View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
August 2, 2004

Researcher says DNS can stream voice, control Trojans

A security researcher this weekend demonstrated how it is possible to use the Internet's domain name system protocols as a way to pass data through firewalls and to efficiently stream audio across the Internet.

By CBR Staff Writer

Building on the concept of tunneling, Avaya senior security consultant Dan Kaminsky showed a packed audience at the DefCon hacker’s conference in Las Vegas how DNS’s ubiquity permits some interesting tricks.

DNS is similar to HTTP in that firewalls generally ignore it, Kaminsky said. Protocols such as SOAP tunnel over HTTP for precisely this reason, which has given rise to a whole industry of HTTP-inspection firewalls and gateways.

DNS is such a permeable protocol, it’s let through by almost everybody, Kaminsky told ComputerWire. It’s been known for a long time you can use DNS to get out of networks… one of the things the research shows is how you can get back in.

Kaminsky did not demonstrate a way to compromise computers. Rather, he demonstrated how DNS queries can be used as a covert control channel into behind-the-firewall machines that have already had Trojan programs installed on them.

I know there is malicious code already out there that uses DNS as a control channel, Kaminsky said. His DefCon presentation referred to rumors of botnets of compromised machines. Such botnets need a way for their owner to control them.

These computers would listen for instructions in DNS messages, which would be less noisy and noticeable than other means. Botnets often to connect to Internet Relay Chat channels to receive instructions.

What Kaminsky demonstrated was a way to pass arbitrary data through firewalls, using the fact that firewalls generally don’t block or check DNS traffic, and that many DNS servers on the internet are very trusting.

Content from our partners
Sherif Tawfik: The Middle East and Africa are ready to lead on the climate
What to look for in a modern ERP system
How tech leaders can keep energy costs down and meet efficiency goals

In this scenario, the hacker sends a DNS query for a domain he controls to a DNS server controlled by the target network. This server sends the request back out into the internet, where it finds the hacker’s DNS server, which returns an address within the target network.

The target DNS server will pass the DNS query, with its control payload, to the Trojaned host on its own network. This technique requires the DNS server to be configured in a certain way, Kaminsky said, but there are other techniques that also work.

I’m not suggesting that people start blocking DNS, but at least they could start monitoring it for strange stuff, he said.

During the same address here in Las Vegas on Saturday, Kaminsky, who also goes by the name Effugas, received a big round of applause when he demonstrated live how to stream audio using DNS messages.

This hack involves a piece of custom-built server software that captures streaming audio in real time, then breaks it into chunks and encodes it, before storing it in the TXT (arbitrary text) field of a DNS record.

There’s enough space in this TXT field for about 880 milliseconds of 2Kbps audio, Kaminsky said. He demonstrated that this is sufficient to carry a comprehensible voice stream when using the Speex audio compression protocol.

A BIND DNS server can be configured to quickly rotate records, continually adding the next chunk of the audio. Some more custom software at the client side does rapid DNS lookups and reassembles the audio data from responses it receives.

Kaminsky said that he did not expect this technique to be useful, but it turns out to create efficiencies on the origin site’s bandwidth, due to how DNS records are normally cached at name servers around the Internet.

Kaminsky has made a collection of his DNS tools available for download at his website,

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.