Forgot your password?
typodupeerror
The Internet

IP Tunneling Through Nameservers 175

Posted by CmdrTaco
from the surfing-for-free dept.
I'm always interested in seeing protocols extended to do silly (and in many cases, not so silly) things that they were never intended to do. I've seen DNS extended to do a lot of crazy stuff, but until today, the coolest was DNS server based MUDs. Read on to read about an IP tunnel implemented through DNS. Its crazy.
FrodoID (for Skyp and FrodoID) writes "In many countries, it is possible to use the Internet completely free of charge using Microsft PPP dialin numbers. These numbers, of course, normally won't allow you to do this.

But did you know that you can build up a fullfeatured and even bidirectional IP tunnel through Nameservers? Yes, that's right: "IP-over-DNS".

Using some toll free numbers which normally only allow outgoing packets to some few chosen servers, you can now surf the internet - completely and doing everything you could do with your normal, fullfeatured internet account. Microsoft has some of those restricted, toll free numbers.

The reason is: Most of these Microsoft PPP dialins allow you to use a Nameserver. And DNS lookups are just another kind of communication between a server and a client - the client asking for information to the nameserver known to him, the server which has been asked forwards the information to another nameserver or directly to the nameserver responsible for the asked information, and the now contacted server answering through the same path back.

That still sounds very useless for tunneling, but think about encapsulating the IP packets into nameserver requests, and the answer contains the traffic of the other direction. The request would look something like a hostname lookup to "KJhjh33.dd_2sT-XXT.dAAoi_f.mydnstunnel.org" (you see, the traffic is being encoded to represent legal hostnames), the answer contains the payload in a TXT record. That way you can build a fully functional IP tunnel.

You just need a client and a fake nameserver - making up the two communication endpoints.

It was tricky - the DNS protocol seems a little bit chaotic and it only allows packets of 512 bytes - so you have to fragment. And it uses UDP and not TCP - so you have to implement some mechanisms to ensure that the fragments are reassembled correctly (you see, you basically need a protocol which reimplements some features of IP and TCP). Additionally, the client can "contact" the fake nameserver everytime it wants to send traffic out - but the server is only able to answer, never to send on it's own. So you need some polling, if you want it really bidirectional.

We called the protocol used to achieve all this the "NSTX Protocol", meaning "Nameserver Transfer Protocol". The uglyness of the DNS protocol (just look at the headers: no alignment and no padding!) and the fact that we tried to use it in a way it really never was designed for (after all, remember that DNS is more like a phonebook than a communication facility) didn't make the design and implementation of NSTX easier at all.

But finally, we've done it. And with a toll-free Microsoft PPP dialin number in Germany (which of course only allows the download of some patches etc.) it worked - surprisingly stable and not even slow.

Think about it - many companies have "closed" networks which also don't allow outbound connections, but they have a nameserver in the same network that can resolve any hostname out there. That way you could also use the tunnel to establish a bidirectional communication path between the secured network and the outside world, where it wouldn't have been possible.

For everyone who likes to play around with this new kind of tunnel that probably only few persons have ever thought of, just take a look at http://nstx.dereference.de where you can find the full source code. It implements a client and a fake nameserver for both tunnel endpoints of an "IP-over-DNS"-tunnel. Both use the Linux Ethertap device for giving you a tunnel network interface. The server is a fake nameserver fully compliant to the DNS specifications and the client issues the requests, also using intelligent timing mechanisms for polling queued traffic from the server.

Maybe security managers in companies should look if they have nameservers in places where they better shouldn't have.

And maybe you also like the idea of using the internet using a toll free Microsoft dialin number, completely at no charge."

This discussion has been archived. No new comments can be posted.

IP Tunneling Through Nameservers

Comments Filter:
  • Maybe someone outta extend this and write a napster client that'll use DNS ... so it can get around napster blocks ... tho i guess it mite be a bit slow ... and you could really only use it for getting mp3s ... it still would be awesome.
  • Because it translates websites you could tell it to translate your favorite porn site. Then you'd be able to see porn even with the porn-blocker in place.
  • Yeah, well Microsoft only provides these free numbers for people to download updates, so they only need to contact Microsoft's servers. So there's no reason why their DNS would need to forward requests, or even be connected to the Internet.
  • Additionally, you can tunnel a response by the binary encoded "yes/no" response - one bit at a time.

    Perhaps you could squeeze more bits into the datastream by timing the delay in response.
  • Shit. Forgot a "yes" response will actually cost you money. But encoding your data into the response delay would still work.

    OR - You could place a collect call back in reverse! I suppose you don't need a payphone to do this.

    hahahaha. How cheap can you get?
  • Huh? What are you worried about? How would you get in trouble for running a piracy site that allows downloading from a server you own? If anything, people actually downloading warez and accessing the latest child-Pr0n on your server might get in trouble, but I don't see how you would.

    - Steeltoe
  • The Email Bounce File System (EBFS)

    It works like this: You break data up into 100k packets and send them to integrity@microsoft.com. You then have a program waiting for the bounces which picks them up when they come back (the bounced packets) and sends immediately sends them on again. Sure - the latency isn't wonderful, but it's infinitete bandwidth! And it even supports Raid-5.


    Nice idea... but Microsoft doesn't bounce mail; if the email address doesn't exist, it just gets swallowed.

    Simon
  • There are situations like this anywhere...

    For instance Inland Revenue (UK version of IRS) billed me £2.00 I paid by cheque happily knowing that it would cost them around £100 to process it....

    Big companies and organisations are dumb. Basically this is because these days the computers run the humans.

    The computers says: "we are owed £0.02, collect. Expense is irrelevant"

    The operator says "Hm, more than my jobsworth to refuse to do that."

    Sad really.
  • You still need to register a domain name (in this case, mydnstunnel.org), and you need a DNS server with a permanent connection.

    These things cost money.
  • Ummm you already can run napster over this. Just connect your windoze box (or vmware) to your linux box and have linux do some NAT routing over the virtual device.

    Anyway why dont u just run napster on the machine that you were going to run your fake nameserver on and be done with it?
  • by dingbat_hp (98241)
    It's a Hack, in the classical sense. Of course it's a good thing.
  • But I managed to IP tunnel through spam. Seriously. You rely on a the laws of probability to ensure that a few people reply to the "remove me" link and inadvertently transfer data embedded in the message.

    Clueless newbies on AOL become the wiring in your very own highly obfuscated communication link. Kind of interesting from a philosophical viewpoint - people literally becoming part of the machine.

    Not very good ping times though....
  • That one didn't work for me exactly. It needed a little something in the while loop. After I added '' it worked great... here's my rendition:

    dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(){print pack("H32",$_)}' | gzip -d

    Neat way of distributing, I must say. :)
  • dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(<>){print pack("H32",$_)}' | gzip -d

    And now I see why it didn't come out right... ok, this one works (the '< and >' were being interpreted as HTML tags).
  • You're not making any sense...
    It sounds to me like you're one of them programmers who went to school just to have a well-paying job. Let me ask you this: Do you have an Ethernet network in your house hooked up to the internet via DSL? Do you spend hours late at night reading source code to figure out how the heck a program works? Do you end up spending money on gizmos you dont really need just to take them apart and see how they work? Do you get a rush out of something you achieve and know it hasn't been done before? That's what hackers are all about. i believe that /. targets geeks and hackers mostly. If your dream is to develop enterprise web software on a Microsoft IIS/NT system, this is not the place for you.
    Again, no hard feelings, but I think your frustration comes from not fitting in.

    --------------
  • by Anonymous Coward
    The company I work for recently started charging $0.25 for soda and juice. I laugh everytime I get one because with the fairly long walk to the machine, I get paid about $4.00 to get myself a refreshment. And now I have to go six times as often since I can't conveniently grab a six pack anymore. You gotta love people for the same reason you gotta love fish. Because they're stupid.
  • Now, this is truly a "moby hack" and I'm very impressed. It strikes me that Microsoft (or whoever is providing the telephone line) could simply filter out DNS requests that aren't trying to find one of their servers.

    "they beam this information everywhere, all through the fucking air. You just gotta know how to grab it. Just got to know how to grab it." --Heat

  • Wonder what wonders they'll come up with next.

    A slashdot semi-hidden-sid [slashdot.org] tunnel! It could easily be anonymous, and it could be encrypted too -- pretty neat, huh? The only problem is that you could only send one message every 70 seconds. But if you had a class C if IP addresses available you might be able to post faster.

    --

  • So, you can use this 31337 Xploit to gain free Internet access... assuming you're already paying for a static IP, and you just happen to know a telephone number that lets anybody in the world log in and use their DNS. Uhm. Yeah.

    Well, it could be useful while travelling if you have a high-bandwidth computer at home. And anyway, who wouldn't give up 97% of their bandwidth just to use up Microsoft's resources?

    --

  • This sounds like a cool hack but
    If you dial in from here in the united states the number the call was placed from will be loged.
    Some fool will be dialing in from home, and the next thing that happens will be the man knocken on the door
  • Maybe Microsoft can bill the DNS server for the service.
  • by Orgasmatron (8103) on Sunday September 10, 2000 @06:07PM (#789679)
    You may have missed the Pigeon Tunnel as shown in RFC 2549.

    Link Here. [isi.edu]
  • Neat. I guess I should document and make available all the Evil Things (patent pending) I've done over the years:

    "Knight Rider" LED mode on a DEC terminal keyboard - prolonged execution tended to lockup the workstation

    IP over ICMP tunnel - done as a joke. You think IP over DNS is wicked...

    TCP connection flash start hack - instantly steal the connection from any other machine on the same network.

    NFS mass mounter - I actually locked up an AFS server with that one. (It's their own fault for using the AFS to NFS translator. Even Transarc runs when those words are spoken.)

    SCSI-IP - Yes, that's actually doable.

    dir-crusher - *grin* interesting utility to make huge directories. Eat someone's entire disk quota with a single empty directory. (That one almost killed an AFS server too.)

    And my personal fav...

    "NO CARRIER" ping - *evil grin* properly phrased ICMP echo packet with "+++ATH0" in it so the echo reply would hang up the user's modem. That doesn't work anymore -- modem speeds are too fast and most modems have a guard time.
    (It's too bad I didn't know the SDL flash start codes for USR modems then :-) And yes, those work at any speed and can lockup both user and ISP modems.)

  • was that after the food service company or the software company?
  • That's not a "tunnel" per se. It's a protocol: Clay Tablet by Carrier Pigeon. Too bad they are an endangered species -- too many lost tablets I guess. *grin*
    • mainstream: not particularly
    • because we can: mostly
    • slashdot material: definitely.
    • meaningful project: yes, there are lots of meaningful projects. Perhaps you should work on one now, rather than post to the timesuck which is /.
    • enlightenment on a palm iii: I'd love to see this, mostly for the hardware hacks which would have to be accomplished first.

    If you've never wasted time on a technical project solely because you wanted to see if you could do it, then you probably aren't that good of a geek anyway. I think most geeks have done some ludicrously unproductive things solely as mental exercises or even just as jokes. Who cares? If you want them to be productive then start a company and hire them. Until then, no, you're not their manager.
    ----------------------------

  • I did this as a joke years ago... old firewalls used to let ICMP traffic through unchecked. I might still have the changes to Linux *cough*1.0*cough* to do this.
  • search for http tunnel on freshmeat, can't be to hard...
  • This reminds me of the NCSU Telecommunications Office billing be for $0.00 - yes, -zero-. I threw it in the trash thinking nothing about writing them a check for $0.00. One week later I got a past due, pay this or we cut off your phone, bill again. I walked over to the Telecom office and wrote the b****es a check for $0.00. They never sent me another bill. Ever.
  • by Ungrounded Lightning (62228) on Monday September 11, 2000 @12:27PM (#789688) Journal
    ... with the same law they used to get Morris (author of the internet worm) and the virus writers. (Sorry, I don't recall the name of it at the moment.)

    Unauthorized use of somebody else's computer resources, at least in the United States, is a federal felony. It has nasty penalties.

    DNS servers are provided to perform DNS lookups. Using them as an IP tunnel is obviously far beyond their authorized use. It should be trivial to convince a jury that the conditions of the law are met.

    And the law was in place and tested in court long before the DCMA was a gleam in the software industry's eye.
  • I've got a thought to bounce off of all of you:

    Lots of small business use the DNS from an ISP, etc. I know some of the ones in my area and people i've consulted for that have their own router in their office, use private ip addresses (192.168.x.x, etc) but an outside DNS server. Most DNS servers can be reached from the public network, so what would stop someone from sending a request for a private network IP to the DNS server in question?

    For example, lets say there's a server on 192.168.1.1 in some guy's office. The router is set up to possibly masqurade, but allow a full connection to the ISP's DNS from the local server. Now using this concept, you could send a packet into the DNS requesting 192.168.1.1. The DNS server (i believe) will send it straight into the private network.

    By my logic, you can basically make a VPN though anyone's private DNS.

    --Justin
  • You ask
    is this really primary Slashdot story material? Like much of what is hacked out there, it strikes me as a minor (albiet clever), nearly useless end product with an extremely limited audience that might use it.

    That sounds just like Linux so of course it's a slashdot story ;-)

  • The DNS (which is over UDP) is only transmitting IP packets, and it doesn't matter if some get lost. But in those IP packets (that are going over DNSUDPIP), there are tcp headers. And they give the computers on both ends the chance to make the transmission reliable. So the original poster is right, it doesn't have to be reliable...
  • I do the exact same thing. This is why I will always advocate ISDN: access to Q931 signalling data is heavenly. (No phone rings and no one is billed because the SETUP message is refused.)

    I also like being able to tell people they have the wrong number (by name) when they call. I do a reverse lookup on the number or refuse everything that doesn't have a number. That freaks people out.
  • It's free because the person doing it doesn't have to pay for it. Someone will have to pay for it, but as long as it's not us, who cares?! We all deserve free internet access, especially at the expense of Microsoft. It's perfect! <sarcasm off>
  • Is there any useful, mainstream purpose to this or reason for taking the time to develop it? Or was it solely a "because we/I can" exercise?

    "Because we can" exercises are often valuable. Science is largely dependent on them. You never know what will turn out to be useful.

    Is this really primary Slashdot story material? Like much of what is hacked out there, it strikes me as a minor (albiet clever), nearly useless end product with an extremely limited audience that might use it.

    This could represent a serious security hole, given a little thought. It's worth knowing about simply for that.

    Slashdot clearly has a reader base of engineers, programmers, et. al., that is arguably part of the very top few percent of developers and professionals out there in terms of technical knowledge, talents, and abilities.

    I don't think that is nearly as true as it used to be. From what I can tell, not many people look to SlashDot any more for useful technical information (I know I don't). If there were more articles like this, the slide might be halted.

  • by Cato (8296)
    The original poster is probably talking about firewall administrators who have noticed more DNS traffic through their firewalls than normal - hence someone may be using this technique.

    This does illustrate the need for trend-based traffic monitoring (a la Concord) and even security-driven bandwidth restrictions - e.g. only allow your DNS traffic to increase by 50% in one day, or some such heuristic. These wouldn't necessarily stop such a covert tunnel but they would make it easier to find one, and slower to use one, giving the security admins more time to trace what is happening.

  • Nice hack, sadly most newer netscapes won't allow access to port 79 :-(.
  • Remember those tee shirts that said "IP over everything!" Those rocked. Anyone know where I can get one now?


  • DNS service has always been a fairly open, cooperative system; one envisions broad swathes of net unwilling to DNS serve strangers, in reaction to a percieved expoit.

    Like most good science these days, it's a beautiful idea and praxis - and has implications far beyond the original application...some exciting, glorious...some dark and forboding...

    heh. heh.
  • by dorzak (142233)
    That may explaine some recent things I have heard of. I know of at least 3 networks who have seen higher than normal loads on their DNS servers.

    It may not be up to playing quake but for playing a MUD, or getting e-mail it would be great.
  • Perhaps someone working for aol/compuserve can sneak it on their promo cd's
    In no time every single person on the whole planet will have at least ten copies for free.
  • ...for those DNS-based MUDs?

    - Ololiuhqui

    redheaded giant

  • by hanway (28844) on Sunday September 10, 2000 @06:10PM (#789702) Homepage
    Sounds exactly like the IP equivalent of declining a collect call from "Itsaboy Eightpounds".
  • What the f[s]ck is pornographic about foreign language translations?!!??!

    I believe the reasoning is that you could use the "Translate Web Page" option on BabelFish [altavista.com] to translate a porno site's page. Then, since the URL of the page you load comes from babelfish.altavista.com and not blockedpornsite.com, it gets past the filter proxy. What you get back is a page with a bunch of porno pics and some translated text, without setting off the filter proxy.

    So, I'm sure that's the suits' reasoning behind it. Of course, it's completely stupid, since there is a huge legitimate use for BabelFish (actually translating pages or text!). I don't agree with this decision at all, but I'm 99% sure it's why they chose to do so.

    BTW, good luck trying to convince them to remove CyberPatrol or, even better, get CyberPatrol to deblacklist BabelFish. But just think of all the warm fuzzies you'll have knowing that your inability to translate foreign languages is Protecting The Children (TM).


    --

  • This DNS tunnel is neat, especially since I have always been a fan for HTTP tunnels. The only reason to build a tunnel is to circumvent security. But one must remember the hacker ethic:

    It's ok to get around a little security in order to get more work done

    One great example of this is in a paranoid school or company that firewalls outgoing traffic. They allow telnet, but not SSH. My home machine only accepts SSH. (for obvious reasons) A little tunneling, and presto, I can secure shell to my home computer.

    Especially nifty is using http tunnel to establish a secure shell then using the secure shell to tunnel other protocols with encryption

  • Couldn't you hack out a pseudo-driver to pull tcp emulation over the udp connection , i.e. encapsulating the pseudo-driver's tcp request and shooting it through the program sending the udp datagrams and providing some error control. Then just make sure that both sides have regular querying so it goes both way's? That way almost all programs out there could use it, albiet slow and you may have to play around with some timeout values but it should work. Maybe call it the fums0 pseudo device?
  • by Thing 1 (178996) on Sunday September 10, 2000 @06:18PM (#789706) Journal
    pb said: Babelfish is a proxy; you can use it to load blocked sites by having altavista do the heavy lifting.

    Oh. Thanks, hadn't thought of it like that.

    Still doesn't make it right -- we need to translate. We have several Russians at our main site, and we also have locations around the world.

    The point of having Internet access shouldn't be what not to use. I don't use my work phone to call 900 numbers; I don't need to be told not to.

    If an employee is wasting company time looking at porn, blocking his access isn't going to improve his performance. You have an individual problem -- a problem that his manager should have the balls and training to deal with.

    When management gets weak, they start putting the thumbscrews to the employees.

    "Praise in public, punish in private." Words to live by. Also "Don't punish the group." Break either of those rules and you're not a good manager.



    OK, I'm done bitching but typing the above has given my brain time to react. So here's my idea: Babelfish should have a "http://babelfish.altavista.com/cyberpatrol" area (and ".../netnanny", etc.), which has that software's settings in it. Then companies could open their firewall to that subtree of BabelFish, so their employees could translate without masturbating.

    Even better, they could create "http://babelfish.altavista.com/microsoft", for example, to have a portal with Microsoft Human Resources-blessed NetNanny/CyberPatrol settings. And only that subtree would be accessible to Microsoft employees through the Microsoft firewall.

    You have to turn political to get anything done.

    --

  • Apparently the number six translates into a questionable word in some languages. I must be protected from offensve numbers as a voter.
  • Is there any useful, mainstream purpose to this or reason for taking the time to develop it? Or was it solely a "because we/I can" exercise?
    Sure. I do believe the authors illustrated the use in their original posting.

    The reason? Why do you need a reason to play around with stuff like this? It's their time, they can do what they want with it.

    Is this really primary Slashdot story material? Like much of what is hacked out there, it strikes me as a minor (albiet clever), nearly useless end product with an extremely limited audience that might use it.
    It's Cool Shit. I thought it was interesting. There's gotta be a couple hundred other people who thought the same.

    I think that makes it postworthy.

    Are there not a plethora of interesting, meaningful software projects out there that could use the talents of folks like this? Is it just a matter of hooking the two parties together somehow (clearly an entire Slashdot topic in and of itself, I realize)?
    *shrug* There's nothing quite like programming for yourself to take the strain off your mind when you've been working for weeks on another project.
    Will the developers' next accomplishment (making Slashot headlines?) include something similarly as earthshaking, novel, and absurd as "Enlightenment on a Palm III!"
    I'm not sure how you'd get e's memory footprint small enough, but... It'd be cool.
  • bounce port 443 to 22, use ssh-tunnel.pl (http://www.squirrel.com/squirrel/ssh-tunnel.pl)

    why bother messing about with your transport when most web proxies hand you a circuit-level gateway for free? all you need is the perl script to negotiate with the proxy and hand your SSH client the connection. then forward, say, SOCKS traffic over the SSH link, or whatever.

    even more fun, of course, is inbound port forwarding -- leave WinVNC running on your workstation and connect into it from anywhere in the world as if there wasn't a firewall.

    most web proxies use a 2 or so minute timeout on inactive SSL connections, so forward X11 and put a proper clock on your corporate desktop.

    why hasn't anyone noticed this yet?
  • It doesn't really do a good job of being a proxy as it only translates text. Anonymizer [anonymizer.com] does a better job IMHO.

  • No. He's 'tunnelling' IP through DNS.
    As the IP tunnel contains both tcp, udp, and whatever else they want, then there is no reason to add your own sequencing; you are using TCP within the tunnel; and tcp will deal with any packet loss occurring at a lower layer (DNS/UDP) within the tunnel.

    What you end up with is ip(udp(dns(IP(TCP)))).
    lower-case indicates public protocols. upper case indicates tunnel contents.

    So dns is effectively acting as layer 2 as far as the encapsulated IP is concerned. So packet loss at DNS is not relevant, it would be seen as no different than packet loss due to ethernet or any other lower layer protocol.
  • If you can speak german, you should buy the c't.
    Unfortunately the article is not online.
  • Huh? What are you worried about? How would you get in trouble for running a piracy site that allows downloading from a server you own? If anything, people actually downloading warez and accessing the latest child-Pr0n on your server might get in trouble, but I don't see how you would.

    That was a completely specious argument. I can't see how running a DNS server that allows tunneling violates any law. Replacing the entire issue at question with an activity known to be illegal is not a valid analogy, it is simply asserting that you are correct.

    The key distinction here is that with a warez site, the action of downloading from the server inherently violates the law, and causes the server operator to violate the law by distributing the warez. However, there is nothing about tunneling that inherently violates any law. The people calling Microsoft PPP dialups and tunneling through your DNS might be violating some law about unauthorized use of computers, but that's hardly clear cut, since nobody's breaking into Microsoft's system.

    Obviously, if you were acting in concert with the people using Microsoft's dialups, and those people broke the law, you would be their accomplice, but I thought that went without saying. If you just set up one of these servers for the hell of it (or to bypass your firewall at work), and somebody uses it to do something illegal, I don't see why you'd be responsible. You can't possible know which IP addresses are from Microsoft dialups. Someone might call you negligent, but many admins do far more negligent things (like leave open mail relays) without being legally responsible for the resulting problems.

    More to the point, if someone uploads a bunch of warez to the incoming directory of your non-warez ftp site, and people download them, and you truly don't notice, you're not going to be sued for copyright infringement.

  • Still doesn't make it right -- we need to translate. We have several Russians at our main site, and we also have locations around the world.

    So use another translator site, like translator.go.com [go.com] instead!

    --

  • you just happen to know a telephone number that lets anybody in the world log in and use their DNS. Uhm. Yeah

    That's nothing. There is a certain modem manufacturer (I will not name) that used to allow total Internet access through their test line, no fancy DNS hack required. Of course they didn't advertise that fact. I was connected to it and tried typing in a regular URL into the browser, and whaddya know--it worked. The test line remained active for at least several months, and may still be active for all I know. It was never terribly difficult to connect to it, so it was presumeably not abused. I offer that as living proof that security through obscurity is at least marginally effective.

  • not exactly IP, but still damn cool:
    http://sunsite.auc.dk/RFC/rfc/rfc1217.html
  • <I>So I thought to put one and only one HTML page into my .plan file. And access it with a funky URL: http://hostname.tld:79/\ userid</I>

    Alas, it doesn't work if your finger performs an identd lookup (like on my Debian system). It also only works if your web browser passes the space through unaltered; my Mozilla replaces it with %20. But a neat trick, nonetheless.

    But for clandestine web servers... in most cases you need go no further than good ol' gopher, commonly known as the Web that Didn't Make It. All web browsers I've seen today support the gopher protocol; hardly anybody knows about it so your cable provider's HTTP-server detectors won't pick it up; it only supports plain text and menus, but hey, in most cases that's a bonus. Support your local gopher!
  • This is a pretty worthless idea. It relies on you having control of a machine which is capable of serving ns requests. Instead of hacking a ns daemon to do the dirty work the far more obvious and workable approach is to have some other daemon listening on port 53 at the remote end.

    Any filtering being done will either be on the dialup box (Ascend TNT, Bay 5399, etc) or on the router it hangs off (Cisco 2500, 7200, Bay^Wno one uses bay routers, whatever other vendor). The filters in these things will recognise port and type (udp/tcp), they cannot recognise the application protocols encapsulated within the packets.

    If 53/tcp is allowed through the filters you're set - sshd on the remote end listening on port 53 and you can happily run pppd through a secure session. (or telnet instead of ssh if you wished)

    If it's not, then find/make something that will use udp port 53. This is pretty much the same in effect, difference being you're implementing tcp-like reliability within your application.

    Either way, it's better than dealing with the overhead of dns.
  • I had a similar setup on my home machine when I had ISDN. I'd call the machine (on its own MSN, so phones in the house wouldn't ring) and it wouldn't pick up. Instead it would check the caller's number and if it was my cellphone, the machine would go online and post its ip address somewhere I could get at it.
    --
  • We all deserve free internet access

    Just like we all deserve free phone service and free cable access.

    You can get free Internet access now without stealing it. It may not be as fast, nice, or convenient as paid for Internet access, but sometimes in life, to get something of higher quality, you may have to pay a little more. (My apologies for sounding like a troll)

  • Not really a faq, but httptunnel [it's on nocrew.org somewhere] does wonders through my university's CS labs proxy. Our web access is restricted [no non-.nz sites], and as I've got a cable modem with static IP at home, more recently I've been reading slashdot from there via HTTP over SSH over HTTP :)

    Note that you really do need that SSH in there to do port forwarding, because httptunnel will only allow one connection at a time.

    --
  • You could also set up SSL telnet. It's probably not as secure as SSH, but mine does a 512-bit secure key exchange on connection (really need to make that be 1024). Not all clients support it, but if they do, you can do secure comm through telnet.

    Of course, you could also just put ssh on port 23. If there's nothing there, nothing lost by putting ssh there.

    Or you could do a one-time key thing with usernames/passwords then establish a secure connection after login if need be (I personally don't really care if someone reads my email/ICQ/AIM/IRC in transport, that being what I do through such connections anyways). Mmm, tunelling through telnet...
    ---
  • Hey, I completely agree; the same arguments apply in the home, too. (manager->parent; employee->child)

    There are a couple of other solutions, too. If you actually filter incoming *content*, then you can block what actually gets to the user; this could be done by having a proxy/firewall for the business, and only allowing web access to that. (unless you implement, say, a DNS/HTTP tunnel, or something equally ludicrous. ;)

    The problem with that is, content filtering doesn't work very well. Often, people can't correctly identify or distinguish offensive material from art or literature, or have differing opinions, ("Huckleberry Finn", for example; I say it is literature, and relatively accurate period historical fiction; other people obviously don't know enough about the period...) so you really can't expect a computerized regexp parser to be even *that* good. ...and when it comes to analyzing, identifying and parsing images, well, a 5-year-old does a better job of that, still.

    Therefore, we've already shown that filtering by URL often doesn't work, and accurate content filtering is pretty much impossible with today's technology, so it's gonna be unfair, and it's not the answer.

    However, I believe you can buy software like babelfish from SYSTRAN [systransoft.com], so suggest that to your boss instead. Heck, it'd probably be quicker to do it locally, and more full-featured as well.
    ---
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
  • Actually, adding your own sequencing should not be necessary, as mentioned here. You do not need to guarantee delivery; tcp will take care of that.
    All you need is a somewhat reliable packet delivery system.
  • Well, if someone sets up a DNS server somewhere with a static IP and runs this NSTX protocol on it, and gives out its IP, then anyone an access the internet through PPP dialups anywhere. No one said the server running the tunnelling protocol has to be YOUR server.

    Spyky
  • by apk (120253) on Sunday September 10, 2000 @06:40PM (#789733)
    Egads. This story really raises many questions for me.

    • Is there any useful, mainstream purpose to this or reason for taking the time to develop it? Or was it solely a "because we/I can" exercise?
    • Is this really primary Slashdot story material? Like much of what is hacked out there, it strikes me as a minor (albiet clever), nearly useless end product with an extremely limited audience that might use it.
    • Are there not a plethora of interesting, meaningful software projects out there that could use the talents of folks like this? Is it just a matter of hooking the two parties together somehow (clearly an entire Slashdot topic in and of itself, I realize)?
    • Will the developers' next accomplishment (making Slashot headlines?) include something similarly as earthshaking, novel, and absurd as "Enlightenment on a Palm III!"
    Slashdot clearly has a reader base of engineers, programmers, et. al., that is arguably part of the very top few percent of developers and professionals out there in terms of technical knowledge, talents, and abilities. But dammit, folks, sometimes you ought to ask yourselves "Should I spend my energies and time on this?" before too quickly (and I realize we're all guilty of this at times) diving into the Sea Of Details known as how.


    Andy
  • "For everyone who likes to play around with this new kind of tunnel that probably only few persons have ever thought of"

    Please read any firewall-piercing-FAQ. I've personally seen a secure shell implemented over DNS queries in 1996 and it wasn't anything even then.
  • by elgardo (117823) on Sunday September 10, 2000 @06:43PM (#789749) Homepage
    Far from it, hun. Babelfish only translates the text. It does not translate the IMG tags other than to modify the source, so that the source still comes from the original site. Try to translate a porn site and "view image" on any of the graphics. Look at the URL for the graphic.

    So while your pornographic novel might be translated to French for you, the actual image is blocked by your local Net Nanny.

    I think the REAL reason Babelfish is blocked, is because it allows you to read all the foreign "dangerous opinions" that you're not supposed to know about. I mean... what would Americans do if they found out that Europeans have more vacation time than they do?
  • by crisco (4669) on Sunday September 10, 2000 @06:45PM (#789750) Homepage
    There are quite a few countries (mostly in the Middle East) where most or all of the internet traffic runs through the government's censor/monitor servers that make CyberPatrol look like freedom. And when they come knocking on your door cause they don't like what you are posting they don't file injunctions, they execute you.

    Take a look at this page [ijs.co.nz]. You'll see what has to be done to get a secure and free internet connection. Now imagine adding this DNS hack to the arsenel. Until the shortminded people monitoring you catch on, you don't have to worry about losing the open port you've been using and can spend more time covering your tracks and communicating your ideas to the free world (or downloading hot Arabian pr0n).

    So it does have a use. And it is a nift hack.


  • Forget about free dial-up access, this has other wonderful uses, such as bypassing corporate firewalls.

    If you're on an internal network, no matter how protected it may be by firewalls, routers, etc., as long as you can make DNS queries to public systems, you can tunnel out. Combine this with ssh and you've got yet another way for internal data to untraceable escape your network.

    I can imagine lots of network managers getting a headache after reading this and rushing to review their firewall rules.

    The next step would be to see how this might work through an intermediary DNS server in cases where you can only access an internal name server which is the only system allowed to query external nameservers. Might need a ttl of 0 though, don't know if that would be respected.

  • by linuxonceleron (87032) on Sunday September 10, 2000 @06:54PM (#789755) Homepage
    Heh, so long as you don't get a real operator you're safe...

    Operator: What Number?
    Me: *plays dumb and keys in the number*
    Operator: You have to say it hun...
    Me: six one oh ...
    Operator: Your Name?
    Me: Come Pick Me Up
    Operator: No, I want your real name..
    Me(asian voice): Cum PackMup!
    Operator: no no no, I want your *real* name!
    Me: Cum PackMup, me no understandy
    *click*

  • why don't you just run a ssh daemon on your home machine, on a port that they do allow, like the telnet or http one?
  • Where do you work? Just curious...
  • Even better, they could create "http://babelfish.altavista.com/microsoft", for example, to have a portal with Microsoft Human Resources-blessed NetNanny/CyberPatrol settings. And only that subtree would be accessible to Microsoft employees through the Microsoft firewall.
    Microsoft's an odd choice for that example. They're actually one of the more enlightened employers out there.
    Microsoft only screws its customers, it treats employees quite well.
    Pity the 3 main campuses are in the middle of nowhere.
    --Shoeboy
  • by Jrod5000 at RPI (229934) on Sunday September 10, 2000 @05:40PM (#789778)
    mmm free internet access from microsoft... guess we don't need MSN anymore :) i wonder when people will start distributing this hack by mass-mailing CDs to every home in the country.
  • by JArneaud (25121) on Sunday September 10, 2000 @05:43PM (#789779) Homepage
    Well, lemme try this karma-whoring thing out for a change (grin).

    Link one: http://www.kanga.nu/arch ives/MUD-Dev-L/1998Q4/msg00164.php [kanga.nu]

    Link two: http://www.samurai.com/list s/bryans-list-1998/0398.html [samurai.com]

    I haven't tried it because I'm stuck on a windows box without a decent nslookup but it looks simple enough.

  • I don't think so. You can send the request to the PPP provider's DNS servers. It doesn't have a cached address for KJhjh33.dd_2sT-XXT.dAAoi_f.mydnstunnel.org, so it asks a root server who can resolve addresses for mydnstunnel.org. Then it passes the query on to that server (yours) and passes the response back to the client (you).

    The fix is to strip out TXT fields in forwarded DNS replies, but that would probably break some other RFC.

    --
  • by Svartalf (2997) on Sunday September 10, 2000 @05:44PM (#789783) Homepage
    There was this little item in Bugtraq that I stumbled across while trying to hit thier site (doing a Google search for "DNS tunnel")- seems someone previously did a demo of this exploit with the intents of putting in Phrack, deciding to put it up in Bugtraq instead.

    Look here [neohapsis.com] for the info in question.

    Letsee now...

    HTTP Tunnel.
    Mail Tunnel.
    Now, DNS Tunnel.

    Wonder what wonders they'll come up with next.
  • This isn't about the "freeness" of it ... it is an excellent illustration that "information is information", and that any one type of information can be disguised as another type of information.

  • by SlushDot (182874) on Sunday September 10, 2000 @07:32PM (#789793)
    In the early days of the web, our local paranoid sysadmin said "no, absolutely not" to running a web server (then, NCSA, well before apache). And official policy was that we (the users) not run it either on non-priveleged ports. Anonymous ftp was also banned. Our sysadmin was a true BOFH. However! The system *did* support finger. So I thought to put one and only one HTML page into my .plan file. And access it with a funky URL:

    http://hostname.tld:79/\ userid

    Note the space preceeding the userid.

    Totally wrong protocol to send to finger yet it worked. The HTTP protocol sends a "GET / userid HTTP/1.0" to the finger daemon. Luckily fingerd supports multiple userid lookups at the same time. Naturally 'GET' and '/' and 'HTTP/1.0'resolve to invalid users, but userid retrieves the .plan file!

    Since HTTP ignores stuff preceding the <HTML> tag, my web page rendered correctly! From a system where such things were prohibited! Woo hoo! In your face Woods (the sysadmin back then)! Of course, few people cared back then as the web was a whacked far out academic project. Gopher was the big thing back then. Blargh.

  • This opens up a LOT of posibilities... Most companies do not log DNS queries, at all... NSTX along with SSH are almost a guarenteed way to hide traffic going in and out of a firewall in most companies...

    Also, as far as i know, most firewalls that implement stateful inspection, do not support statefully inspecting DNS queries... (im going to have some fun with this little program ;) yyesss!
  • I think I've seen this mentioned somewhere in Phrack while I was doing searches on something else. Nobody, however, has bothered to "officially" implement this sort of tunnel (but with Ethertaps and PPP tunneling, I'm surprised that someone hasn't...)
  • Is there any useful, mainstream purpose to this or reason for taking the time to develop it? Or was it solely a "because we/I can" exercise?

    This could be used by people trapped behind the Great Firewall of China to access "subversive" material.

  • I've posted it once before on slashdot, but what the hell.

    The Email Bounce File System (EBFS)

    It works like this: You break data up into 100k packets and send them to integrity@microsoft.com. You then have a program waiting for the bounces which picks them up when they come back (the bounced packets) and sends immediately sends them on again. Sure - the latency isn't wonderful, but it's infinitete bandwidth! And it even supports Raid-5.

    Somebody once mentioned to me that this wouldn't work on some systems, that mail gets cached somewheree on the way, but the point is, it's not on my hardware, so why should I care?
    Right?

    Right?


  • If I really wanted to, I could just stop allowing dns queries for external hosts. Then internal users can only query for internal hosts, e.g. xxx.mydomain.com

    It won't break anything. Things will still work - http, ftp, smtp. Because they are all via proxies. The proxies do the work.

    Right now I just allow it for convenience.

    The viable way to tunnel through this is via http or ftp, however if username-password authentication is required (like it is here), such abuse is unlikely.

    In fact with the username-password system, you don't really need to bother filtering out sites, you just warn the relevant users if they're going too far - e.g. if warez/mp3 sites keep popping up in the logs and the pipe is congested, and the bosses start to notice and ask questions...

    Cheerio,
    Link.
  • by Darkforge (28199) on Sunday September 10, 2000 @05:44PM (#789806) Homepage
    You have to run this software as a nameserver. A fake nameserver, granted, but a nameserver nonetheless. To do this, you have to have a working bidirectional TCP/IP connection.

    So, you can use this 31337 Xploit to gain free Internet access... assuming you're already paying for a static IP, and you just happen to know a telephone number that lets anybody in the world log in and use their DNS. Uhm. Yeah.

    I guess this is cool just for the sheer niftiness of running data through DNS; I'm sure this will soon be implemented as yet another steganographic protocol, but this isn't too useful, even for ripping off Microsoft.

  • by The Rizz (1319) on Sunday September 10, 2000 @05:45PM (#789807)
    but the operators of this fake nameserver would completely saturate a T1 with only 46 simultaneous 33.6 connections.

    But it would be useful if you had one of these set up, since then you could use it for your own "free internet access" in other cities if you travelled a lot.

    Also, there is another useful application of this: If you set up the target location of one of these in another country, one that doesn't cooperate with foreign authorities in tracking people down, you could have a way to communicate with the rest of the world in an (almost) untracable way.

    For example, Mr. A and Mr. B are planning a revolution in a totalitarian state. It's too dangerous for them to use standard internet access, since it can be traced right back to them.
    Instead, they get one of these DNS tunnels set up in some country that has no ties (or, even better, animosity) with their current country.
    Then Mr. A and Mr. B can call up toll free numbers in various countries and transfer email back and forth in untracable ways to organize the revolution.

  • by Archeopteryx (4648) <[moc.xobop] [ta] [hcrubneb]> on Sunday September 10, 2000 @05:46PM (#789808) Homepage
    I've heard of IP over uucp email, but this is really, really clever. Only, if you were running the server side of things, presumably, you could be traced. So, you would NOT want to use a server you owned. Who would set these up? Or does one rely on being able to compromise some host where the root password is "secret"?

    Don't get me wrong, I am all for maximizing the available anonymity of the net, but we really need a hack that has the same effect, but which uses a standard server.

    All in all, I'll buy the person who though of this a beer any time he or she is in town...
  • So how long until some maker of domain servers sends them a cease-and-desist letter?

    Sometimes the current legal climate, re DeCSS, the CueCat, et al, makes me wish all the good hackers knew how to stay underground instead of posting websites everywhere saying "700k 4t m3! 1 m4d3 4n 0p3n 50urc3 h4xxx0r!!!" It's the kind of thing that causes bad laws to be passed.

    (before you flame, realize my tounge is planted halfway in cheek....)

  • you're right; i was only kidding, so what we need here is a hack that somehow bills the cost of pressing and mailing to microsoft...
  • by pabstblueribbon (219033) on Sunday September 10, 2000 @10:31PM (#789815)
    This sort of technology is an incredible boost to internet security. If this thing gets wide spread usage it will only cause the companies to start designing their networks properly instead of a loose hodgepodge of equipment which most companies have. Your whole spiel about being legitimate is a good point, BUT, whats the point of being legitimate if the "legitimate" people are creating crap.
    I for one applaud all sorts of cracking and abuse on the internet because it only leads to a better stronger entity. The more people go about messing with everyone elses equipment/software the more those people will improve on their goods. Its called natural selection. Those companies that cannot make a better piece of equipment/software will fail and die. Which is how it should be in a capitalist economy. There is no point in a company succeeding through shoddy gear.

    My piece is said.
  • Sounds exactly like the IP equivalent of declining a collect call from "Itsaboy Eightpounds".

    A similar scheme: several websites (such as webwirelessnow.com [webwirelessnow.com]) are offering interesting free services for cell phone users who can recieve text messages for free.

    First, the user signs up on the website and gives their phone number, what types of news they're interested in, what stocks they want to keep track of, etc. Then whenever they want updated information, they call a phone number belonging to the company and hang up immediately after the first ring. This is enough time for the internet company to determine the phone number of the caller, and within a minute the cell phone user recieves a text message with the desired information.

    --

  • Or because some corporate firewalls verrify that that traffic is really HTTP, not just check the port number.
    --
  • If you read the article that's what he did. They emulated the guaranteed delivery of TCP on top of the fire-and-forget connection that was provided by the DNS conduit.
    --
  • Once, while visiting the mens room on the second floor of building 11, I noticed a spent packet of lubricating jelly left behind by a previous inhabitant of the stall.
    I'm not sure if there was any translation going on, but it seems plausible.
    --Shoeboy
  • At the very least this is another "proof of concept." Encapsulating traffic in unexpected places (HTTP, DNS, or even ICMP traffic) is neat stuff. It's also important from a security standpoint. Many firewalls pass DNS traffic unrestricted through UDP port 53 (DNS.) If you manage a network where users might be able to do this, then this kind of information is good stuff to know.

    BTW, one of the reasons Slashdot is as popular as it is is because they know which articles are most interesting to the bulk of their readers--why do people still keep second guessing them?

    numb

"Just the facts, Ma'am" -- Joe Friday

Working...