Data exfiltration using DNS RPZ
Grant Taylor
gtaylor at tnetconsulting.net
Sun Jun 17 17:07:49 UTC 2018
On 06/17/2018 10:52 AM, Vadim Pavlov via bind-users wrote:
> DNSSEC can be used for infiltration/tunneling (when you get data from a
> DNS servers) but there is a catch that such requests can be easily dropped.
Will you please elaborate and provide a high level overview of how
DNSSEC can be used for infiltration or tunneling?
It is my understanding that DNSSEC is just a cryptographic hash that
clients can verify by calculating their own hash over the results for
the same query. As such, nothing is actually hidden. 1) You know the
outbound query, 2) you know the inbound reply + DNSSEC signature, 3) you
know the algorithm used to generate the hash, and 4) you validate the
DNSSEC signature. So, what about that is hidden?
I fail to see how DNSSEC can be a covert channel, even if there is
manipulation in what key is used. Unless you're expiring & modifying
the ZSK about once a second so that you can change things and try to
hide using something like steganography. Even then, I'm not sure how
well that would work.
--
Grant. . . .
unix || die
More information about the bind-users
mailing list