Dan Kaminsky Suggests Having Fun with DNS
boogahsmalls writes "A few weekends ago Dan Kaminsky of scanrand fame presented some pretty cool ideas involving DNS that made plenty of heads spin at the LayerOne Technology Conference. Some of his concepts included Voice over DNS and storing Knoppix in a DNS cache. He's also apparently got a couple new tools in the pipe including a scanrand based DNS scanner and a visualization suite. Could another version of Paketto Keiretsu be in the works?" (OpenOffice.org does a great job of opening the PowerPoint slideshow.)
I'd rather my dns just work.
but who doesn't have Knoppix in the DNS cache already anyway? Welcome to the 21st century buddy.
I'd rather read his slides in binary from IN A records than open powerpoint.
Now we have to Read The Fsckin' Power Point?
-- I have a private email server in my basement.
It's a pity most of the slashdot crowd won't understand any of its technical merits at all.
Mark this as flamebait if you will, but come back in a while and read the comments, I promise there will be hardly any discussion of the paper.
Dan is obviously a very smart guy, I like his ideas about using http tunnel (it's a great program), I'm going to have to give some of these ideas a work out!
Bob
Gee, maybe they could make the results of any unresolved queries forward users to a handy search page, instead of returning an appropriate 'not found' response!
"To lead the people, you must walk behind them"
Microsoft Powerpoint also does a great job of opening the PowerPoint slideshow.
Most people are lucky if DNS just works without major headaches.
I could swear BIND, along with its config file, is considered, together with Sendmail, one of the most convoluted programs in Internetdom. It, again along with Sendmail, is historically also one of the most bug-ridden and exploited.
And now someone is suggesting futzing around with it?! Why not just change your domain to "rootmeplease.com" and get it over with?
-Charles
Learning HOW to think is more important than learning WHAT to think.
Enjoy
:)
Note: Was converted with *gasp*powerpoint so yes it is horrible
Your hair look like poop, Bob! - Wanker.
"Could another version of Paketto Keiretsu be in the works?"
.torrent up?
Silly poster, the article's link to Dan's website brings you to the new tools (in "prebuild three"). Can someone please get a
Those are some seriously amazing gadgets in there, but I have to say I've yet to actually, you know, use one in any particular way.... yet I'm excited there are more out! I somehow want to know I could store knoppix in DNS even if I'm not likely to actually do it.
closed minded is as closed minded does
Conclusion
;)
Stuff = Cool
More Stuff Soon
This guy is amazing! Where does he come up with this stuff!
The open source community's response so far has been SPF+, which is essentially a technique of encoding the rules in TCL, which is served over DNS and executed on the mailserver. For obvious reasons, SPF+ will probably define the future of spam control on the internet.
--
In other words kid, don't fuck with us old guys or we'll show you who knows shit!
Forget the current legal nightmare of this proposal - just roll with me...
This guy proposes putting content (eg Knoppix) into DNS.
Why is DNS particularly not well suited for this kind of distribution mechanism?
Seems to me that if the RIAA wanted to distribute their movies via broadband providers (an inevitability, I'm afraid) the biggest problem would be dealing with BANDWIDTH.
I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...
DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?
Honestly, caching content a la DNS might provide a MUCH more efficient content distribution mechanism than, say, BitTorrent.
Where's the bad part of this idea?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
PDF Conversion of powerpoint presentation
On my ISP's very fast webspace, but please post mirrors in case they decide to pull the plug.
DJ kRYPT's Free MP3s!
http://cr.yp.to/djbdns/guarantee.html
The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.
Examples of security holes:
* Buffer overflows allowing attackers to take over DNS caches, such as the NXT bug in BIND before 8.2.2-P4 (1999), or the TSIG bug in BIND before 8.2.3 (2001), or the SIG bug in BIND before 4.9.11/8.3.4 (2002).
* Buffer overflows allowing attackers to take over DNS servers, such as the IQUERY bug in BIND before 8.1.2-T3B (1998).
* Buffer overflows allowing attackers to take over DNS clients, such as the CNAME bug in BIND's libresolv before 4.9.9/8.2.6/8.3.3/9.2.2 (2002), or the getnetbyname bug in BIND's libresolv before 4.9.11 (2002).
* Buffer overflows allowing attackers to take over DNS utilities.
Examples of problems that do not qualify:
* Bugs outside of djbdns, such as OS bugs or browser bugs. (People could seize control of BIND 9.1 through an OpenSSL buffer overflow, but that was a bug in OpenSSL, not in BIND.)
* The vulnerability of DNS to forgery. (BIND's port reuse makes blind forgery much less expensive, but this is a quantitative difference, not a qualitative difference. The DNS architecture needs cryptographic protection.)
* Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)
My judgment is final as to what constitutes a security hole in djbdns. Any disputes will be reported here.
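The guarantee above calls BIND's port reuse a quantitative rather than qualitative difference. The following is an added example written for this page, not djbdns or BIND code, that puts numbers on that claim under an assumed model: one outstanding query, an attacker blindly sending N forged replies during the race window, each guessing a uniformly random (TXID, destination port) pair, and a resolver that accepts the first reply whose TXID and port match. The port range and the packet rate and window in `compare()` are assumptions.

```python
"""Added example (not djbdns or BIND code): the cost of blind DNS forgery with a
fixed source port versus a randomized one.  Model assumptions: one outstanding
query, N forged replies per race, uniformly random guesses, first match wins."""
import math

TXID_SPACE = 1 << 16          # 16-bit DNS ID field
PORT_SPACE = 65536 - 1024     # ephemeral ports a resolver might randomize over (assumed range)


def guess_space(randomize_port: bool) -> int:
    """Size of the space a blind attacker must hit: TXID alone, or TXID x source port."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def p_success(forged_packets: int, randomize_port: bool) -> float:
    """P(at least one of N random guesses matches) = 1 - (1 - 1/space)^N.
    Computed via log1p/expm1 so the tiny per-packet probability is not lost to rounding."""
    space = guess_space(randomize_port)
    return -math.expm1(forged_packets * math.log1p(-1.0 / space))


def packets_for(target_p: float, randomize_port: bool) -> int:
    """Forged packets needed before the success probability reaches target_p."""
    space = guess_space(randomize_port)
    return math.ceil(math.log1p(-target_p) / math.log1p(-1.0 / space))


def packets_in_window(pps: int, window_s: float) -> int:
    """How many forgeries fit before the legitimate answer closes the race window."""
    return int(pps * window_s)


def compare(pps: int = 50_000, window_s: float = 0.1) -> dict:
    """Per-race success probability for a fixed-port resolver vs. a port-randomizing one.
    pps and window_s are assumed figures, not measurements."""
    n = packets_in_window(pps, window_s)
    return {
        "forged_per_race": n,
        "fixed_port": p_success(n, False),
        "random_port": p_success(n, True),
    }


if __name__ == "__main__":
    print(compare())
    print("packets for 50% odds, fixed port:", packets_for(0.5, False))
    print("packets for 50% odds, random port:", packets_for(0.5, True))
```

Randomizing the port multiplies the attacker's work by roughly `PORT_SPACE`, but the attacker who can send enough packets, or who gets to retry across many races, still wins eventually; that is the sense in which the difference is quantitative. Only authenticating the answer (DNSSEC-style signatures) removes the guessing game altogether.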
DNS is just a pervasive and well-organized caching broadcast protocol, isn't it? Right now, all it's been used to transmit is mappings of ASCII strings to IP addresses, and ancillary data related to that. Why is using it to transmit anything else particularly innovative? We didn't see this much enthusiasm when someone figured out how to send Knoppix over HTTP or Usenet.
Discussed YEARS ago with the possibility of sticking the source of DeCSS into a DNS cache (among other things). I would put the source in an HTML comment here, but alas, no comment tags.
I hate grammar Nazi's.
The PDF file (created using OpenOffice.org) is here (8.7 MB .torrent).
Once reading the article you would understand.
If you put the presentation in DNS it would not be a problem.
The DNS servers are there for DNS, not files. They are not written or stress-tested as fileservers. DNS requests and responses are small chunks of data. It would be sorta bad if people started sending 600 meg ISOs through the DNS system and, you know, kinda, broke DNS.
Dan's got some interesting ideas, I'll grant you. But considering how scanrand has toasted network equipment I've run it against in the past, I don't think I'm too keen on his take on this. The tunneling angle is interesting, but when he gets to content distribution it starts to look like a DNS stress tester more than a useful application, and considering how Akamai got hosed for a bit last week, I sure hope that not many people play around with Dan's ideas unless they have a clue as to what they're doing. Needing 35,000 servers to xfer 700MB of data at a reasonable speed is NOT an interesting hack, but it sure sounds similar in some principles to a mass DDoS.
Ok, so let's do this:
We've got the Kaminsky protocol connected to the
DNS protocol
the DNS protocol's connected to the
UDP protocol
The UDP protocol's connected to the
IP protocol
Oh hear the word of the inefficient!
The second verse is left as an exercise for the reader. Please keep in mind that writing another verse is somewhat more productive than implementing the aforementioned Kaminsky protocol.
-Adam
... open office this distro go around, because I realised in all the previous distros I never used the thing, not once, and it's hundreds of megs, a simple bear to keep upgraded on a dialup, etc. I made a few test pages and looked at it before, ok it looks like an office suite to me, but as I am not going to school, nor working in an office, etc, I can get by with any text editor out there for my writing needs. If it needs to look purty I know just enough html to be dangerous......
SO, to get back to slashdot reality, for those of us who can't see the PowerPoint, what are a few of the highlights and new and shiny ideas, if you would please and thank you, and then folks can discuss it instead of just cussing it with no idea what's going on. OK, basic stuff I got the cliff notes version down: DNS, domain name service, translates words into numbers so ye olde browser or whatnot can get from here to there on the intarweb. The numbers are assigned by various poobahs with political overtones and controversy, but it apparently works. Someone gets money for doing this, because they say so, and there's a few dozen whopper boxes sitting in nuclear bomb proof bunkers someplace that are the motherlode of rip snortin rootin tootin routin ability and all they do is DNS action when they aren't putting the moves on the female robots hanging around the bunkers or playing poker.
And so on.
So... what's next?
INTERVENTION!!!!
/.ers! We have to save YouGotServed from the terrible fate he's heading for.
Come on
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
OK this is pretty OT as well but I'll have to agree too many people have no depth. But in reviewing a candidate it's generally better to try and figure out how quickly they can get some depth. And knowing a little bit of everything and being able to go deeper quickly can make you a great CTO :) or consultant (i.e. not a temp staffer being called a consultant).
No sir I dont like it.
I don't get it. It sounds like another protocol inversion: ;-)
UDP over DNS. OTOH we have seen IT managers solemnly accepting
RPC over HTTP (SOAP) and TCP over HTTP (Web Services).
You know that whole thing, where you come back from a trip to Vegas only to see a metric ton (expletive removed) of work sitting in your inbox?
Hi. Ask questions, I'll reply and eventually integrate into the Doxpara home page.
--Dan
I honestly don't know either. But apparently DNS is hard, even when you're using W2K.
I've never figured out how one of our network people was able to ACCIDENTALLY add an NS record for one of our web servers instead of an A record, and I've definitely never figured out how it is that they couldn't understand what the problem was or how to fix it. They use Win2K on the DNS servers.
If it'd been BIND, they wouldn't have made the mistake in the first place, because there is no way you would accidentally type "NS" instead of "A". Not to mention the fact that they probably wouldn't have attempted to make the change, and would have waited until the person who knew what he was doing was back.
I'm assuming that the person in question randomly clicked stuff until he had somewhere he could put a server name in....
Advanced users are users too!
Lets watch how the initial implementation of SSH over DNS works:
...all at the same time, just for a simple encrypted session across the very wide Internet.
:-D
SSH connects to HTTPtunnel's TCP proxy, which converts TCP to HTTP (another TCP protocol, but record oriented with all sorts of limitations). These HTTP packets are then captured by a DNS translator, which sends the packets out over UDP. The UDP packets route across the net, themselves encapsulated in IP, MPLS, and Ethernet, potentially bouncing off a local DNS server. They arrive, are decapsulated more times than I can count, and are eventually given to an SSH server.
Now, the SSH client opens up a SOCKS daemon, and uses it to direct port forwards on the faraway SSH server. For those keeping score, to achieve this VPN, we've used:
SSH
TCP
HTTP
DNS
UDP
IP
MPLS
Ethernet
Bonus points if you realized you can bounce off all the DNS servers out there, meaning the outgoing packets in the SSH over DNS link are potentially spreadable in arbitrary directions like so many dandelion seeds...
--Dan
Yes, the ability to learn is important. But just as important is the ability to say "I don't know." If there are two candidates where I feel that either has the same learning capacity, but one is more honest about their skills, I'll pick the more honest one because I know where they stand. I have enough know-it-all-can-do-everything-bow-before-me types around me already who manage just to make more work for me later when they couldn't actually do what they said they could do. And firing people is at best unpleasant.
DNS is the essential infrastructure required for almost all Internet applications to function correctly... so let's fuck with it and create some cool hacks, and use it to implement stuff that's already been done much better using other protocols! I mean, what could possibly go wrong?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Black Ops 2004 @ LayerOne
Dan Kaminsky
Introduction
What's On The Plate for Today?
/* char descrip[256] = "You'll see"; */
What is DNS
"Useful" Traits of DNS
(Very Very Abridged)
Got time? Spend some of it coding or testing
"OpenOffice.org" is the name of the office suite. www.openoffice.org is the name of the website.
After taking a look at Paketto back when he wrote it up, and now taking a look at his work here, I think I've figured out his MO:
1. Surround self with RFC's for core internet protocols.
2. Ingest large quantities of something very hallucinogenic, yet not very legal.
3. Give the RFC's the Fruit Fucker 2000 "rode hard and put back wet" treatment.
4. Put together a group of proof-of-concept tools that make intelligent people who have worked in networking for years say "Shit, just when I thought I knew this stuff!" Oh, and profit.
Yes, my only tool is a hammer. And you're starting to look like a nail.
I was able to later on get to one of the mirrors. Appreciate the effort! I don't pretend to understand most of it, but I gathered a little. It seems... convoluted and a lot of effort for little return, except in the *obscurity* of it. I can't see it being used for a whole lot despite variations on this:
*
o Rumors of various botnets / malware using DNS as a covert channel
--true stuff? Might explain some of the weirdness going on.
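The slide line quoted above, about malware using DNS as a covert channel, is the defender's side of the tunneling idea. The following is an added example written for this page, not from the slides or from any product: a small heuristic that scans resolver query logs for zones receiving many distinct, long, high-entropy subdomain labels, which is what an encoded-data-in-the-QNAME tunnel looks like from the outside. The log format, the sample lines and the thresholds are all constructed for illustration; the `registered_domain()` rule (last two labels) is a simplification of what real code would do with the Public Suffix List.

```python
"""Added example (not from the slides): flag DNS zones that look like covert
channels, using constructed resolver log lines of the form '<client> <qname> <qtype>'."""
import math
from collections import defaultdict

# Constructed sample log. The last three lines imitate encoded data riding in
# query names under one zone, answered via TXT, as the tunneling slide describes.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 slashdot.org A
10.0.0.7 www.example.com A
10.0.0.9 s0.mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.doxpara.com TXT
10.0.0.9 s1.krsxg5a7nfzca2lomfwwy4dxmf4hgidfnzsxsidmn5xgw2ltmfrge.t.doxpara.com TXT
10.0.0.9 s2.ob2xi4tfmrug65dfnzuxe5tbnrqw45dmorsxe4tbnrqxg5dfnrsxg.t.doxpara.com TXT
"""


def registered_domain(qname: str) -> str:
    """Assumption for this example: the zone owner is the last two labels."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, words like 'www' or 'mail' score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text: str) -> dict:
    """Aggregate per-zone statistics over the subdomain part of each query name."""
    stats = defaultdict(lambda: {"queries": 0, "unique_subs": set(),
                                 "entropy_sum": 0.0, "len_sum": 0, "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qname, qtype = line.split()
        zone = registered_domain(qname)
        sub = qname[:-len(zone)].rstrip(".")           # everything left of the zone
        st = stats[zone]
        st["queries"] += 1
        st["unique_subs"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        st["len_sum"] += len(sub)
        st["txt"] += qtype in ("TXT", "NULL")          # record types that carry arbitrary bytes
    return stats


def flag(stats: dict, min_entropy: float = 3.5, min_len: int = 30, min_unique: int = 3) -> set:
    """Zones whose subdomains are, on average, long and random-looking and rarely repeat.
    Thresholds are illustrative starting points, not tuned values."""
    suspicious = set()
    for zone, st in stats.items():
        avg_entropy = st["entropy_sum"] / st["queries"]
        avg_len = st["len_sum"] / st["queries"]
        if (avg_entropy >= min_entropy and avg_len >= min_len
                and len(st["unique_subs"]) >= min_unique):
            suspicious.add(zone)
    return suspicious


if __name__ == "__main__":
    print(flag(analyze(SAMPLE_LOG)))
```

Expect false positives from zones that legitimately use hashed or encoded labels (CDNs, anti-spam and reputation lookups), so in practice the flagged set is a queue for review, not a block list; a baseline of which zones normally look like this on your network does most of the work.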
I really hope you're a wise ass :)
See Sig! See Sig Zig! Zig Sig Zig!!!!!
If you read the linked email and the replies to it, you will find that the linked post is a troll. For real information about SPF, visit spf.pobox.com.
Mashed post instead of preview as I was collecting my thoughts. By "weirdness" I had heard twice now, since two years ago, that banking systems in particular have been compromised and it's ongoing and they haven't been able to stop it. The technique was allegedly able to go through firewalls because it was *requested*. I didn't understand it then and I don't know, but it sounds like this deal in the article sliding in under the name server.
First, we must keep in mind the motivation of the troll. The troll's mecca is getting people in a discussion to waste their time by posting an insincere dumb statement/question that is sure to elicit heavy response. Let's break the message down: Right off the bat here are three things likely to set slashdotters off. #1, he's using a windows box. #2, he's using it for a military installation. #3, he's telling us about it. The first sentence alone is enough to condemn this post to trollhood. First off, this is not the language of someone who works in IT operations. Second, one would hope that a server on a military installation is protected by more than a weak host-based firewall and some router ACLs. And again, these are not things that someone in a military IT group should be posting about. Here's the incriminating evidence. With a line like this, the only way this post could be more of a troll is if it guarded a bridge and demanded a toll of those who crossed it. Note the feigned cluelessness, wondering "why people have such problems with DNS". Dude, you can't work for a year in IT and not run into DNS problems somewhere along the line. Then there's the schmoozing: not even the most evangelical linux zealots would use the word "superb" in this context. And note the final plea for dialogue: "Can anybody clue me in?" This is someone fishing for replies/controversy, and maybe even a little karma. Everyone who replies to this post (including myself, though I'm replying for my own enjoyment as well) has a great big fish hook in his/her mouth; we got caught, hook line and sinker.
...and djbdns starts to look very non-standards-compliant.
Please help metamoderate.
A DNS-based network could provide a high-latency high-bandwidth medium. Just think about where you heard those two properties before: Freenet! A DNS based freenet might be very hard to stop indeed!
Support a Europe-related section on Slashdot!
Wow.
So you're telling me you think that post is genuine, and not someone trolling? OR are you subscribing to antigroupthink and posting against it without a second thought?
/* char descrip[256] = "You'll see"; */
.com says where to find addresses in .doxpara.com, and .doxpara.com says where to find addresses in foo.doxpara.com
;-)
----------------
Black Ops 2004 @ LayerOne
Dan Kaminsky
----------------
Introduction
Who am I?
Senior Security Consultant, Avaya Enterprise Security Practice
Author of "Paketto Keiretsu", a collection of advanced TCP/IP manipulation tools
Speaker at Black Hat Briefings
Black Ops of TCP/IP series
Gateway Cryptography w/ OpenSSH
Protocol Geek
----------------
What's On The Plate for Today?
----------------
What is DNS
DNS: Domain Name System
Mechanism for translating human-readable names into machine routable addresses
"Like 411 for the Internet"
As 411 usually but not always yields simple phone numbers, DNS usually but not always yields IP addresses
A: Given name, find IP
MX: Given name, find Mail
PTR: Given IP, find name
TXT: Given name, find "stuff"
----------------
"Useful" Traits of DNS
(Very Very Abridged)
Hierarchical
Recursive vs. Iterative Lookups
Iterative Lookup: Ask a server a question, it tells you where to go to find out the answer
Recursive Lookup: Ask a server, it goes out and finds out the answer for you, and tells you
It queries the hierarchy...which you may control
Caching
Responses contain a TTL - Time To Live - within which future requests don't require another message to be sent
----------------
Primary Research Areas for DNS
Exploitation
1999-2000 were filled with exploits against BIND, the most common DNS server
Not terribly vulnerable now
DNS Spoofing
Returning false addresses = hijack people's outgoing net connections
DNS Tunneling
----------------
DNS Tunneling [1]
How
Client -> Server
What's the information for BATCH-OF-ENCODED-DATA.doxpara.com?
Server -> Client
The information? Why, it's "HERES-THAT-DATA-YOU-WERE-LOOKING-FOR"
Why?
DNS is extremely permeable - it will route through architectures where often nothing else will
Captive portals for Wireless Internet
"More"
----------------
Starting Simple:
DNS Tunneling [0]
Who?
NSTX most popular
Creates a "virtual network device" that routes IP (actually, Ethernet frames) over DNS
Linux Only
Rumors of various botnets / malware using DNS as a covert channel
----------------
DNS Tunneling[2]:
Entering Userspace
Starting "Simple"
NSTX requ
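The "DNS Tunneling [1]" slide above gives the shape of the channel: the client hides data in the query name, the server hides its reply in the answer. The following is an added example written for this page, not Dan Kaminsky's code and not NSTX: a minimal, offline model of that exchange that respects the DNS limits the slide glosses over (63-octet labels, a 253-character name, 255-octet TXT strings). The zone name `t.doxpara.com`, the `s<seq>` sequence label, the chunk size and the echo behaviour of the toy server are assumptions made here; `server_handle()` is called directly in place of a network send.

```python
"""Added example (not from the slides, not NSTX): encode data into DNS query names
and back out of TXT answers, honouring RFC 1035 size limits.  Runs offline."""
import base64

MAX_LABEL = 63             # a DNS label is at most 63 octets
MAX_NAME = 253             # longest dotted name that fits the 255-octet wire limit
MAX_TXT_STRING = 255       # each <character-string> in TXT rdata is at most 255 octets
TUNNEL_ZONE = "t.doxpara.com"   # assumed tunnel zone, after the slide's *.doxpara.com
CHUNK = 110                # payload bytes per query: 176 base32 chars -> 3 labels, name fits MAX_NAME


def b32(data: bytes) -> str:
    """Base32 is DNS-safe (letters and digits only) and survives case folding by resolvers."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def build_query_name(seq: int, chunk: bytes, zone: str = TUNNEL_ZONE) -> str:
    """Client side: s<seq>.<b32 label>.<b32 label>...<zone>, like BATCH-OF-ENCODED-DATA.doxpara.com."""
    enc = b32(chunk)
    labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
    name = ".".join([f"s{seq}", *labels, zone])
    if len(name) > MAX_NAME:
        raise ValueError(f"name too long for DNS: {len(name)} chars")
    return name


def parse_query_name(name: str, zone: str = TUNNEL_ZONE) -> tuple:
    """Server side: recover (seq, chunk) from a tunnel query name; reject anything else."""
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError("not a tunnel query")
    labels = name[:-len(suffix)].split(".")
    if not labels[0].startswith("s") or not labels[0][1:].isdigit():
        raise ValueError("missing sequence label")
    return int(labels[0][1:]), unb32("".join(labels[1:]))


def build_txt_rdata(data: bytes) -> list:
    """Server side: carry bytes back as TXT <character-string>s, each <= 255 octets."""
    enc = base64.b64encode(data).decode("ascii")
    return [enc[i:i + MAX_TXT_STRING] for i in range(0, len(enc), MAX_TXT_STRING)]


def parse_txt_rdata(strings: list) -> bytes:
    return base64.b64decode("".join(strings))


def server_handle(qname: str, zone: str = TUNNEL_ZONE) -> list:
    """Toy tunnel server: echo the chunk back with its seq so the client can order replies.
    A real server would hand the bytes to whatever sits behind the tunnel (e.g. a TCP proxy)."""
    seq, chunk = parse_query_name(qname, zone)
    return build_txt_rdata(seq.to_bytes(2, "big") + chunk)


def tunnel_roundtrip(payload: bytes, zone: str = TUNNEL_ZONE) -> tuple:
    """Client: split payload into queries, 'send' each, reassemble the echoed TXT answers.
    Returns (echoed_payload, query_names) so the wire-visible names can be inspected."""
    names, received = [], {}
    for seq, off in enumerate(range(0, len(payload), CHUNK)):
        qname = build_query_name(seq, payload[off:off + CHUNK], zone)
        names.append(qname)
        answer = parse_txt_rdata(server_handle(qname, zone))   # stands in for UDP send/receive
        received[int.from_bytes(answer[:2], "big")] = answer[2:]
    return b"".join(received[i] for i in sorted(received)), names


if __name__ == "__main__":
    echoed, names = tunnel_roundtrip(b"Hello from the other side of the captive portal." * 8)
    print(len(names), "queries, longest name", max(map(len, names)), "chars")
    print(names[0])
```

The per-query budget is what makes this a slow, chatty channel: about 110 payload bytes each way per round trip here, and every query is a fresh name the resolver has never seen, which is exactly the pattern a defender watches for.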
Don't have any to hand, and I've already posted. Volunteers?
Got time? Spend some of it coding or testing
The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.
Bruce Schneier has written about the value of cracking contests. Executive summary: they don't prove much.
His essay was focused on cryptanalysis at the time but since then Bruce has seen the light - principles that apply to cryptography narrowly apply to security broadly.
In excerpt:The last possibility is the most interesting, especially in today's security theater.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)