Data exfiltration using DNS RPZ

Vadim Pavlov pvm_job at mail.ru
Sun Jun 17 17:18:52 UTC 2018


Just to be more clear. DNSSEC records can contain any content and can be used for infiltration/tunneling. 
E.g. If you request DNSKEY record (you can encode your request in fqdn) you will get it exactly "as is". Intermediate DNS servers do not validate the records.
So instead of "standard/usual" TXT records you can use DNSKEY to pass data from a DNS remote server.

Vadim
> On 17 Jun 2018, at 10:07, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
> 
> On 06/17/2018 10:52 AM, Vadim Pavlov via bind-users wrote:
>> DNSSEC can be used for infiltration/tunneling (when you get data from a DNS servers) but there is a catch that such requests can be easily dropped.
> 
> Will you please elaborate and provide a high level overview of how DNSSEC can be used for infiltration or tunneling?
> 
> It is my understanding that DNSSEC is just a cryptographic hash that clients can verify by calculating their own hash over the results for the same query.  As such, nothing is actually hidden.  1) You know the outbound query, 2) you know the inbound reply + DNSSEC signature, 3) you know the algorithm used to generate the hash, and 4) you validate the DNSSEC signature.  So, what about that is hidden?
> 
> I fail to see how DNSSEC can be a covert channel, even if there is manipulation in what key is used.  Unless you're expiring & modifying the ZSK about once a second so that you can change things and try to hide using something like steganography.  Even then, I'm not sure how well that would work.
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



More information about the bind-users mailing list