Slashdot Mirror


Dan Kaminsky Suggests Having Fun with DNS

boogahsmalls writes "A few weekends ago Dan Kaminsky of scanrand fame presented some pretty cool ideas involving DNS that made plenty of heads spin at the LayerOne Technology Conference. Some of his concepts included Voice over DNS and storing Knoppix in a DNS cache. He's also apparently got a couple new tools in the pipe including a scanrand based DNS scanner and a visualization suite. Could another version of Paketto Keiretsu be in the works?" (OpenOffice.org does a great job of opening the PowerPoint slideshow.)

16 of 212 comments

  1. Nasty Nasty HTML Version by OverlordQ · · Score: 5, Informative

    Enjoy

    Note: Was converted with *gasp*powerpoint so yes it is horrible :)

    --
    Your hair look like poop, Bob! - Wanker.
  2. Re:Crazy! by Dwonis · · Score: 3, Informative

    It's easy. Use djbdns for a little while. BIND starts to look very sendmail-esque after that.

  3. SPF and SPF+ work over DNS by ideut · · Score: 4, Informative
    Dan isn't the first one to suggest novel new applications for the DNS. Many will also be familiar with SPF, the "spam permitted from" framework for defining permitted email senders. Microsoft have recently taken over the standard process and are proposing for the sender permission rules to be sent in XML format over DNS!

    The open source community's response so far has been SPF+, which is essentially a technique of encoding the rules in TCL, which is served over DNS and executed on the mailserver. For obvious reasons, SPF+ will probably define the future of spam control on the internet.

    --

  4. PDF Link by kryptkpr · · Score: 4, Informative

    PDF Conversion of powerpoint presentation

    On my ISP's very fast webspace, but please post mirrors in case they decide to pull the plug.

    --
    DJ kRYPT's Free MP3s!
  5. Re:Some of this stuff really makes a lot of sense by kryptkpr · · Score: 4, Informative

    Where's the bad part of this idea?

    1) I think the requirements for caching sets of 4-byte IP addresses and 4 GB movies are quite different. Just because a system is good at one, doesn't mean it will automatically be good at the other. When I RTFA, the author made it quite clear that there was a 512-byte packet size limit, of which only around 50% could be useful for actual data. By the author's own estimation, it would take 35,000 DNS servers to host a single 700 MB Knoppix image.

    2) DNS is already an overloaded system, and his idea uses recursion, so it would place even more load on top of it.

    If you think this is going to replace BitTorrent, you're off your rocker.

    --
    DJ kRYPT's Free MP3s!
  6. anybody remember DNS MUDs? by andrewagill · · Score: 5, Informative
    You used to be able to play a text adventure game with DNS:
    ]$ nslookup - hastur.rlyeh.net
    > set querytype=txt
    > set domain=adventure
    > 1
    Alas, hastur has been down since around 1998, but you can still live the magic if you believe in yourself!
  7. Re:Great Article by magefile · · Score: 4, Informative

    I'd suggest OpenOffice. If you're on dialup and don't want to install several hundred megs, then look at the Google cache - it'll have an HTML-ized version.

  8. Whee, Slashdotted by Effugas · · Score: 1, Informative

    You know that whole thing, where you come back from a trip to Vegas only to see a metric ton (expletive removed) of work sitting in your inbox?

    Hi. Ask questions, I'll reply and eventually integrate into the Doxpara home page.

    --Dan

  9. Re:Great Article by Anonymous Coward · · Score: 2, Informative

    Google Cache does ppt -> HTML; for this one, however, note that both text and background are white, so you need to select all to see the text.

    I don't have PowerPoint here either... Or OO.o.

  10. Re:Great Article by rasz · · Score: 3, Informative
    Dan is obviously a very smart guy
    .. and copied DNS and other ideas from others.
  11. Slides 1-10 of 44, and /.'s lameness filter sucks by leonbrooks · · Score: 3, Informative
    Black Ops 2004 @ LayerOne

    Dan Kaminsky

    ===page===break===

    Introduction

    • Who am I?
      • Senior Security Consultant, Avaya Enterprise Security Practice
      • Author of "Paketto Keiretsu", a collection of advanced TCP/IP manipulation tools
      • Speaker at Black Hat Briefings
      • Black Ops of TCP/IP series
      • Gateway Cryptography w/ OpenSSH
      • Protocol Geek

    ===page===break===

    What's On The Plate for Today?
    /* char descrip[256] = "You'll see"; */

    ===page===break===

    What is DNS

    • DNS: Domain Name System
      • Mechanism for translating human-readable names into machine-routable addresses
    • "Like 411 for the Internet"
      • As 411 usually but not always yields simple phone numbers, DNS usually but not always yields IP addresses
      • A: Given name, find IP
      • MX: Given name, find Mail
      • PTR: Given IP, find name
      • TXT: Given name, find "stuff"

    ===page===break===

    "Useful" Traits of DNS
    (Very Very Abridged)

    • Hierarchical
      • .com says where to find addresses in .doxpara.com, and .doxpara.com says where to find addresses in foo.doxpara.com
    • Recursive vs. Iterative Lookups
      • Iterative Lookup: Ask a server a question, it tells you where to go to find out the answer
      • Recursive Lookup: Ask a server, it goes out and finds out the answer for you, and tells you
      • It queries the hierarchy - which you may control
    --
    Got time? Spend some of it coding or testing
  12. Re:Crazy! by pyrrhonist · · Score: 2, Informative
    And then hoping that you get it? The problem is that there can be multiple spaces between the "IN" and "A"

    And why exactly is this an issue?

    grep -i 'in *a' file
    --
    Show me on the doll where his noodly appendage touched you.
  13. Re:Great Article by Glamdrlng · · Score: 2, Informative
    I'd discuss the paper, but it's in a format I can't view.
    Since you apparently lack the bare minimum of resourcefulness necessary to read the file, I'm sure it's our loss that you can't participate in the conversation.
    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
  14. Parent is a troll linking to a troll by jensend · · Score: 4, Informative

    If you read the linked email and the replies to it, you will find that the linked post is a troll. For real information about SPF, visit spf.pobox.com.

  15. Re:Crazy! by mkettler · · Score: 2, Informative

    I'm not sure which article it was, but perhaps it was referencing this study.

    In it someone did phase-space analysis of the PRNGs used in DNS, and combined it with a birthday paradox style attack. In it, an attack on BIND 8 was shown to be 100% likely to succeed, BIND 9 20% and DJBDNS was 30%.

    However, if you read the rest of the article, it points out that DJBDNS also uses a strongly random source port for the query, making it significantly more resistant to the attack, as the attacker would have to guess both the query ID and the source port simultaneously. (The two put together have about 1 billion possible combinations. The ID alone only has 64k.)

    Unless there's some other DNS poisoning attack I'm unaware of, I think I'd prefer DJBDNS, as it's more resistant than bind 8 or bind 9, despite its slightly less random output than bind 9.

    (Note: bind 9 can be configured to use non-fixed query ports, but you'd need a kernel-level random source-port patch to get good security out of this.)

    --
    -Matt
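    The guess-space reasoning in the comment above (16-bit ID alone vs. ID plus a random source port), turned into a small resolver audit. This is an added example, not code from the thread, from BIND or from djbdns; the (query_id, source_port) samples are constructed, and the assumption that a randomising resolver may draw from any port from 1024 upward is mine.

```python
import math

ID_SPACE = 1 << 16                   # 16-bit DNS transaction ID: 65536 values
EPHEMERAL_PORTS = 65535 - 1024 + 1   # assumption: any source port >= 1024 is possible

def looks_sequential(ids):
    """True if every ID is the previous one plus one (mod 2^16), i.e. predictable."""
    return all((b - a) % ID_SPACE == 1 for a, b in zip(ids, ids[1:]))

def audit_resolver(samples):
    """samples: (query_id, source_port) pairs captured from a resolver's outgoing
    queries. Returns the space a blind spoofed reply must hit: ID space times
    source-port space, each collapsing to 1 when the observed value is predictable."""
    ids = [i for i, _ in samples]
    ports = [p for _, p in samples]
    sequential = looks_sequential(ids)
    fixed_port = len(set(ports)) == 1
    id_space = 1 if sequential else ID_SPACE
    port_space = 1 if fixed_port else EPHEMERAL_PORTS
    space = id_space * port_space
    return {
        "sequential_ids": sequential,
        "fixed_port": fixed_port,
        "guess_space": space,
        "guess_bits": round(math.log2(space), 1),
    }

# Constructed samples (not real captures): incrementing IDs on a fixed port,
# random IDs on a fixed port, and random IDs with random source ports.
WEAK = [(1000 + n, 53) for n in range(8)]
FIXED_PORT = [(0x3b2a, 53), (0xd1f0, 53), (0x09ee, 53), (0xa7c3, 53)]
STRONG = [(0x3b2a, 41237), (0xd1f0, 52911), (0x09ee, 60004), (0xa7c3, 33871)]

if __name__ == "__main__":
    for name, s in (("weak", WEAK), ("fixed_port", FIXED_PORT), ("strong", STRONG)):
        print(name, audit_resolver(s))
```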
  16. Re:djbdns violates multiple RFCs by Anonymous Coward · · Score: 1, Informative
    The first linked page above states the following:
    The simple truth of the matter is that the RD bit is a useless piece of frippery, a mistake in the design of the DNS protocol, and DNS softwares should simply ignore it, whatever it is set to
    This is incorrect. More information