IP Tunneling Through Nameservers

I'm always interested in seeing protocols extended to do silly (and in many cases, not so silly) things that they were never intended to do. I've seen DNS extended to do a lot of crazy stuff, but until today, the coolest was DNS server based MUDs. Read on to read about an IP tunnel implemented through DNS. Its crazy.

FrodoID (for Skyp and FrodoID) writes "In many countries, it is possible to use the Internet completely free of charge using Microsft PPP dialin numbers. These numbers, of course, normally won't allow you to do this.

But did you know that you can build up a fullfeatured and even bidirectional IP tunnel through Nameservers? Yes, that's right: "IP-over-DNS".

Using some toll free numbers which normally only allow outgoing packets to some few chosen servers, you can now surf the internet - completely and doing everything you could do with your normal, fullfeatured internet account. Microsoft has some of those restricted, toll free numbers.

The reason is: Most of these Microsoft PPP dialins allow you to use a Nameserver. And DNS lookups are just another kind of communication between a server and a client - the client asking for information to the nameserver known to him, the server which has been asked forwards the information to another nameserver or directly to the nameserver responsible for the asked information, and the now contacted server answering through the same path back.

That still sounds very useless for tunneling, but think about encapsulating the IP packets into nameserver requests, and the answer contains the traffic of the other direction. The request would look something like a hostname lookup to "KJhjh33.dd_2sT-XXT.dAAoi_f.mydnstunnel.org" (you see, the traffic is being encoded to represent legal hostnames), the answer contains the payload in a TXT record. That way you can build a fully functional IP tunnel.

You just need a client and a fake nameserver - making up the two communication endpoints.

It was tricky - the DNS protocol seems a little bit chaotic and it only allows packets of 512 bytes - so you have to fragment. And it uses UDP and not TCP - so you have to implement some mechanisms to ensure that the fragments are reassembled correctly (you see, you basically need a protocol which reimplements some features of IP and TCP). Additionally, the client can "contact" the fake nameserver everytime it wants to send traffic out - but the server is only able to answer, never to send on it's own. So you need some polling, if you want it really bidirectional.

We called the protocol used to achieve all this the "NSTX Protocol", meaning "Nameserver Transfer Protocol". The uglyness of the DNS protocol (just look at the headers: no alignment and no padding!) and the fact that we tried to use it in a way it really never was designed for (after all, remember that DNS is more like a phonebook than a communication facility) didn't make the design and implementation of NSTX easier at all.

But finally, we've done it. And with a toll-free Microsoft PPP dialin number in Germany (which of course only allows the download of some patches etc.) it worked - surprisingly stable and not even slow.

Think about it - many companies have "closed" networks which also don't allow outbound connections, but they have a nameserver in the same network that can resolve any hostname out there. That way you could also use the tunnel to establish a bidirectional communication path between the secured network and the outside world, where it wouldn't have been possible.

For everyone who likes to play around with this new kind of tunnel that probably only few persons have ever thought of, just take a look at http://nstx.dereference.de where you can find the full source code. It implements a client and a fake nameserver for both tunnel endpoints of an "IP-over-DNS"-tunnel. Both use the Linux Ethertap device for giving you a tunnel network interface. The server is a fake nameserver fully compliant to the DNS specifications and the client issues the requests, also using intelligent timing mechanisms for polling queued traffic from the server.

Maybe security managers in companies should look if they have nameservers in places where they better shouldn't have.

And maybe you also like the idea of using the internet using a toll free Microsoft dialin number, completely at no charge."

Re:Just so that everyone knows, this may be for re

Wonder what wonders they'll come up with next.

A slashdot semi-hidden-sid [slashdot.org] tunnel! It could easily be anonymous, and it could be encrypted too -- pretty neat, huh? The only problem is that you could only send one message every 70 seconds. But if you had a class C if IP addresses available you might be able to post faster.

--

Re:Just so that everyone knows, this may be for re

You may have missed the Pigeon Tunnel as shown in RFC 2549.

Link Here. [isi.edu]

They CAN get you...

... with the same law they used to get Morris (author of the internet worm) and the virus writers. (Sorry, I don't recall the name of it at the moment.)

Unauthorized use of somebody else's computer resources, at least in the United States, is a federal felony. It has nasty penalties.

DNS servers are provided to perform DNS lookups. Using them as an IP tunnel is obviously far beyond their authorized use. It should be trivial to convince a jury that the conditions of the law are met.

And the law was in place and tested in court long before the DCMA was a gleam in the software industry's eye.

Just Like Collect Calling

Sounds exactly like the IP equivalent of declining a collect call from "Itsaboy Eightpounds".

Re:Perfect timing...

pb said: Babelfish is a proxy; you can use it to load blocked sites by having altavista do the heavy lifting.

Oh. Thanks, hadn't thought of it like that.

Still doesn't make it right -- we need to translate. We have several Russians at our main site, and we also have locations around the world.

The point of having Internet access shouldn't be what not to use. I don't use my work phone to call 900 numbers; I don't need to be told not to.

If an employee is wasting company time looking at porn, blocking his access isn't going to improve his performance. You have an individual problem -- a problem that his manager should have the balls and training to deal with.

When management gets weak, they start putting the thumbscrews to the employees.

"Praise in public, punish in private." Words to live by. Also "Don't punish the group." Break either of those rules and you're not a good manager.



OK, I'm done bitching but typing the above has given my brain time to react. So here's my idea: Babelfish should have a "http://babelfish.altavista.com/cyberpatrol" area (and ".../netnanny", etc.), which has that software's settings in it. Then companies could open their firewall to that subtree of BabelFish, so their employees could translate without masturbating.

Even better, they could create "http://babelfish.altavista.com/microsoft", for example, to have a portal with Microsoft Human Resources-blessed NetNanny/CyberPatrol settings. And only that subtree would be accessible to Microsoft employees through the Microsoft firewall.

You have to turn political to get anything done.

--

The bigger questions...

Egads. This story really raises many questions for me.

• Is there any useful, mainstream purpose to this or reason for taking the time to develop it? Or was it solely a "because we/I can" exercise?
• Is this really primary Slashdot story material? Like much of what is hacked out there, it strikes me as a minor (albiet clever), nearly useless end product with an extremely limited audience that might use it.
• Are there not a plethora of interesting, meaningful software projects out there that could use the talents of folks like this? Is it just a matter of hooking the two parties together somehow (clearly an entire Slashdot topic in and of itself, I realize)?
• Will the developers' next accomplishment (making Slashot headlines?) include something similarly as earthshaking, novel, and absurd as "Enlightenment on a Palm III!"

Slashdot clearly has a reader base of engineers, programmers, et. al., that is arguably part of the very top few percent of developers and professionals out there in terms of technical knowledge, talents, and abilities. But dammit, folks, sometimes you ought to ask yourselves "Should I spend my energies and time on this?" before too quickly (and I realize we're all guilty of this at times) diving into the Sea Of Details known as how.


Andy

Babelfish does NOT proxy graphical porn

Far from it, hun. Babelfish only translates the text. It does not translate the IMG tags other than to modify the source, so that the source still comes from the original site. Try to translate a porn site and "view image" on any of the graphics. Look at the URL for the graphic.

So while your pornographic novel might be translated to French for you, the actual image is blocked by your local Net Nanny.

I think the REAL reason Babelfish is blocked, is because it allows you to read all the foreign "dangerous opinions" that you're not supposed to know about. I mean... what would Americans do if they found out that Europeans have more vacation time than they do?

This is actually useful

There are quite a few countries (mostly in the Middle East) where most or all of the internet traffic runs through the government's censor/monitor servers that make CyberPatrol look like freedom. And when they come knocking on your door cause they don't like what you are posting they don't file injunctions, they execute you.

Take a look at this page [ijs.co.nz]. You'll see what has to be done to get a secure and free internet connection. Now imagine adding this DNS hack to the arsenel. Until the shortminded people monitoring you catch on, you don't have to worry about losing the open port you've been using and can spend more time covering your tracks and communicating your ideas to the free world (or downloading hot Arabian pr0n).

So it does have a use. And it is a nift hack.

Re:Just Like Collect Calling

Heh, so long as you don't get a real operator you're safe...

Operator: What Number?
Me: *plays dumb and keys in the number*
Operator: You have to say it hun...
Me: six one oh ...
Operator: Your Name?
Me: Come Pick Me Up
Operator: No, I want your real name..
Me(asian voice): Cum PackMup!
Operator: no no no, I want your *real* name!
Me: Cum PackMup, me no understandy
*click*

finally some free stuff from micro$oft

mmm free internet access from microsoft... guess we don't need MSN anymore :) i wonder when people will start distributing this hack by mass-mailing CDs to every home in the country.

Re:So where is the link...

Well, lemme try this karma-whoring thing out for a change (grin).

Link one: http://www.kanga.nu/arch ives/MUD-Dev-L/1998Q4/msg00164.php [kanga.nu]

Link two: http://www.samurai.com/list s/bryans-list-1998/0398.html [samurai.com]

I haven't tried it because I'm stuck on a windows box without a decent nslookup but it looks simple enough.

Just so that everyone knows, this may be for real.

There was this little item in Bugtraq that I stumbled across while trying to hit thier site (doing a Google search for "DNS tunnel")- seems someone previously did a demo of this exploit with the intents of putting in Phrack, deciding to put it up in Bugtraq instead.

Look here [neohapsis.com] for the info in question.

Letsee now...

HTTP Tunnel.
Mail Tunnel.
Now, DNS Tunnel.

Wonder what wonders they'll come up with next.

How about fingerd as the poor man's web server?!

In the early days of the web, our local paranoid sysadmin said "no, absolutely not" to running a web server (then, NCSA, well before apache). And official policy was that we (the users) not run it either on non-priveleged ports. Anonymous ftp was also banned. Our sysadmin was a true BOFH. However! The system *did* support finger. So I thought to put one and only one HTML page into my .plan file. And access it with a funky URL:

http://hostname.tld:79/\ userid

Note the space preceeding the userid.

Totally wrong protocol to send to finger yet it worked. The HTTP protocol sends a "GET / userid HTTP/1.0" to the finger daemon. Luckily fingerd supports multiple userid lookups at the same time. Naturally 'GET' and '/' and 'HTTP/1.0'resolve to invalid users, but userid retrieves the .plan file!

Since HTTP ignores stuff preceding the <HTML> tag, my web page rendered correctly! From a system where such things were prohibited! Woo hoo! In your face Woods (the sysadmin back then)! Of course, few people cared back then as the web was a whacked far out academic project. Gopher was the big thing back then. Blargh.

This is ridiculous!

You have to run this software as a nameserver. A fake nameserver, granted, but a nameserver nonetheless. To do this, you have to have a working bidirectional TCP/IP connection.

So, you can use this 31337 Xploit to gain free Internet access... assuming you're already paying for a static IP, and you just happen to know a telephone number that lets anybody in the world log in and use their DNS. Uhm. Yeah.

I guess this is cool just for the sheer niftiness of running data through DNS; I'm sure this will soon be implemented as yet another steganographic protocol, but this isn't too useful, even for ripping off Microsoft.

Not quite free, but can be "free" access anywhere

but the operators of this fake nameserver would completely saturate a T1 with only 46 simultaneous 33.6 connections.

But it would be useful if you had one of these set up, since then you could use it for your own "free internet access" in other cities if you travelled a lot.

Also, there is another useful application of this: If you set up the target location of one of these in another country, one that doesn't cooperate with foreign authorities in tracking people down, you could have a way to communicate with the rest of the world in an (almost) untracable way.

For example, Mr. A and Mr. B are planning a revolution in a totalitarian state. It's too dangerous for them to use standard internet access, since it can be traced right back to them.
Instead, they get one of these DNS tunnels set up in some country that has no ties (or, even better, animosity) with their current country.
Then Mr. A and Mr. B can call up toll free numbers in various countries and transfer email back and forth in untracable ways to organize the revolution.

Damn! What a cool hack!

I've heard of IP over uucp email, but this is really, really clever. Only, if you were running the server side of things, presumably, you could be traced. So, you would NOT want to use a server you owned. Who would set these up? Or does one rely on being able to compromise some host where the root password is "secret"?

Don't get me wrong, I am all for maximizing the available anonymity of the net, but we really need a hack that has the same effect, but which uses a standard server.

All in all, I'll buy the person who though of this a beer any time he or she is in town...

Re:So basically....you're wrong

This sort of technology is an incredible boost to internet security. If this thing gets wide spread usage it will only cause the companies to start designing their networks properly instead of a loose hodgepodge of equipment which most companies have. Your whole spiel about being legitimate is a good point, BUT, whats the point of being legitimate if the "legitimate" people are creating crap.
I for one applaud all sorts of cracking and abuse on the internet because it only leads to a better stronger entity. The more people go about messing with everyone elses equipment/software the more those people will improve on their goods. Its called natural selection. Those companies that cannot make a better piece of equipment/software will fail and die. Which is how it should be in a capitalist economy. There is no point in a company succeeding through shoddy gear.

My piece is said.