Firewall Wizards mailing list archives

Re: dns outbound


From: Darren Reed <darrenr () reed wattle id au>
Date: Tue, 18 May 1999 23:52:46 +1000 (EST)

In some email I received from Marcus J. Ranum, sie wrote:
Ryan Russell wrote:
Another claimed that one of his users was able to
surf the web without having to authenticate on the
way out, via the DNS rule.

If you have access to an external system, someplace, you can
use DNS packets to contain IP packets, or you can set up
an application-level proxy that tunnels over DNS packets.
Kind of a lot of work, but a technically knowledgeable person
behind a firewall that he/she didn't like could do it easily
enough. This is a basic problem with firewalls: so much
stuff can be pushed back and forth through them that they're
very easy to tunnel through. What scares me is the (obvious)
implication of a "firewall-aware" tunnelling trojan horse/virus
that opens outgoing connections via HTTP or other protocols
that firewalls typically allow.

But how far do you need to go to eliminate covert channels?  If my
firewall checks for valid DNS structure in "DNS" packets, then what
is to stop someone tunneling data using the "variable" part of the
DNS packet, such as the IP address/domain being requested?  Sure my
bandwidth is not as great but it could still work.  The greatest
challenge here is that you need to have some way of guaranteeing
that DNS packets will reach X but I can see how that could still
be made to work.  How about transferring a file from outside to inside
via a zone transfer (properly structured, data just isn't DNS data)?

You're almost saying that a firewall needs to have design properties
from those A1 Orange book systems (which we all love to hate) by
being careful to eliminate leakage of information.

Just how far does the bar need to be raised when measuring a viking's
height? :)

Darren
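A defender-side check of the kind Darren's question implies a firewall or resolver log monitor would need, added here as an example and not part of the original thread: over a constructed query log it scores the leftmost label of each query name for length and entropy (the "variable part" being used as a channel), counts distinct long labels per registered domain, and flags zone-transfer requests from inside clients. The log format, the two-label approximation of a registered domain, and all thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample query log (not from the thread): "<client> <qtype> <qname>".
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 3a7f9c2e1b4d8e6f0a9c3b5d7e1f2a4c.tun.example.net
10.0.0.7 TXT 8b1e4d7a2c9f6e3b5a0d1c8e7f4b2a9d.tun.example.net
10.0.0.7 TXT 5c2d9e1f7a3b8c4d6e0f2a1b9c7d3e5f.tun.example.net
10.0.0.9 AXFR example.org
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score well above real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: the last two labels approximate the registered domain (no suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def flag_queries(log_text, max_label=24, min_entropy=3.0, min_unique=3):
    """Return (client, reason) pairs for queries that look like covert data carriers.
    Thresholds are assumed starting points for tuning, not measured values."""
    findings = []
    seen = defaultdict(set)  # (client, registered domain) -> leftmost labels seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        if qtype == "AXFR":  # inside client pulling a zone: the bulk channel Darren describes
            findings.append((client, f"zone transfer request for {qname}"))
            continue
        first = qname.rstrip(".").split(".")[0]
        if len(first) > max_label and shannon_entropy(first) >= min_entropy:
            findings.append((client, f"high-entropy label {first[:12]}... in {qname}"))
        seen[(client, registered_domain(qname))].add(first)
    # Many distinct long labels under one domain: the variable part used as a channel.
    for (client, dom), labels in seen.items():
        if len(labels) >= min_unique and all(len(lab) > max_label for lab in labels):
            findings.append((client, f"{len(labels)} distinct long labels under {dom}"))
    return findings
```

Run `flag_queries(SAMPLE_LOG)` to see the two noisy clients reported while the ordinary lookups from 10.0.0.5 pass; the thresholds will need tuning against real resolver logs, where CDN and anti-spam lookups also produce long labels.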
