Data exfiltration using DNS RPZ

Grant Taylor gtaylor at
Sun Jun 17 17:07:49 UTC 2018

On 06/17/2018 10:52 AM, Vadim Pavlov via bind-users wrote:
> DNSSEC can be used for infiltration/tunneling (when you get data from a 
> DNS servers) but there is a catch that such requests can be easily dropped.

Will you please elaborate and provide a high level overview of how 
DNSSEC can be used for infiltration or tunneling?

It is my understanding that DNSSEC is just a cryptographic hash that 
clients can verify by calculating their own hash over the results for 
the same query.  As such, nothing is actually hidden.  1) You know the 
outbound query, 2) you know the inbound reply + DNSSEC signature, 3) you 
know the algorithm used to generate the hash, and 4) you validate the 
DNSSEC signature.  So, what about that is hidden?

I fail to see how DNSSEC can be a covert channel, even if there is 
manipulation in what key is used.  Unless you're expiring & modifying 
the ZSK about once a second so that you can change things and try to 
hide using something like steganography.  Even then, I'm not sure how 
well that would work.

Grant. . . .
unix || die

More information about the bind-users mailing list