FYI - IP tunnelling via DNS
Jerry Scharf
scharf at vix.com
Tue Sep 12 04:01:38 UTC 2000
Darren,
You aren't trapping on the outbound requests; you would trap on the rate limit
of TXT record responses. If you get more than, say, 5-10 TXT responses from the
same host to the same host in a second, you put up a, say, 30-minute filter that
wipes that DNS server's ability to reply with TXT records. It will have all
the desired effects with very little likelihood of taking out legitimate
traffic. There are other ways to cut the heuristic, but something like this
would indeed work.
jerry
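
The heuristic described in the message above, as an added example that is not part of the original post: a sliding one-second count of TXT responses per (server, client) pair that, once exceeded, drops that server's TXT replies for 30 minutes. The class name, the record layout, the threshold of 10 and the choice to apply the block to the server for every client are assumptions; the sample records are constructed.

```python
from collections import defaultdict, deque

THRESHOLD = 10           # TXT responses per window (the post suggests 5-10)
WINDOW = 1.0             # seconds
BLOCK_SECONDS = 30 * 60  # the 30-minute filter from the post


class TxtResponseLimiter:
    """Hypothetical filter: decides whether a DNS response is passed on."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, block=BLOCK_SECONDS):
        self.threshold, self.window, self.block = threshold, window, block
        self.recent = defaultdict(deque)  # (server, client) -> TXT timestamps
        self.blocked_until = {}           # server -> time the filter expires

    def allow(self, ts, server, client, rtype):
        """Return True to pass the response, False to drop it."""
        if rtype != "TXT":
            return True                   # only TXT replies are ever filtered
        if self.blocked_until.get(server, 0.0) > ts:
            return False                  # filter still in place
        self.blocked_until.pop(server, None)
        stamps = self.recent[(server, client)]
        stamps.append(ts)
        while ts - stamps[0] >= self.window:
            stamps.popleft()              # forget responses older than the window
        if len(stamps) > self.threshold:
            self.blocked_until[server] = ts + self.block
            stamps.clear()
            return False
        return True


def replay(records, limiter):
    """Feed (ts, server, client, rtype) tuples through the limiter in order."""
    return [limiter.allow(*rec) for rec in records]


# Constructed sample: 12 TXT responses in one second between the same two hosts
# (documentation addresses from RFC 5737).
SAMPLE = [(i * 0.09, "192.0.2.53", "198.51.100.7", "TXT") for i in range(12)]

if __name__ == "__main__":
    for rec, ok in zip(SAMPLE, replay(SAMPLE, TxtResponseLimiter())):
        print(f"{rec[0]:5.2f}s {rec[1]} -> {rec[2]} {rec[3]:4} "
              f"{'pass' if ok else 'DROP'}")
```
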