Secure Tunneling of DNS Requests

David Arnstein arnstein at panix.com
Thu Oct 6 18:50:35 UTC 2005


I realize that this post is somewhat off-topic for comp.protocols.dns.bind.
I would be grateful if someone would suggest a more appropriate forum
for this discussion. But please note that comp.protocols.dns.ops appears
to be well and truly dead.

I am thinking about writing some software to support the forwarding of
DNS requests through a secure tunnel (for example, using ssh and/or
stunnel).

The typical application of such software involves using a web browser
on a LAN that the user does not trust.  In such a case, the user might
create a tunnel to a computer that he does trust, using ssh. Then he
would configure his web browser software to use ssh as an HTTP proxy.

The problem in the above example is that the web browser still sends
DNS requests over the untrusted LAN. This would allow a hostile party
to track the user's web browsing activities.

I don't want to limit my attention to web browsers though. I can
tunnel just about any TCP/IP traffic through ssh. The attendant
DNS queries could all be tunneled as well.

The challenge in writing DNS tunneling software is that the DNS protocol
operates over UDP, and most (if not all) tunneling software is written
for TCP.

I have a loose plan to use an existing DNS forwarding project such as
dnrd (hosted at Source Forge) as a point of departure.

In any case, before I begin, I solicit comments. Do similar projects
already exist? I will greatly appreciate your general suggestions as
well.
-- 
David Arnstein
arnstein+usenet at pobox.com
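The "UDP versus TCP" difficulty the post raises is smaller than it looks, because DNS already defines a TCP transport: RFC 1035 section 4.2.2 carries each message over TCP prefixed by a two-byte big-endian length. A local shim only has to accept UDP queries on loopback, re-frame them for TCP, push them down an existing TCP tunnel (such as an `ssh -L` port forward ending at a resolver the user trusts), and hand the answer back over UDP. The following is an added example, not code from the original poster or from the dnrd project; it assumes that the TCP endpoint `TCP_HOST:TCP_PORT` is the local end of such a tunnel, and for offline use it stands in a constructed fake resolver that answers every query with NXDOMAIN so the round trip can be exercised without any network access.

```python
import socket
import struct
import threading

# Added example (not the original poster's code): a minimal UDP-to-TCP shim for DNS.
# A stub resolver sends UDP queries to this shim on loopback; the shim forwards each
# one over TCP using RFC 1035 section 4.2.2 framing (2-byte big-endian length prefix)
# to TCP_HOST:TCP_PORT, assumed to be an `ssh -L` forward to a trusted recursive
# resolver. Only the loopback hop ever carries the query in the clear.


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Construct a DNS query (constructed sample input for the demo, QTYPE A by default)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def frame_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its length, as required on TCP."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP recv() may return partial chunks."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP peer closed mid-message")
        buf += chunk
    return buf


def read_tcp_message(sock: socket.socket) -> bytes:
    """Read one length-prefixed DNS message from a TCP socket."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def forward_over_tcp(query: bytes, tcp_host: str, tcp_port: int, timeout: float = 5.0) -> bytes:
    """Send one query through the TCP endpoint and return the matching reply."""
    with socket.create_connection((tcp_host, tcp_port), timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        reply = read_tcp_message(s)
    if reply[:2] != query[:2]:  # transaction ID must match; otherwise discard
        raise ValueError("reply ID does not match query ID")
    return reply


def serve_udp(udp_sock: socket.socket, tcp_host: str, tcp_port: int, max_queries=None) -> None:
    """UDP front end: one TCP connection per query keeps the shim simple and stateless."""
    handled = 0
    with udp_sock:
        while max_queries is None or handled < max_queries:
            data, peer = udp_sock.recvfrom(4096)
            if len(data) < 12:  # shorter than a DNS header: ignore
                continue
            try:
                udp_sock.sendto(forward_over_tcp(data, tcp_host, tcp_port), peer)
            except (OSError, ValueError):
                pass  # tunnel down or bad reply: the client will time out and retry
            handled += 1


def fake_tcp_resolver(max_queries: int = 1) -> int:
    """Constructed stand-in for the trusted resolver at the far end of the tunnel.
    Echoes each query with QR=1 and RCODE=3 (NXDOMAIN). Returns its TCP port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        for _ in range(max_queries):
            conn, _ = srv.accept()
            with conn:
                q = read_tcp_message(conn)
                flags = struct.unpack("!H", q[2:4])[0] | 0x8000 | 0x0003
                conn.sendall(frame_tcp(q[:2] + struct.pack("!H", flags) + q[4:]))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo() -> dict:
    """Run one query through UDP shim -> TCP -> fake resolver and back, all on loopback."""
    tcp_port = fake_tcp_resolver(max_queries=1)
    u = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    u.bind(("127.0.0.1", 0))
    udp_port = u.getsockname()[1]
    t = threading.Thread(target=serve_udp, args=(u, "127.0.0.1", tcp_port, 1), daemon=True)
    t.start()
    query = build_query("example.com", qid=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.settimeout(5)
        c.sendto(query, ("127.0.0.1", udp_port))
        reply, _ = c.recvfrom(4096)
    t.join(5)
    flags = struct.unpack("!H", reply[2:4])[0]
    return {"id_matches": reply[:2] == query[:2], "qr": bool(flags & 0x8000),
            "rcode": flags & 0xF, "question_echoed": reply[12:] == query[12:]}


if __name__ == "__main__":
    print(demo())
```

In real use the fake resolver is replaced by an `ssh -L 127.0.0.1:5353:<trusted-resolver>:53 <trusted-host>` forward and the stub resolver is pointed at the shim's UDP port; the shim never needs to understand DNS beyond the header, but checking the transaction ID and dropping undersized datagrams keeps a stray packet on the untrusted LAN from being relayed or mistaken for an answer.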

More information about the bind-users mailing list