FYI - IP tunnelling via DNS

Jerry Scharf scharf at vix.com
Mon Sep 11 14:04:03 UTC 2000


I agree that traffic analysis is the right way to go. For the people using 
checkpoint class boxes rather than packet filtering routers, you should be 
able to pick this out reasonably quickly. You have a stream of DNS responses 
with the same source and dest and all TXT records, many of the same size, 
coming through. If you have some kind of rate limit trigger, you should be 
able to get a filter up for DNS from source to dest within not too many 
packets. In this case, it's ok to let a handful or two of packets through before 
plugging the hole. I wouldn't try to get the queries at all.

Also looks like we found the "killer app" for edns0's larger packet size. 

jerry
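The trigger Jerry sketches (many DNS responses between one source/destination pair, all TXT, many of the same size, plus a packet-count threshold before the filter goes up) is easy to prototype. The example below is added here and is not code from the original post or from BIND; the DNS response records are a constructed sample, not a real capture, and the iptables rule it emits is one illustrative way to express "filter DNS from source to dest", not what Jerry's Checkpoint-class box would produce. It reports how many packets each tunnelling flow got through before the trigger fired, which is the "handful or two" the post is willing to accept.

```python
"""Detect a DNS-over-TXT tunnel from response traffic alone (no queries needed).

Heuristic from the post: same src/dst, all TXT, many near-identical sizes,
and a packet-count threshold so only a handful leak before the filter goes up.
"""
from collections import Counter, defaultdict

# Constructed sample, not a real capture: (src, dst, rrtype, response_len_bytes).
# Flow to 192.0.2.10 is the tunnel: a steady stream of TXT answers of nearly the same size.
# Flow to 192.0.2.20 is a client doing a few ordinary TXT (SPF-style) lookups.
# Flow to 192.0.2.30 gets many TXT answers but of widely varying size, so it must NOT trip.
RESOLVER = "198.51.100.53"
TUNNEL_SIZES = [487, 491, 487, 483, 495, 487, 489, 487, 487, 491, 487, 485]
NOISY_SIZES = [90, 150, 220, 310, 130, 410, 75, 260, 180]

def _build_sample():
    rows = []
    for i, size in enumerate(TUNNEL_SIZES):
        rows.append((RESOLVER, "192.0.2.10", "TXT", size))
        if i % 3 == 0:  # ordinary A answers on the same flow; they must not count
            rows.append((RESOLVER, "192.0.2.10", "A", 73))
        if i < len(NOISY_SIZES):
            rows.append((RESOLVER, "192.0.2.30", "TXT", NOISY_SIZES[i]))
    rows += [(RESOLVER, "192.0.2.20", "TXT", s) for s in (140, 212, 98)]
    return rows

SAMPLE_RESPONSES = _build_sample()

THRESHOLD = 8            # TXT responses on one flow before we are willing to act
SIZE_TOLERANCE = 16      # bytes; sizes this close to the modal size count as "the same"
MIN_SAME_SIZE_FRACTION = 0.6

def _uniform(sizes, tol=SIZE_TOLERANCE, frac=MIN_SAME_SIZE_FRACTION):
    """True if at least `frac` of the sizes lie within `tol` bytes of the most common size."""
    mode = Counter(sizes).most_common(1)[0][0]
    within = sum(1 for s in sizes if abs(s - mode) <= tol)
    return within / len(sizes) >= frac

def detect_tunnels(responses, threshold=THRESHOLD):
    """Process responses in arrival order.

    Returns {(src, dst): packets_seen_when_tripped} for every flow whose TXT
    responses reached `threshold` and were of uniform size. Once a flow trips,
    later packets on it are ignored (a real filter would be dropping them).
    """
    txt_sizes = defaultdict(list)
    tripped = {}
    for src, dst, rrtype, size in responses:
        key = (src, dst)
        if key in tripped or rrtype != "TXT":
            continue
        txt_sizes[key].append(size)
        if len(txt_sizes[key]) >= threshold and _uniform(txt_sizes[key]):
            tripped[key] = len(txt_sizes[key])
    return tripped

def filter_rules(tripped):
    """Illustrative iptables rules blocking DNS responses from src to dst for each tripped flow."""
    return [
        f"iptables -A FORWARD -p udp --sport 53 -s {src} -d {dst} -j DROP"
        for (src, dst) in sorted(tripped)
    ]

if __name__ == "__main__":
    hits = detect_tunnels(SAMPLE_RESPONSES)
    for (src, dst), n in hits.items():
        print(f"tunnel suspected {src} -> {dst}: tripped after {n} TXT responses")
    for rule in filter_rules(hits):
        print(rule)
```

Only the tunnel flow trips, and it trips after exactly the threshold count of TXT responses; the flow with varied TXT sizes never does, which is the point of adding the size-uniformity check on top of a plain rate limit. On a real gateway the same logic would run against the firewall's connection or packet log rather than an in-memory list, and the threshold is the knob that trades leaked packets for false positives.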





More information about the bind-workers mailing list