Slashdot Mirror


Dan Kaminsky Suggests Having Fun with DNS

boogahsmalls writes "A few weekends ago Dan Kaminsky of scanrand fame presented some pretty cool ideas involving DNS that made plenty of heads spin at the LayerOne Technology Conference. Some of his concepts included Voice over DNS and storing Knoppix in a DNS cache. He's also apparently got a couple of new tools in the pipe including a scanrand based DNS scanner and a visualization suite. Could another version of Paketto Keiretsu be in the works?" (OpenOffice.org does a great job of opening the PowerPoint slideshow.)

18 of 212 comments

  1. Re:Great Article by Anonymous Coward · · Score: 3, Interesting

    No, I guess I shouldn't. That was kind of elitist of me and I apologise. It's just frustrating sometimes to see a really good article on slashdot, digging in to hopefully read some good comments about it, and finding people can only post "humourous" stuff or other equally lame stuff. If I don't understand an article, I don't post on it.

    You're also right about the powerpoint, it would have obviously been much better for us if we'd been there to hear his presentation. It still gives us a good insight into his ideas though.

    Bob

  2. Some of this stuff really makes a lot of sense by mcrbids · · Score: 4, Interesting

    Forget the current legal nightmare of this proposal - just roll with me...

    This guy proposes putting content (eg Knoppix) into DNS.

    Why is DNS particularly not well suited for this kind of distribution mechanism?

    Seems to me that if the RIAA wanted to distribute their movies via broadband providers (an inevitability, I'm afraid) the biggest problem would be dealing with BANDWIDTH.

    I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...

    DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?

    Honestly, caching content a la DNS might provide a MUCH more efficient content distribution mechanism than, say, BitTorrent.

    Where's the bad part of this idea?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.

    1. Re:Some of this stuff really makes a lot of sense by markov_chain · · Score: 3, Interesting

      Content would probably get cached better with BT than DNS because of the dynamically constructed network topology. The caching in DNS works as well as it does because it happens along the domain name hierarchy (duh). The default topology probably wouldn't be very efficient for content.

      Further, DNS would need to be upgraded. There is a good reason that short-term, experimental applications are better done at the ends; read the End-to-end arguments in system design for further insights.

      --
      Tsunami -- You can't bring a good wave down!

    2. Re:Some of this stuff really makes a lot of sense by Bagheera · · Score: 4, Interesting

      Forget the current legal nightmare of this proposal - just roll with me...

      Were that we could...

      Why is DNS particularly not well suited for this kind of distribution mechanism?

      Because DNS is designed to handle its hierarchical data, not massive amounts of content? The extra fields available in DNS are there for, well, DNS related stuff.

      Seems to me that if the RIAA wanted to distribute their movies via broadband providers (an inevitability, I'm afraid) the biggest problem would be dealing with BANDWIDTH.

      I know you meant the MPAA, not the RIAA, but I think their biggest problem will be letting go of their deep seated need for control, rather than bandwidth. They can afford the pipe. And I, for one, would be incredibly pissed off to find the RIAA (or any other commercial service) caching their stuff on MY name server.

      I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...

      Like, say, USENET?

      DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?

      We do. Millions of times a day. We use it every time we translate a name to an IP number. Looking up, say, www.slashdot.org.

      Honestly, caching content a la DNS might provide a MUCH more efficient content distribution mechanism than, say, BitTorrent.

      Highly unlikely. A highly efficient system dedicated to caching content will almost certainly be better than trying to do the same thing with DNS. It's simply not made for it.

      Where's the bad part of this idea?

      Inefficiency. Load on already stressed servers. Better existing solutions. Should I go on?

      Dan's come up with some brilliant ideas over time. Definitely A Geek's Geek. But this one sounds a lot more like one of his thought experiments than an actual proposal. Like directly burning CDs over an SSH tunnel...

      --
      Never attribute to malice what can as easily be the result of incompetence...

    3. Re:Some of this stuff really makes a lot of sense by RAMMS+EIN · · Score: 2, Interesting

      ``HTTP was certainly never designed to host as much dynamic content as it does now!''

      Nor was it intended to do sessions (think webmail), and it doesn't do a very good job at those. RPC over HTTP (useful for interactive applications) is even worse; the HTTP headers can easily outweigh the payload. A stateful protocol (like FTP) would be a better fit for those uses.

      --
      Please correct me if I got my facts wrong.

  3. Put up or shut up. by DAldredge · · Score: 1, Interesting

    http://cr.yp.to/djbdns/guarantee.html

    The djbdns security guarantee
    I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.

    Examples of security holes:

    * Buffer overflows allowing attackers to take over DNS caches, such as the NXT bug in BIND before 8.2.2-P4 (1999), or the TSIG bug in BIND before 8.2.3 (2001), or the SIG bug in BIND before 4.9.11/8.3.4 (2002).
    * Buffer overflows allowing attackers to take over DNS servers, such as the IQUERY bug in BIND before 8.1.2-T3B (1998).
    * Buffer overflows allowing attackers to take over DNS clients, such as the CNAME bug in BIND's libresolv before 4.9.9/8.2.6/8.3.3/9.2.2 (2002), or the getnetbyname bug in BIND's libresolv before 4.9.11 (2002).
    * Buffer overflows allowing attackers to take over DNS utilities.

    Examples of problems that do not qualify:

    * Bugs outside of djbdns, such as OS bugs or browser bugs. (People could seize control of BIND 9.1 through an OpenSSL buffer overflow, but that was a bug in OpenSSL, not in BIND.)
    * The vulnerability of DNS to forgery. (BIND's port reuse makes blind forgery much less expensive, but this is a quantitative difference, not a qualitative difference. The DNS architecture needs cryptographic protection.)
    * Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

    My judgment is final as to what constitutes a security hole in djbdns. Any disputes will be reported here.

    1. Re:Put up or shut up. by Carnildo · · Score: 3, Interesting

      http://cr.yp.to/djbdns/guarantee.html

      The djbdns security guarantee
      I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.

      Examples of problems that do not qualify:

      * Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

      Says it right there. It's a DoS attack that, by means of a series of specially-selected queries, forces worst-case behavior out of the caching algorithm.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.

  4. Where's the innovation? by Have+Blue · · Score: 3, Interesting

    DNS is just a pervasive and well-organized caching broadcast protocol, isn't it? Right now, all it's been used to transmit is mappings of ASCII strings to IP addresses, and ancillary data related to that. Why is using it to transmit anything else particularly innovative? We didn't see this much enthusiasm when someone figured out how to send Knoppix over HTTP or Usenet.

    1. Re:Where's the innovation? by Effugas · · Score: 2, Interesting

      Putting data in DNS -- not new, I say that very early and often. What is sort of new is the idea that you can connect to many, many servers to amortize the download speed across Internet-scale networks, using their caches as short but useful term storage devices.

      Also, short term caching allows for unexpectedly useful distributed voice transmission.

      --Dan

  5. Sticking Knoppix distro in a DNS cache.... by NemosomeN · · Score: 3, Interesting

    Discussed YEARS ago with the possibility of sticking the source of DeCSS into a DNS cache (Among other things). I would put the source in an HTML comment here, but alas, no comment tags.

    --
    I hate grammar Nazi's.

  6. dangerous ideas, just think of akamai dns problems by Anonymous Coward · · Score: 2, Interesting

    Dan's got some interesting ideas, I'll grant you. But considering how scanrand has toasted network equipment I've run it against in the past, I don't think I'm too keen on his take on this. The tunneling angle is interesting, but when he gets to content distribution - it starts to look like a DNS stress tester more than a useful application, and considering how akamai got hosed for a bit last week, I sure hope that not many people play around with Dan's ideas unless they have a clue as to what they're doing. Needing 35,000 servers to xfer 700MB of data at a reasonable speed is NOT an interesting hack, but it sure sounds similar in some principles to a mass DDoS.

  7. well, I skipped installing... by zogger · · Score: 1, Interesting

    ... open office this distro go around, because I realised in all the previous distros I never used the thing, not once, and it's hundreds of megs, a simple bear to keep upgraded on a dialup, etc. I made a few test pages and looked at it before, ok it looks like an office suite to me, but as I am not going to school, nor working in an office, etc, I can get by with any text editor out there for my writing needs. If it needs to look purty I know just enough html to be dangerous......

    SO, to get back to slashdot reality, for those of us who can't see the power point, what are a few of the highlights and new and shiny ideas, if you would please and thank you, and then folks can discuss it instead of just cussing it with no idea what's going on. OK, basic stuff I got the cliff notes version down: DNS, domain name service, translates words into numbers so ye olde browser or whatnot can get from here to there on the intarweb. The numbers are assigned by various poobahs with political overtones and controversy, but it apparently works. Someone gets money for doing this, because they say so, and there's a few dozen whopper boxes sitting in nuclear bomb proof bunkers someplace that are the motherlode of rip snortin rootin tootin routin ability and all they do is DNS action when they aren't putting the moves on the female robots hanging around the bunkers or playing poker.

    And so on.

    So... what's next?

  8. Re:Crazy! by Feyr · · Score: 2, Interesting

    i have both a djbdns server (for a customer, 1200 domains or so) and a couple of bind ones (~400 domains).

    how the fuck can you say djbdns is easier than bind? if i want an A record in bind it's "IN A" (see, easily understood). if you want the same in djbdns it's some cryptic characters that make no sense (and is, of course, undocumented, or was last time i needed it).

    now the best part. there's MULTIPLE characters to do nearly the same thing. if i recall a + is a straight A record, and a @ (i think) is an A+PTR

    give me bind anytime, it's MUCH easier. though i'm about to move to powerdns or something with a mysql or ldap backend so customers can edit their zones easily
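
Feyr's post compares BIND's `IN A` with tinydns's one-character record types. As an added example (not code from the thread and not part of djbdns), the parser below expands tinydns-data lines into the records they generate, which makes each character's meaning concrete: in tinydns-data a `+` line yields an A record only, `=` yields the A record plus its matching PTR, and `@` is the MX line. The record-type characters and field order follow the tinydns-data documentation; the `(owner, type, rdata)` output format and the sample data file are this example's own, TTL/timestamp/location fields are accepted but ignored, and TXT octal escapes are not decoded.

```python
"""Expand tinydns-data lines into the DNS records they generate.

Added example; not code from the Slashdot thread or from djbdns.
Record-type characters and field order follow the tinydns-data
documentation (+ = @ . & C ' ^ Z). The (owner, type, rdata) output
format and SAMPLE_DATA are constructed for this example; ttl, timestamp
and location fields are ignored and TXT octal escapes are not decoded.
"""

# Constructed data file for a fictional zone (not a real deployment).
SAMPLE_DATA = """\
# constructed tinydns-data file for example.com
.example.com:192.0.2.53:a
@example.com:192.0.2.25:a:10
+www.example.com:192.0.2.80
=host.example.com:192.0.2.10
Cftp.example.com:www.example.com
'example.com:v=spf1 mx -all
"""


def reverse_name(ip: str) -> str:
    """IPv4 address -> the in-addr.arpa owner name of its PTR record."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def _qualify(x: str, infix: str, fqdn: str) -> str:
    """tinydns rule: a dotted x is used as-is, a bare label x means x.<infix>.<fqdn>.
    The x field is required here (this example does not model tinydns defaults)."""
    if not x:
        raise ValueError(f"x field required for {fqdn}")
    return x if "." in x else f"{x}.{infix}.{fqdn}"


def expand_line(line: str) -> list:
    """Return the list of (owner, type, rdata) records one data line produces."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    kind, fields = line[0], line[1:].split(":")
    fqdn = fields[0].lower()

    def arg(i: int) -> str:  # missing trailing fields read as empty strings
        return fields[i] if len(fields) > i else ""

    out = []
    if kind == "+":                       # plain A record, nothing else
        out.append((fqdn, "A", arg(1)))
    elif kind == "=":                     # A record plus the matching PTR
        out.append((fqdn, "A", arg(1)))
        out.append((reverse_name(arg(1)), "PTR", fqdn))
    elif kind == "@":                     # MX (distance defaults to 0) plus A for the exchanger
        host = _qualify(arg(2), "mx", fqdn)
        out.append((fqdn, "MX", f"{arg(3) or '0'} {host}"))
        if arg(1):
            out.append((host, "A", arg(1)))
    elif kind in ".&":                    # NS plus A for the name server; "." also emits an SOA
        host = _qualify(arg(2), "ns", fqdn)
        if kind == ".":
            out.append((fqdn, "SOA", f"{host} hostmaster.{fqdn}"))
        out.append((fqdn, "NS", host))
        if arg(1):
            out.append((host, "A", arg(1)))
    elif kind == "C":
        out.append((fqdn, "CNAME", arg(1)))
    elif kind == "'":
        out.append((fqdn, "TXT", arg(1)))
    elif kind == "^":
        out.append((fqdn, "PTR", arg(1)))
    elif kind == "Z":
        out.append((fqdn, "SOA", f"{arg(1)} {arg(2)}"))
    else:
        raise ValueError(f"unknown tinydns record type {kind!r}: {line}")
    return out


def expand_zone(text: str) -> list:
    """Expand every line of a data file; a bad line raises rather than being skipped."""
    records = []
    for line in text.splitlines():
        records.extend(expand_line(line))
    return records


def record_types(records: list) -> dict:
    """Owner name -> sorted record types, the view that exposes an unintended type."""
    by_owner = {}
    for owner, rtype, _ in records:
        by_owner.setdefault(owner, set()).add(rtype)
    return {owner: sorted(types) for owner, types in by_owner.items()}


if __name__ == "__main__":
    for owner, types in record_types(expand_zone(SAMPLE_DATA)).items():
        print(f"{owner:32} {' '.join(types)}")
```

Running the expansion before publishing a data file and reviewing the per-owner type list is a cheap guard against the kind of wrong-record-type change mabinogi describes later in the thread: an owner that unexpectedly gains an NS, or a `=` line that silently adds a PTR into a reverse zone you did not mean to touch, shows up before the zone goes live.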

  9. Re:Great Article by jovetoo · · Score: 5, Interesting

    His techniques allow someone to set up a cryptographically secure network that most likely completely ignores firewalls. It features high bandwidth-high latency connection, low bandwidth-low latency connections and is virtually untraceable, even to both parties involved in the connection. An initial hostname and time would act as the 'phone number'. (By keeping a certain request alive, one can even implement a dialing service with TTL delay.) A message service is freely included.

    It is virtually impossible to shut these networks down without replacing/patching dns. Not an easy task.
    The bandwidth available to this network most likely exceeds that of most irc-botnets. Especially since the root servers are defending themselves against DDoS attacks.

    The tools he's still developing might be able to trace these things but it will still require cooperation of dns server administrators (to get their logs). You will never get them all and you'll have a LOT of data to process. According to this the ICS root server continuously handles almost 8Mbps (and can handle up to 80Mbps) of traffic. I seriously doubt they can log that... (if so, transferring the logs would continually consume a healthy percent of the server's bandwidth.)

    Pretty smart man indeed and very idealistic or shortsighted. Both the right and the wrong sort of people would pay a lot of money for that...

  10. Re:Win2k DNS by mabinogi · · Score: 2, Interesting

    I honestly don't know either. But apparently DNS is hard, even when you're using W2K.
    I've never figured out how one of our network people was able to ACCIDENTALLY add an NS record for one of our web servers instead of an A record, and I've definitely never figured out how it is that they couldn't understand what the problem was or how to fix it. They use Win2K on the DNS servers.

    If it'd been Bind, they wouldn't have made the mistake in the first place, because there is no way you would accidentally type "NS" instead of "A". Not to mention the fact that they probably wouldn't have attempted to make the change, and would have waited until the person who knew what he was doing was back.

    I'm assuming that the person in question randomly clicked stuff until he had somewhere he could put a server name in....

    --
    Advanced users are users too!

  11. Re:SPF and SPF+ work over DNS by Effugas · · Score: 2, Interesting

    Hmmm. We've been hearing about agent technology / mobile code for years, and not only has its functionality been a bit sketchy at best, but its security is a nightmare. Note -- you can't post Javascript on Slashdot or PHP within common forums, and there's a reason.

    Putting TCL in DNS as a commonly used standard is a bit worrisome -- you'd have programmatic access to an execution context within any mail server. Not rejecting the idea outright -- but what are the functionality gains that justify such an outright expansion of remote access to untrusted parties?

    --Dan

  12. Re:You have no idea how appropriate this is by Effugas · · Score: 2, Interesting

    Well, there are two kinds of people in the world -- those who see SOCKS over SSH over TCP over HTTP over DNS over UDP as neat, and those who don't.

    The DNS backchannel through a firewall, by abusing the hierarchy, is a real problem.

    --Dan

  13. Re:You have no idea how appropriate this is by dlb · · Score: 2, Interesting

    Weird bionic encapsulations are 'neat' until you're the one trying to justify the bandwidth bill.

    It's neat until you've gone into the next higher pricing bracket because someone decided to piggyback a bunch of other protocols on top of dns to your external name servers. Aside from breaking rfc, or causing a self-inflicted DOS, there isn't much you can do about it.
    (On the other hand, this is a prime example why allowing recursive DNS requests externally is a bad idea.)

    What I think is neat is stuff that's going to save me bandwidth, not increase freeloader traffic.

    "DNS backchannel through the firewall" is addressed by sensible design and a good security policy.
    Wrapping a server around an enforcement point like you described in your presentation is horrible design; any nutcase that implements that solution deserves problems.

    ~dlb
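
jovetoo's and dlb's posts above treat the DNS backchannel as a traffic-analysis problem on the defender's side: a name hierarchy bent into a transport, and far more resolver log data than anyone wants to read by hand. As an added example (not code from the thread and not one of Dan Kaminsky's tools), the following Python scores each parent domain in a resolver query log on three features that separate data-carrying lookups from ordinary name resolution: the entropy of the labels below the parent, the fraction of names that are never repeated (a cache that is never hit), and the share of TXT/NULL queries. The log line format and the sample lines are constructed for this example, and approximating the parent domain by the last two labels is an assumption a production tool would replace with a public suffix list.

```python
"""Heuristic scoring of resolver query logs for DNS covert channels.

Added example, not from the Slashdot thread or from any of the tools it
mentions. Assumptions: each log line is "client qname qtype" (a format
constructed for this example) and the parent domain is approximated as
the last two labels, which a real tool would replace with a public
suffix list lookup.
"""
import math
from collections import defaultdict

# Record types that tunnelling tools favour because the answer carries
# free-form payload; a run of these to one zone is a stronger signal than A lookups.
PAYLOAD_QTYPES = {"TXT", "NULL"}

# Constructed sample log: two ordinary clients plus one (10.0.0.9) that
# sends long, random-looking, never-repeated names under one zone.
SAMPLE_LOG = """\
10.0.0.5 www.slashdot.org A
10.0.0.5 cr.yp.to A
10.0.0.7 mail.example.net MX
10.0.0.9 4n8k2q1z9v.x7h3p0d2m5.tunnel.example.org TXT
10.0.0.9 9f2w1e7r6t.q8y3u5i0o1.tunnel.example.org TXT
10.0.0.9 z1x2c3v4b5.n6m7a8s9d0.tunnel.example.org TXT
10.0.0.5 static.slashdot.org A
10.0.0.9 p0o9i8u7y6.t5r4e3w2q1.tunnel.example.org NULL
10.0.0.9 l2k3j4h5g6.f7d8s9a0p1.tunnel.example.org TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; base32/base64-style random labels score well above 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str, levels: int = 2) -> str:
    """Approximate the registrable domain as the last `levels` labels (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def parse_log(text: str) -> list:
    """Parse 'client qname qtype' lines; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, qtype = parts
        rows.append({"client": client, "qname": qname.rstrip(".").lower(),
                     "qtype": qtype.upper()})
    return rows


def domain_stats(rows: list) -> dict:
    """Per parent domain: query count, unique-name ratio, mean entropy and
    length of the part below the parent, and share of payload-carrying qtypes."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[parent_domain(r["qname"])].append(r)
    stats = {}
    for dom, recs in grouped.items():
        entropies, lengths, payload = [], [], 0
        for r in recs:
            below = r["qname"][: -len(dom)].rstrip(".")   # labels under the parent
            entropies.append(shannon_entropy(below.replace(".", "")))
            lengths.append(len(r["qname"]))
            payload += 1 if r["qtype"] in PAYLOAD_QTYPES else 0
        n = len(recs)
        stats[dom] = {
            "queries": n,
            "unique_ratio": len({r["qname"] for r in recs}) / n,
            "mean_entropy": sum(entropies) / n,
            "mean_qname_len": sum(lengths) / n,
            "payload_ratio": payload / n,
        }
    return stats


def find_suspicious(text: str, min_queries: int = 4, entropy_threshold: float = 3.5,
                    unique_threshold: float = 0.8, payload_threshold: float = 0.5) -> list:
    """Parent domains whose query mix looks like a covert channel, sorted by name.
    Thresholds are starting points to tune against a site's own baseline."""
    flagged = []
    for dom, s in domain_stats(parse_log(text)).items():
        if s["queries"] < min_queries:
            continue   # too few queries to judge; avoids flagging one-off lookups
        looks_random = (s["mean_entropy"] >= entropy_threshold
                        and s["unique_ratio"] >= unique_threshold)
        if looks_random or s["payload_ratio"] >= payload_threshold:
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, s in domain_stats(parse_log(SAMPLE_LOG)).items():
        print(dom, s)
    print("suspicious:", find_suspicious(SAMPLE_LOG))
```

The unique-name ratio is the feature that ties back to the thread: a channel that uses caches as "short but useful term storage" must keep generating names the cache has never seen, so on the resolver side it shows up as a zone with many queries and almost no repeats. The `min_queries` floor matters in practice, since a single odd-looking lookup is usually a CDN or anti-spam check rather than a tunnel, and running the scorer only on the internal resolver (with external recursion refused, as dlb recommends) keeps the log small enough to process.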