Firewall Wizards mailing list archives
Re: dns outbound
From: Darren Reed <darrenr () reed wattle id au>
Date: Tue, 18 May 1999 23:52:46 +1000 (EST)
In some email I received from Marcus J. Ranum, sie wrote:
Ryan Russell wrote:Another claimed that one of his uses was able to surf the web without having to authenticate on the way out, via the DNS rule.If you have access to an external system, someplace, you can use DNS packets to contain IP packets, or you can set up an application-level proxy that tunnels over DNS packets. Kind of a lot of work, but a technically knowledgeable person behind a firewall that he/she didn't like could do it easily enough. This is a basic problem with firewalls: so much stuff can be pushed back and forth through them that they're very easy to tunnel through. What scares me is the (obvious) implication of a "firewall-aware" tunnelling trojan horse/virus that opens outgoing connections via HTTP or other protocols that firewalls typically allow.
But how far do you need to go to eliminate covert channels ? If my firewall checks for valid DNS structure in `DNS' packets, then what is to stop someone tunneling data using the "variable" part of the DNS packet, such as the IP address/domain being requested ? Sure my bandwidth is not as great but it could still work. The greatest challenge here is that you need to have some way of guaranteeing that DNS packets will reach X but I can see how that could still be made to work. How about transferring a file from outside to inside via a zone transfer (properly structured, data just isn't DNS data) ? You're almost saying that a firewall needs to have design properties from those A1 Orange book systems (which we all love to hate) by being careful to eliminate leakage of information. Just how far does the bar need to be raised when measuring a vikings' height ? :) Darren
Current thread:
- Re: dns outbound, (continued)
- Re: dns outbound Larry Chin (May 17)
- RE: dns outbound Thomas Crowe (May 18)
- Re: dns outbound Joseph S D Yao (May 17)
- Re: dns outbound David Goldsmith (May 17)
- RE: dns outbound Buckley, Neil (May 17)
- Re: dns outbound Ryan Russell (May 17)
- Re: dns outbound Marcus J. Ranum (May 18)
- Re: dns outbound chuck (May 18)
- Re: dns outbound Ge' Weijers (May 19)
- Re: dns outbound Matt McClung (May 18)
- Re: dns outbound Darren Reed (May 18)
- Re: dns outbound Bennett Todd (May 19)
- Re: dns outbound Marcus J. Ranum (May 18)
- Re: dns outbound Larry Chin (May 17)
- Re: dns outbound Deepak Vaidya (May 17)
- Re: dns outbound wyllys (May 18)
- Re: dns outbound David Gillett (May 19)
- Re: dns outbound wyllys (May 21)
- Re: dns outbound Bennett Todd (May 19)