Building on the concept of tunneling, Avaya senior security consultant Dan Kaminsky showed a packed audience at the DefCon hackers' conference in Las Vegas how DNS's ubiquity permits some interesting tricks.
DNS is similar to HTTP in that firewalls generally ignore it, Kaminsky said. Protocols such as SOAP tunnel over HTTP for precisely this reason, which has given rise to a whole industry of HTTP-inspection firewalls and gateways.
"DNS is such a permeable protocol, it's let through by almost everybody," Kaminsky told ComputerWire. "It's been known for a long time you can use DNS to get out of networks… one of the things the research shows is how you can get back in."
Kaminsky did not demonstrate a way to compromise computers. Rather, he demonstrated how DNS queries can be used as a covert control channel into behind-the-firewall machines that have already had Trojan programs installed on them.
"I know there is malicious code already out there that uses DNS as a control channel," Kaminsky said. His DefCon presentation referred to rumors of botnets of compromised machines. Such botnets need a way for their owner to control them.
These computers would listen for instructions in DNS messages, which would be less noisy and noticeable than other means. Botnets often connect to Internet Relay Chat (IRC) channels to receive instructions.
What Kaminsky demonstrated was a way to pass arbitrary data through firewalls, using the fact that firewalls generally don’t block or check DNS traffic, and that many DNS servers on the internet are very trusting.
In this scenario, the hacker sends a DNS query for a domain he controls to a DNS server controlled by the target network. This server sends the request back out into the internet, where it finds the hacker’s DNS server, which returns an address within the target network.
The target DNS server will pass the DNS query, with its control payload, to the Trojaned host on its own network. This technique requires the DNS server to be configured in a certain way, Kaminsky said, but there are other techniques that also work.
"I'm not suggesting that people start blocking DNS, but at least they could start monitoring it for strange stuff," he said.
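As an added example (not from the article or from Kaminsky's tools), a small Python detector in the spirit of the monitoring he suggests: it parses constructed, simplified BIND-style query log lines and flags base domains that receive many TXT queries or many distinct high-entropy subdomains, the traffic shape a DNS control channel produces. The log format, the thresholds and the domain names are assumptions made for the example.

```python
import math
import re
from collections import defaultdict
# Constructed resolver log in a simplified BIND "queries" channel style (made up; example.net is reserved).
SAMPLE_LOG = """\
client 10.0.0.12#51235: query: mail.example.com IN MX +
client 10.0.0.40#40001: query: 7xk2a9fq3mzl8vt1.c2.example.net IN TXT +
client 10.0.0.40#40002: query: q9d1lmxz5ebt2hwy.c2.example.net IN TXT +
client 10.0.0.40#40003: query: n3pv8rc6jsya0ukd.c2.example.net IN TXT +
client 10.0.0.40#40004: query: h5gt1zqx9wob4mfe.c2.example.net IN TXT +
client 10.0.0.40#40005: query: e8yl3bkn7drv2cpu.c2.example.net IN TXT +
client 10.0.0.13#51300: query: cdn.example.org IN A +
"""
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")
def parse_queries(log):
    """Return (client, qname, qtype) tuples for every line the regex matches."""
    matches = (QUERY_RE.search(line) for line in log.splitlines())
    return [(m.group(1), m.group(2).rstrip(".").lower(), m.group(3)) for m in matches if m]

def shannon_entropy(label):
    """Bits per character: encoded tunnel chunks score high, ordinary hostnames low."""
    n = len(label)
    return -sum(label.count(ch) / n * math.log2(label.count(ch) / n) for ch in set(label))

def base_domain(qname):
    # Simplification: the last two labels stand for the tunnel's zone (a real tool would use the public suffix list).
    return ".".join(qname.split(".")[-2:])

def score_domains(records, min_queries=5, txt_ratio=0.5, entropy_floor=3.5):
    """Per base domain: query volume, TXT share, entropy and uniqueness of the first label."""
    by_domain = defaultdict(list)
    for _client, qname, qtype in records:
        by_domain[base_domain(qname)].append((qname.split(".")[0], qtype))
    report = {}
    for dom, labels in by_domain.items():
        n = len(labels)
        txt_share = sum(1 for _, t in labels if t == "TXT") / n
        mean_entropy = sum(shannon_entropy(lab) for lab, _ in labels) / n
        unique_ratio = len({lab for lab, _ in labels}) / n
        # Flag meaningful volume that is mostly TXT (the payload-carrying type) or many distinct random-looking names.
        flagged = n >= min_queries and (txt_share >= txt_ratio or
                                        (mean_entropy >= entropy_floor and unique_ratio >= 0.8))
        report[dom] = {"queries": n, "txt_share": txt_share, "mean_entropy": mean_entropy,
                       "unique_ratio": unique_ratio, "flagged": flagged}
    return report

def flagged_domains(log=SAMPLE_LOG):
    """Sorted base domains the heuristics flag; on SAMPLE_LOG only example.net qualifies."""
    return sorted(d for d, m in score_domains(parse_queries(log)).items() if m["flagged"])
```

The thresholds are deliberately loose for a seven-line sample; on a real resolver they would be tuned per network and combined with a baseline of known CDN and anti-spam zones that legitimately produce high-entropy or TXT-heavy lookups.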
During the same address here in Las Vegas on Saturday, Kaminsky, who also goes by the name Effugas, received a big round of applause when he demonstrated live how to stream audio using DNS messages.
This hack involves a piece of custom-built server software that captures streaming audio in real time, then breaks it into chunks and encodes it, before storing it in the TXT (arbitrary text) field of a DNS record.
There’s enough space in this TXT field for about 880 milliseconds of 2Kbps audio, Kaminsky said. He demonstrated that this is sufficient to carry a comprehensible voice stream when using the Speex audio compression protocol.
A BIND DNS server can be configured to quickly rotate records, continually adding the next chunk of the audio. Some more custom software at the client side does rapid DNS lookups and reassembles the audio data from responses it receives.
Kaminsky said that he had not expected this technique to be useful, but it turns out to save bandwidth at the origin site, because DNS records are normally cached at name servers around the Internet.
Kaminsky has made a collection of his DNS tools available for download at his website, doxpara.com.