FYI - IP tunnelling via DNS
Jeffrey Altman
jaltman at columbia.edu
Mon Sep 11 05:30:17 UTC 2000
> > Is this even something we can do anything about ?
>
> Not as such. We can't change the protocol, and I'm not sure there's anything
> any implementation (bind or otherwise) could do to block this access. NAT
> seemed like a possibility a few seconds ago but then I realized that it's not
> using A RR's and as far as I know most DNS-aware NAT implementations pass TXT
> straight on through.
As well they should. There are legitimate uses for TXT, some of which
include performing authentication of connections (_kerberos TXT
queries). It's bad enough that hotel data port connections filter DNS
queries, which prevents authenticated access from the hotel rooms. I
would hate to see NATs perform filtering simply based on the RR
type used. Changing the RR type used would not be all that difficult,
I would imagine.
A better method would be to perform some form of data traffic
analysis. There must be a significant number of queries to a
particular DNS in order for this to be effective.
Jeffrey Altman * Sr.Software Designer
The Kermit Project * Columbia University
612 West 115th St * New York, NY * 10025 * USA
http://www.kermit-project.org/ * kermit-support at kermit-project.org
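The traffic-analysis approach suggested above, as an added example that is not part of the original post or of BIND: a small detector that reads BIND-style query log lines, groups queries by zone, and flags a zone only when the volume is high and the queries are dominated by TXT lookups with high-entropy, mostly unique leftmost labels. The log lines, the two-label zone grouping and all thresholds are constructed assumptions for illustration; a legitimate _kerberos TXT query against a normal zone is included to show it is not flagged.

```python
"""Added example (not from the original thread): detect DNS tunnelling by
traffic analysis over BIND-style query log lines."""
import math
import re
from collections import defaultdict

# Matches the query part of a BIND "query" log line, e.g.
#   client 10.0.0.5#5353: query: abc.example.com IN TXT + (192.0.2.1)
QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def zone_of(qname: str) -> str:
    """Group by the last two labels (a simplification; a real deployment
    would use the public suffix list to find the registrable domain)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def label_entropy(qname: str) -> float:
    """Shannon entropy (bits/char) of the leftmost label, where encoded
    tunnel payloads usually sit."""
    label = qname.lower().split(".")[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyse(lines, min_queries=20, txt_ratio=0.5, min_entropy=3.0):
    """Return {zone: stats} for zones whose query pattern looks like
    tunnelling: many queries, mostly TXT, with high-entropy names."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "names": set(), "ent": 0.0})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        qname, qtype = m["qname"], m["qtype"].upper()
        s = stats[zone_of(qname)]
        s["total"] += 1
        s["txt"] += qtype == "TXT"
        s["names"].add(qname.lower())
        s["ent"] += label_entropy(qname)
    flagged = {}
    for zone, s in stats.items():
        if s["total"] < min_queries:
            continue  # too little traffic to judge
        ratio = s["txt"] / s["total"]
        mean_entropy = s["ent"] / s["total"]
        if ratio >= txt_ratio and mean_entropy >= min_entropy:
            flagged[zone] = {
                "total": s["total"],
                "txt_ratio": round(ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                "unique_ratio": round(len(s["names"]) / s["total"], 2),
            }
    return flagged

BASE32 = "abcdefghijklmnopqrstuvwxyz234567"

def constructed_log():
    """Constructed sample log: 30 tunnel-like TXT queries carrying encoded
    40-character labels, plus ordinary A/MX lookups and a few legitimate
    _kerberos TXT queries against a normal zone."""
    lines = []
    for i in range(30):
        payload = "".join(BASE32[(i * 7 + k) % 32] for k in range(40))
        lines.append(f"client 10.0.0.5#5353: query: {payload}.tunnel.example.com IN TXT + (192.0.2.1)")
    for _ in range(10):
        lines.append("client 10.0.0.7#40123: query: www.example.org IN A + (192.0.2.1)")
        lines.append("client 10.0.0.7#40124: query: mail.example.org IN MX + (192.0.2.1)")
    for _ in range(3):
        lines.append("client 10.0.0.9#40200: query: _kerberos.example.org IN TXT + (192.0.2.1)")
    return lines

if __name__ == "__main__":
    for zone, info in analyse(constructed_log()).items():
        print(zone, info)
```

The point of combining the three signals is the one the post makes: a tunnel needs many queries, so volume alone is the first filter, and the TXT ratio and name entropy then separate it from a zone that merely serves a few legitimate TXT records such as _kerberos.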