FYI - IP tunnelling via DNS
Jerry Scharf
scharf at vix.com
Mon Sep 11 14:04:03 UTC 2000
I agree that traffic analysis is the right way to go. For the people using
checkpoint class boxes rather than packet filtering routers, you should be
able to pick this out reasonably quickly. You have a stream of DNS responses
with the same source and dest and all TXT records, many of the same size,
coming through. If you have some kind of rate limit trigger, you should be
able to get a filter up for DNS from source to dest within not too many
packets. In this case, it's ok to let a handful or two of packets through before
plugging the hole. I wouldn't try to get the queries at all.
Also looks like we found the "killer app" for edns0's larger packet size.
jerry
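As an added illustration of the traffic-analysis approach described in the post (example code, not from the post or from BIND), the detector below walks constructed DNS-response records and flags a source/destination pair once a burst of TXT responses of mostly one size has gone by; the record format, thresholds and addresses are assumptions.

```python
# Added example (not from the bind-workers post): flag a src/dst pair whose
# recent DNS responses are all TXT and mostly the same size, after a small
# number of packets have already passed, as the post describes.
from collections import Counter, defaultdict, deque

# Constructed sample records: (timestamp, src, dst, qtype, payload_bytes).
# The 10.0.0.5 -> 192.0.2.10 stream mimics a tunnel: every response is TXT,
# and most of them share one size.  The 10.0.0.9 traffic is ordinary lookups.
SAMPLE = [(1.0 + i * 0.2, "10.0.0.5", "192.0.2.10", "TXT", 480 if i % 5 else 512)
          for i in range(20)]
SAMPLE += [(2.0, "10.0.0.9", "192.0.2.10", "A", 75),
           (2.5, "10.0.0.9", "192.0.2.10", "TXT", 120),
           (3.0, "10.0.0.9", "192.0.2.10", "A", 75)]


def detect_txt_streams(records, window=10.0, min_count=10, same_size_ratio=0.6):
    """Yield (src, dst, count, dominant_size) for each pair that, within
    `window` seconds, has at least `min_count` TXT responses of which at least
    `same_size_ratio` share a single size.  Each pair is reported once, which
    is the point at which a filter for that src/dst would be raised."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, size), TXT only
    flagged = set()
    for ts, src, dst, qtype, size in sorted(records):
        if qtype != "TXT":        # only the TXT-record answers matter here
            continue
        q = recent[(src, dst)]
        q.append((ts, size))
        while q and ts - q[0][0] > window:   # drop responses outside the window
            q.popleft()
        if len(q) >= min_count and (src, dst) not in flagged:
            top_size, top_n = Counter(s for _, s in q).most_common(1)[0]
            if top_n / len(q) >= same_size_ratio:
                flagged.add((src, dst))
                yield src, dst, len(q), top_size


def run_sample():
    """Run the detector over the constructed records; returns the flagged pairs."""
    return list(detect_txt_streams(SAMPLE))


if __name__ == "__main__":
    for src, dst, n, size in run_sample():
        print(f"filter DNS {src} -> {dst}: {n} TXT responses, {size}-byte answers dominate")
```

With the defaults the tunnel-like pair is reported after its tenth TXT response, i.e. a handful or two of packets have already passed, matching the trade-off the post accepts.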