might work through an intermediary DNS server in cases where you can only access an internal name server which is the only system allowed to query external nameservers. Might need a ttl of 0 though, don't know if that would be respected.
Where do you work? Just curious...
Even better, they could create "http://babelfish.altavista.com/microsoft", for example, to have a portal with Microsoft Human Resources-blessed NetNanny/CyberPatrol settings. And only that subtree would be accessible to Microsoft employees through the Microsoft firewall.
Microsoft's an odd choice for that example. They're actually one of the more enlightened employers out there.
Microsoft only screws its customers, it treats employees quite well.
Pity the 3 main campuses are in the middle of nowhere.
--Shoeboy
mmm free internet access from microsoft... guess we don't need MSN anymore :)
i wonder when people will start distributing this hack by mass-mailing CDs to every home in the country.
Link one: http://www.kanga.nu/arch ives/MUD-Dev-L/1998Q4/msg00164.php
Link two: http://www.samurai.com/list s/bryans-list-1998/0398.html
I haven't tried it because I'm stuck on a windows box without a decent nslookup but it looks simple enough.
I don't think so. You can send the request to the PPP provider's DNS servers. It doesn't have a cached address for KJhjh33.dd_2sT-XXT.dAAoi_f.mydnstunnel.org, so it asks a root server who can resolve addresses for mydnstunnel.org. Then it passes the query on to that server (yours) and passes the response back to the client (you).
The fix is to strip out TXT fields in forwarded DNS replies, but that would probably break some other RFC.
--
--
E_NOSIG
There was this little item in Bugtraq that I stumbled across while trying to hit thier site (doing a Google search for "DNS tunnel")- seems someone previously did a demo of this exploit with the intents of putting in Phrack, deciding to put it up in Bugtraq instead.
Look here for the info in question.
Letsee now...
HTTP Tunnel.
Mail Tunnel.
Now, DNS Tunnel.
Wonder what wonders they'll come up with next.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
This isn't about the "freeness" of it ... it is an excellent illustration that "information is information", and that any one type of information can be disguised as another type of information.
http://hostname.tld:79/\ userid
Note the space preceeding the userid.
Totally wrong protocol to send to finger yet it worked. The HTTP protocol sends a "GET / userid HTTP/1.0" to the finger daemon. Luckily fingerd supports multiple userid lookups at the same time. Naturally 'GET' and '/' and 'HTTP/1.0'resolve to invalid users, but userid retrieves the .plan file!
Since HTTP ignores stuff preceding the <HTML> tag, my web page rendered correctly! From a system where such things were prohibited! Woo hoo! In your face Woods (the sysadmin back then)! Of course, few people cared back then as the web was a whacked far out academic project. Gopher was the big thing back then. Blargh.
This opens up a LOT of posibilities... Most companies do not log DNS queries, at all... NSTX along with SSH are almost a guarenteed way to hide traffic going in and out of a firewall in most companies...
;) yyesss!
Also, as far as i know, most firewalls that implement stateful inspection, do not support statefully inspecting DNS queries... (im going to have some fun with this little program
Cybie! aka Ralph Bonnell
I think I've seen this mentioned somewhere in Phrack while I was doing searches on something else. Nobody, however, has bothered to "officially" implement this sort of tunnel (but with Ethertaps and PPP tunneling, I'm surprised that someone hasn't...)
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I've posted it once before on slashdot, but what the hell.
The Email Bounce File System (EBFS)
It works like this: You break data up into 100k packets and send them to integrity@microsoft.com. You then have a program waiting for the bounces which picks them up when they come back (the bounced packets) and sends immediately sends them on again. Sure - the latency isn't wonderful, but it's infinitete bandwidth! And it even supports Raid-5.
Somebody once mentioned to me that this wouldn't work on some systems, that mail gets cached somewheree on the way, but the point is, it's not on my hardware, so why should I care?
Right?
Right?
Believe with me, my saplings.
If I really wanted to, I could just stop allowing dns queries for external hosts. Then internal users can only query for internal hosts, e.g. xxx.mydomain.com
It won't break anything. Things will still work - http, ftp, smtp. Because they are all via proxies. The proxies do the work.
Right now I just allow it for convenience.
The viable way to tunnel through this is via http or ftp, however if username-password authentication is required (like it is here), such abuse is unlikely.
In fact with the username-password system, you don't really need to bother filtering out sites, you just warn the relevant users if they're going too far - e.g. if warez/mp3 sites keep popping up in the logs and the pipe is congested, and the bosses start to notice and ask questions...
Cheerio,
Link.
So, you can use this 31337 Xploit to gain free Internet access... assuming you're already paying for a static IP, and you just happen to know a telephone number that lets anybody in the world log in and use their DNS. Uhm. Yeah.
I guess this is cool just for the sheer niftiness of running data through DNS; I'm sure this will soon be implemented as yet another steganographic protocol, but this isn't too useful, even for ripping off Microsoft.
When I moderate, I only use "-1, Overrated". That way, I never get meta-moderated!
But it would be useful if you had one of these set up, since then you could use it for your own "free internet access" in other cities if you travelled a lot.
Also, there is another useful application of this: If you set up the target location of one of these in another country, one that doesn't cooperate with foreign authorities in tracking people down, you could have a way to communicate with the rest of the world in an (almost) untracable way.
For example, Mr. A and Mr. B are planning a revolution in a totalitarian state. It's too dangerous for them to use standard internet access, since it can be traced right back to them.
Instead, they get one of these DNS tunnels set up in some country that has no ties (or, even better, animosity) with their current country.
Then Mr. A and Mr. B can call up toll free numbers in various countries and transfer email back and forth in untracable ways to organize the revolution.
I've heard of IP over uucp email, but this is really, really clever. Only, if you were running the server side of things, presumably, you could be traced. So, you would NOT want to use a server you owned. Who would set these up? Or does one rely on being able to compromise some host where the root password is "secret"?
Don't get me wrong, I am all for maximizing the available anonymity of the net, but we really need a hack that has the same effect, but which uses a standard server.
All in all, I'll buy the person who though of this a beer any time he or she is in town...
Dog is my co-pilot.
Sometimes the current legal climate, re DeCSS, the CueCat, et al, makes me wish all the good hackers knew how to stay underground instead of posting websites everywhere saying "700k 4t m3! 1 m4d3 4n 0p3n 50urc3 h4xxx0r!!!" It's the kind of thing that causes bad laws to be passed.
(before you flame, realize my tounge is planted halfway in cheek....)
I have a positive modifier on Troll. When I mod someone Troll their karma should go UP!
This sort of technology is an incredible boost to internet security. If this thing gets wide spread usage it will only cause the companies to start designing their networks properly instead of a loose hodgepodge of equipment which most companies have. Your whole spiel about being legitimate is a good point, BUT, whats the point of being legitimate if the "legitimate" people are creating crap.
I for one applaud all sorts of cracking and abuse on the internet because it only leads to a better stronger entity. The more people go about messing with everyone elses equipment/software the more those people will improve on their goods. Its called natural selection. Those companies that cannot make a better piece of equipment/software will fail and die. Which is how it should be in a capitalist economy. There is no point in a company succeeding through shoddy gear.
My piece is said.
- drink, fight, and fuck..thats all that really matters
Once, while visiting the mens room on the second floor of building 11, I noticed a spent packet of lubricating jelly left behind by a previous inhabitant of the stall.
I'm not sure if there was any translation going on, but it seems plausible.
--Shoeboy