Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

IP Tunneling Through Nameservers

CmdrTaco posted more than 13 years ago | from the surfing-for-free dept.

The Internet 175

I'm always interested in seeing protocols extended to do silly (and in many cases, not so silly) things that they were never intended to do. I've seen DNS extended to do a lot of crazy stuff, but until today, the coolest was DNS server based MUDs. Read on to read about an IP tunnel implemented through DNS. Its crazy.FrodoID (for Skyp and FrodoID) writes "In many countries, it is possible to use the Internet completely free of charge using Microsft PPP dialin numbers. These numbers, of course, normally won't allow you to do this.

But did you know that you can build up a fullfeatured and even bidirectional IP tunnel through Nameservers? Yes, that's right: "IP-over-DNS".

Using some toll free numbers which normally only allow outgoing packets to some few chosen servers, you can now surf the internet - completely and doing everything you could do with your normal, fullfeatured internet account. Microsoft has some of those restricted, toll free numbers.

The reason is: Most of these Microsoft PPP dialins allow you to use a Nameserver. And DNS lookups are just another kind of communication between a server and a client - the client asking for information to the nameserver known to him, the server which has been asked forwards the information to another nameserver or directly to the nameserver responsible for the asked information, and the now contacted server answering through the same path back.

That still sounds very useless for tunneling, but think about encapsulating the IP packets into nameserver requests, and the answer contains the traffic of the other direction. The request would look something like a hostname lookup to "KJhjh33.dd_2sT-XXT.dAAoi_f.mydnstunnel.org" (you see, the traffic is being encoded to represent legal hostnames), the answer contains the payload in a TXT record. That way you can build a fully functional IP tunnel.

You just need a client and a fake nameserver - making up the two communication endpoints.

It was tricky - the DNS protocol seems a little bit chaotic and it only allows packets of 512 bytes - so you have to fragment. And it uses UDP and not TCP - so you have to implement some mechanisms to ensure that the fragments are reassembled correctly (you see, you basically need a protocol which reimplements some features of IP and TCP). Additionally, the client can "contact" the fake nameserver everytime it wants to send traffic out - but the server is only able to answer, never to send on it's own. So you need some polling, if you want it really bidirectional.

We called the protocol used to achieve all this the "NSTX Protocol", meaning "Nameserver Transfer Protocol". The uglyness of the DNS protocol (just look at the headers: no alignment and no padding!) and the fact that we tried to use it in a way it really never was designed for (after all, remember that DNS is more like a phonebook than a communication facility) didn't make the design and implementation of NSTX easier at all.

But finally, we've done it. And with a toll-free Microsoft PPP dialin number in Germany (which of course only allows the download of some patches etc.) it worked - surprisingly stable and not even slow.

Think about it - many companies have "closed" networks which also don't allow outbound connections, but they have a nameserver in the same network that can resolve any hostname out there. That way you could also use the tunnel to establish a bidirectional communication path between the secured network and the outside world, where it wouldn't have been possible.

For everyone who likes to play around with this new kind of tunnel that probably only few persons have ever thought of, just take a look at http://nstx.dereference.de where you can find the full source code. It implements a client and a fake nameserver for both tunnel endpoints of an "IP-over-DNS"-tunnel. Both use the Linux Ethertap device for giving you a tunnel network interface. The server is a fake nameserver fully compliant to the DNS specifications and the client issues the requests, also using intelligent timing mechanisms for polling queued traffic from the server.

Maybe security managers in companies should look if they have nameservers in places where they better shouldn't have.

And maybe you also like the idea of using the internet using a toll free Microsoft dialin number, completely at no charge."

cancel ×

175 comments

Sorry! There are no comments related to the filter you selected.

DNS Napster (1)

BobLenon (67838) | more than 13 years ago | (#789657)

Maybe someone outta extend this and write a napster client that'll use DNS ... so it can get around napster blocks ... tho i guess it mite be a bit slow ... and you could really only use it for getting mp3s ... it still would be awesome.

Re:Perfect timing... (1)

AndyL (89715) | more than 13 years ago | (#789658)

Because it translates websites you could tell it to translate your favorite porn site. Then you'd be able to see porn even with the porn-blocker in place.

Don't worry! (1)

Steeltoe (98226) | more than 13 years ago | (#789662)

Huh? What are you worried about? How would you get in trouble for running a piracy site that allows downloading from a server you own? If anything, people actually downloading warez and accessing the latest child-Pr0n on your server might get in trouble, but I don't see how you would.

- Steeltoe

Re:Just Like Collect Calling (1)

dr_labrat (15478) | more than 13 years ago | (#789664)

There are situations like this anywhere...

For instance Inland Revenue (UK version of IRS) billed me £2.00 I paid by cheque happily knowing that it would cost them around £100 to process it....

Big companies and organisations are dumb. Basically this is because these days the computers run the humans.

The computers says: "we are owed £0.02, collect. Expense is irrelevant"

The operator says "Hm, more than my jobsworth to refuse to do that."

Sad really.

Re:DNS Napster (2)

grahamsz (150076) | more than 13 years ago | (#789666)

Ummm you already can run napster over this. Just connect your windoze box (or vmware) to your linux box and have linux do some NAT routing over the virtual device.

Anyway why dont u just run napster on the machine that you were going to run your fake nameserver on and be done with it?

Yes (1)

dingbat_hp (98241) | more than 13 years ago | (#789667)

It's a Hack, in the classical sense. Of course it's a good thing.

Re:How about fingerd as the poor man's web server? (1)

rxmd (205533) | more than 13 years ago | (#789668)

Now that's REALLY good.

Re:More neat DNS tricks (2)

semios (146723) | more than 13 years ago | (#789670)

That one didn't work for me exactly. It needed a little something in the while loop. After I added '' it worked great... here's my rendition:

dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(){print pack("H32",$_)}' | gzip -d

Neat way of distributing, I must say. :)

Re:More neat DNS tricks (1)

semios (146723) | more than 13 years ago | (#789671)

dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(<>){print pack("H32",$_)}' | gzip -d

And now I see why it didn't come out right... ok, this one works (the '< and >' were being interpreted as HTML tags).

Re:Just Like Collect Calling (1)

Anonymous Coward | more than 13 years ago | (#789673)

The company I work for recently started charging $0.25 for soda and juice. I laugh everytime I get one because with the fairly long walk to the machine, I get paid about $4.00 to get myself a refreshment. And now I have to go six times as often since I can't conveniently grab a six pack anymore. You gotta love people for the same reason you gotta love fish. Because they're stupid.

Should be fixable... (1)

plastik55 (218435) | more than 13 years ago | (#789674)

Now, this is truly a "moby hack" and I'm very impressed. It strikes me that Microsoft (or whoever is providing the telephone line) could simply filter out DNS requests that aren't trying to find one of their servers.

"they beam this information everywhere, all through the fucking air. You just gotta know how to grab it. Just got to know how to grab it." --Heat

Re:Just so that everyone knows, this may be for re (3)

jesser (77961) | more than 13 years ago | (#789675)

Wonder what wonders they'll come up with next.

A slashdot semi-hidden-sid [slashdot.org] tunnel! It could easily be anonymous, and it could be encrypted too -- pretty neat, huh? The only problem is that you could only send one message every 70 seconds. But if you had a class C if IP addresses available you might be able to post faster.

--

Re:This is ridiculous! (2)

jesser (77961) | more than 13 years ago | (#789676)

So, you can use this 31337 Xploit to gain free Internet access... assuming you're already paying for a static IP, and you just happen to know a telephone number that lets anybody in the world log in and use their DNS. Uhm. Yeah.

Well, it could be useful while travelling if you have a high-bandwidth computer at home. And anyway, who wouldn't give up 97% of their bandwidth just to use up Microsoft's resources?

--

cool hack but... (1)

mudpup (14555) | more than 13 years ago | (#789677)

This sounds like a cool hack but
If you dial in from here in the united states the number the call was placed from will be loged.
Some fool will be dialing in from home, and the next thing that happens will be the man knocken on the door

Re:Nice backdoor, but how is that free? (1)

SEWilco (27983) | more than 13 years ago | (#789678)

Maybe Microsoft can bill the DNS server for the service.

Re:Just so that everyone knows, this may be for re (3)

Orgasmatron (8103) | more than 13 years ago | (#789679)

You may have missed the Pigeon Tunnel as shown in RFC 2549.

Link Here. [isi.edu]

Re:The bigger questions... (2)

mosch (204) | more than 13 years ago | (#789683)

  • mainstream: not particularly
  • because we can: mostly
  • slashdot material: definitely.
  • meaningful project: yes, there are lots of meaningful projects. Perhaps you should work on one now, rather than post to the timesuck which is /.
  • enlightenment on a palm iii: I'd love to see this, mostly for the hardware hacks which would have to be accomplished first.

If you've never wasted time on a technical project solely because you wanted to see if you could do it, then you probably aren't that good of a geek anyway. I think most geeks have done some ludicrously unproductive things solely as mental exercises or even just as jokes. Who cares? If you want them to be productive then start a company and hire them. Until then, no, you're not their manager.
----------------------------

Re:Practical uses for tunnels (1)

QuMa (19440) | more than 13 years ago | (#789685)

search for http tunnel on freshmeat, can't be to hard...

Re:Practical uses for tunnels (1)

QuMa (19440) | more than 13 years ago | (#789687)

s/to/too/

Re:The bigger questions... (1)

Porag_Spliffing (66509) | more than 13 years ago | (#789690)

You ask
is this really primary Slashdot story material? Like much of what is hacked out there, it strikes me as a minor (albiet clever), nearly useless end product with an extremely limited audience that might use it.

That sounds just like Linux so of course it's a slashdot story ;-)

Re:Nice backdoor, but how is that free? (1)

Garpenlov (34711) | more than 13 years ago | (#789693)

It's free because the person doing it doesn't have to pay for it. Someone will have to pay for it, but as long as it's not us, who cares?! We all deserve free internet access, especially at the expense of Microsoft. It's perfect! <sarcasm off>

I pee over everything (1)

Skynet (37427) | more than 13 years ago | (#789697)

Remember those tee shirts that said "IP over everything!" Those rocked. Anyone know where I can get one now?


Whoa! (2)

dorzak (142233) | more than 13 years ago | (#789699)

That may explaine some recent things I have heard of. I know of at least 3 networks who have seen higher than normal loads on their DNS servers.

It may not be up to playing quake but for playing a MUD, or getting e-mail it would be great.

So where is the link... (1)

Demona (7994) | more than 13 years ago | (#789701)

...for those DNS-based MUDs?

- Ololiuhqui

redheaded giant

Just Like Collect Calling (5)

hanway (28844) | more than 13 years ago | (#789702)

Sounds exactly like the IP equivalent of declining a collect call from "Itsaboy Eightpounds".

Re:Perfect timing... (2)

Captain Derivative (182945) | more than 13 years ago | (#789703)

What the f[s]ck is pornographic about foreign language translations?!!??!

I believe the reasoning is that you could use the "Translate Web Page" option on BabelFish [altavista.com] to translate a porno site's page. Then, since the URL of the page you load comes from babelfish.altavista.com and not blockedpornsite.com, it gets past the filter proxy. What you get back is a page with a bunch of porno pics and some translated text, without setting off the filter proxy.

So, I'm sure that's the suits' reasoning behind it. Of course, it's completely stupid, since there is a huge legitimate use for BabelFish (actually translating pages or text!). I don't agree with this decision at all, but I'm 99% sure it's why they chose to do so.

BTW, good luck trying to convince them to remove CyberPatrol or, even better, get CyberPatrol to deblacklist BabelFish. But just think of all the warm fuzzies you'll have knowing that your inability to translate foreign languages is Protecting The Children (TM).


--

Practical uses for tunnels (2)

micahjd (54824) | more than 13 years ago | (#789704)

This DNS tunnel is neat, especially since I have always been a fan for HTTP tunnels. The only reason to build a tunnel is to circumvent security. But one must remember the hacker ethic:

It's ok to get around a little security in order to get more work done

One great example of this is in a paranoid school or company that firewalls outgoing traffic. They allow telnet, but not SSH. My home machine only accepts SSH. (for obvious reasons) A little tunneling, and presto, I can secure shell to my home computer.

Especially nifty is using http tunnel to establish a secure shell then using the secure shell to tunnel other protocols with encryption

TCP to UDP through DNS? (2)

CynTHESis (196082) | more than 13 years ago | (#789705)

Couldn't you hack out a pseudo-driver to pull tcp emulation over the udp connection , i.e. encapsulating the pseudo-driver's tcp request and shooting it through the program sending the udp datagrams and providing some error control. Then just make sure that both sides have regular querying so it goes both way's? That way almost all programs out there could use it, albiet slow and you may have to play around with some timeout values but it should work. Maybe call it the fums0 pseudo device?

Re:Perfect timing... (3)

Thing 1 (178996) | more than 13 years ago | (#789706)

pb said: Babelfish is a proxy; you can use it to load blocked sites by having altavista do the heavy lifting.

Oh. Thanks, hadn't thought of it like that.

Still doesn't make it right -- we need to translate. We have several Russians at our main site, and we also have locations around the world.

The point of having Internet access shouldn't be what not to use. I don't use my work phone to call 900 numbers; I don't need to be told not to.

If an employee is wasting company time looking at porn, blocking his access isn't going to improve his performance. You have an individual problem -- a problem that his manager should have the balls and training to deal with.

When management gets weak, they start putting the thumbscrews to the employees.

"Praise in public, punish in private." Words to live by. Also "Don't punish the group." Break either of those rules and you're not a good manager.



OK, I'm done bitching but typing the above has given my brain time to react. So here's my idea: Babelfish should have a "http://babelfish.altavista.com/cyberpatrol" area (and ".../netnanny", etc.), which has that software's settings in it. Then companies could open their firewall to that subtree of BabelFish, so their employees could translate without masturbating.

Even better, they could create "http://babelfish.altavista.com/microsoft", for example, to have a portal with Microsoft Human Resources-blessed NetNanny/CyberPatrol settings. And only that subtree would be accessible to Microsoft employees through the Microsoft firewall.

You have to turn political to get anything done.

--

Re:Perfect timing... (1)

xinit (6477) | more than 13 years ago | (#789707)

Apparently the number six translates into a questionable word in some languages. I must be protected from offensve numbers as a voter.

Latency Can't Be as bad as this, WAS: Nice Backdoo (1)

fwc (168330) | more than 13 years ago | (#789727)

Nah, the very definition of bad latency is the transmission of IP as defined in rfc1149 [isi.edu] , and with guaranteed "Quality" of Service as defined in rfc2549 [isi.edu] .

Other interesting concepts in IP transport can be found in RFC's 1216 [isi.edu] , 1217 [isi.edu] , 1926 [isi.edu] , and others.

Unfortunately, this seems like (almost) as bad of an idea - and it seems like this might just be for real.

Re:Perfect timing... (2)

pb (1020) | more than 13 years ago | (#789728)

Hey, I completely agree; the same arguments apply in the home, too. (manager->parent; employee->child)

There are a couple of other solutions, too. If you actually filter incoming *content*, then you can block what actually gets to the user; this could be done by having a proxy/firewall for the business, and only allowing web access to that. (unless you implement, say, a DNS/HTTP tunnel, or something equally ludicrous. ;)

The problem with that is, content filtering doesn't work very well. Often, people can't correctly identify or distinguish offensive material from art or literature, or have differing opinions, ("Huckleberry Finn", for example; I say it is literature, and relatively accurate period historical fiction; other people obviously don't know enough about the period...) so you really can't expect a computerized regexp parser to be even *that* good. ...and when it comes to analyzing, identifying and parsing images, well, a 5-year-old does a better job of that, still.

Therefore, we've already shown that filtering by URL often doesn't work, and accurate content filtering is pretty much impossible with today's technology, so it's gonna be unfair, and it's not the answer.

However, I believe you can buy software like babelfish from SYSTRAN [systransoft.com] , so suggest that to your boss instead. Heck, it'd probably be quicker to do it locally, and more full-featured as well.
---
pb Reply or e-mail; don't vaguely moderate [ncsu.edu] .

Re:Just so that everyone knows, this may be for re (1)

Gurlia (110988) | more than 13 years ago | (#789729)

How 'bout an ICMP tunnel?

Spoof the source address of an outgoing ICMP packet, so that the firewall sends the reply to an external host, which then interprets the ICMP packet, and sends the reply in the same way. I know this wouldn't quite work as is, but with some effort, I'm sure somebody can find a feasible way to do it....

Just imagine... a sequence of ACK and NAK packets representing the bitstream of an incoming file from a blocked external host... Mmmmmm :-)
---

Flow control (2)

mindstrm (20013) | more than 13 years ago | (#789730)

Actually, adding your own sequencing should not be necessary, as mentioned here. You do not need to guarantee delivery; tcp will take care of that.
All you need is a somewhat reliable packet delivery system.

Re:Just Like Collect Calling (1)

whatnotever (116284) | more than 13 years ago | (#789731)

Beautiful...

"AtSchool PickMeUp"

I love it...

Re:This is ridiculous! (2)

Spyky (58290) | more than 13 years ago | (#789732)

Well, if someone sets up a DNS server somewhere with a static IP and runs this NSTX protocol on it, and gives out its IP, then anyone an access the internet through PPP dialups anywhere. No one said the server running the tunnelling protocol has to be YOUR server.

Spyky

The bigger questions... (3)

apk (120253) | more than 13 years ago | (#789733)

Egads. This story really raises many questions for me.

  • Is there any useful, mainstream purpose to this or reason for taking the time to develop it? Or was it solely a "because we/I can" exercise?
  • Is this really primary Slashdot story material? Like much of what is hacked out there, it strikes me as a minor (albiet clever), nearly useless end product with an extremely limited audience that might use it.
  • Are there not a plethora of interesting, meaningful software projects out there that could use the talents of folks like this? Is it just a matter of hooking the two parties together somehow (clearly an entire Slashdot topic in and of itself, I realize)?
  • Will the developers' next accomplishment (making Slashot headlines?) include something similarly as earthshaking, novel, and absurd as "Enlightenment on a Palm III!"
Slashdot clearly has a reader base of engineers, programmers, et. al., that is arguably part of the very top few percent of developers and professionals out there in terms of technical knowledge, talents, and abilities. But dammit, folks, sometimes you ought to ask yourselves "Should I spend my energies and time on this?" before too quickly (and I realize we're all guilty of this at times) diving into the Sea Of Details known as how.


Andy

More neat DNS tricks (1)

MoOsEb0y (2177) | more than 13 years ago | (#789748)

try running this:
dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(){print pack("H32",$_)}' | gzip -d
Enjoy css_descramble.c :)

Babelfish does NOT proxy graphical porn (3)

elgardo (117823) | more than 13 years ago | (#789749)

Far from it, hun. Babelfish only translates the text. It does not translate the IMG tags other than to modify the source, so that the source still comes from the original site. Try to translate a porn site and "view image" on any of the graphics. Look at the URL for the graphic.

So while your pornographic novel might be translated to French for you, the actual image is blocked by your local Net Nanny.

I think the REAL reason Babelfish is blocked, is because it allows you to read all the foreign "dangerous opinions" that you're not supposed to know about. I mean... what would Americans do if they found out that Europeans have more vacation time than they do?

This is actually useful (4)

crisco (4669) | more than 13 years ago | (#789750)

There are quite a few countries (mostly in the Middle East) where most or all of the internet traffic runs through the government's censor/monitor servers that make CyberPatrol look like freedom. And when they come knocking on your door cause they don't like what you are posting they don't file injunctions, they execute you.

Take a look at this page [ijs.co.nz] . You'll see what has to be done to get a secure and free internet connection. Now imagine adding this DNS hack to the arsenel. Until the shortminded people monitoring you catch on, you don't have to worry about losing the open port you've been using and can spend more time covering your tracks and communicating your ideas to the free world (or downloading hot Arabian pr0n).

So it does have a use. And it is a nift hack.

Re:Perfect timing... (1)

Pfhor (40220) | more than 13 years ago | (#789751)

if you really want, i guess you can setup a cache box at home, to load babelfish the same way it loads foreign pages, so you can then have it load porn err i mean translations for you.

Re:Damn! What a cool hack! (1)

jareds (100340) | more than 13 years ago | (#789752)

I've heard of IP over uucp email, but this is really, really clever. Only, if you were running the server side of things, presumably, you could be traced. So, you would NOT want to use a server you owned. Who would set these up? Or does one rely on being able to compromise some host where the root password is "secret"?

Huh? What are you worried about? How would you get in trouble for running a DNS that allows tunneling on a server you own? If anything, people actually calling Microsoft PPP lines and accessing the Internet through your server might get in trouble, but I don't see how you would.

Firewalls (2)

Chris L. Mason (3425) | more than 13 years ago | (#789753)


Forget about free dial-up access, this has other wonderful uses, such as bypassing corporate firewalls.

If you're on an internal network, no matter how protected it may be by firewalls, routers, etc., as long as you can make DNS queries to public systems, you can tunnel out. Combine this with ssh and you've got yet another way for internal data to untraceable escape your network.

I can imagine lots of network managers getting a headache after reading this and rushing to review their firewall rules.

The next step would be to see how this might work through an intermediary DNS server in cases where you can only access an internal name server which is the only system allowed to query external nameservers. Might need a ttl of 0 though, don't know if that would be respected.

Re:what will they think of next?--over saltwater (1)

banjo D (212277) | more than 13 years ago | (#789754)

How about this one, . read your email from a submarine [military.com] . The link that led me to that one (which I've now lost) I think called it PPPoH2O.

Re:Just Like Collect Calling (3)

linuxonceleron (87032) | more than 13 years ago | (#789755)

Heh, so long as you don't get a real operator you're safe...

Operator: What Number?
Me: *plays dumb and keys in the number*
Operator: You have to say it hun...
Me: six one oh ...
Operator: Your Name?
Me: Come Pick Me Up
Operator: No, I want your real name..
Me(asian voice): Cum PackMup!
Operator: no no no, I want your *real* name!
Me: Cum PackMup, me no understandy
*click*

Re:Practical uses for tunnels (2)

orabidoo (9806) | more than 13 years ago | (#789756)

why don't you just run a ssh daemon on your home machine, on a port that they do allow, like the telnet or http one?

I really don't think they can get to you... (1)

CptnHarlock (136449) | more than 13 years ago | (#789757)


I haven't seen any "user licenses" for DNS servers stating that you may not tunel traffic through them.. At the most they might block your IP# or network, but that should be about it..

--
"No se rinde el gallo rojo, sólo cuando ya está muerto."

Re:Perfect timing... (1)

mike_g (24445) | more than 13 years ago | (#789758)

Yes, the url of the page comes from babelfish, which should get past the proxy. But the images themselves come directly from the blockedpornsite.com and won't make it past the filter.

Re:Firewalls (1)

jareds (100340) | more than 13 years ago | (#789759)

The next step would be to see how this might work through an intermediary DNS server in cases where you can only access an internal name server which is the only system allowed to query external nameservers. Might need a ttl of 0 though, don't know if that would be respected.

Um... I think an itermediary DNS server is how it's intended to be used. After all, if you're able to connect to port 53 of arbitrary servers, you can just use a regular IP tunnel through that port.

Re:Practical uses for tunnels (1)

qnonsense (12235) | more than 13 years ago | (#789760)

Do you have a link to HTTP tunneling software?

Hmm... (1)

meaple (188347) | more than 13 years ago | (#789761)

Well you can now freely look at Natty pr0n and not get caught? Is that what youre telling me here?

Everyone loves a free ride (1)

jjr (6873) | more than 13 years ago | (#789767)

These did not only to get a free ride. Also there is the hack value of this. Next I would like to see IP over FTP.

Re:cool hack but... (1)

Chas (5144) | more than 13 years ago | (#789768)

That's the point though. You don't use this at home. You use it as a "free" roaming dialin.

Using this from home is almost like cracking bank computer systems from your house.


Chas - The one, the only.
THANK GOD!!!

Re:Nice backdoor, but how is that free? (1)

hayden (9724) | more than 13 years ago | (#789769)

You crack some elses machine, install it on there.

I'm sure there are thousands of clueless linux users out there who have the requirements for a suitable host,
1) fast, always on internet access
2) rant about how secure linux is and have a box an eight year old could get root on

btw I like linux, but for security, go openBSD.

another option (1)

Symbiosis (39537) | more than 13 years ago | (#789770)

Tell your boss, since the filtering software blocks a once-useful productivity tool, he/she needs to spend a small fortune in translation software to enable you and your co-workers to do their jobs. Perhaps the prospect of having to actually spend some money may make them reconsider such strict blocking policies. :-)

Re:The bigger questions... (1)

ajf (7321) | more than 13 years ago | (#789771)

Is there any useful, mainstream purpose to this or reason for taking the time to develop it? Or was it solely a "because we/I can" exercise?

I'd say it's the latter. It might be useful for getting around an unfairly restrictive firewall, but you'd have to be desperate.

Is this really primary Slashdot story material? Like much of what is hacked out there, it strikes me as a minor (albiet clever), nearly useless end product with an extremely limited audience that might use it.

It's absolutely slashdot material! It fits perfectly under that whole "news for nerds" thing.

Are there not a plethora of interesting, meaningful software projects out there that could use the talents of folks like this? Is it just a matter of hooking the two parties together somehow (clearly an entire Slashdot topic in and of itself, I realize)?

Well, that is a huge topic - this is a "because it was there" effort, I'm sure, so it's more a question of what the developers find interesting than not being aware of anything better to do...

Will the developers' next accomplishment (making Slashot headlines?) include something similarly as earthshaking, novel, and absurd as "Enlightenment on a Palm III!"

Bah! Enlightenment is nothing but eyecandy; I doubt its users could deal with the strict, bare functionality approach of the Palm GUI.

hidden sid (1)

xjesus (231140) | more than 13 years ago | (#789772)

Neat! Seems like anyone could keep their own current discussion on /. using this. just set the sid= to whatever you want and tell your friends to go there. There's even a current void of random posts on the plain comments.pl
Maybe someone will have a L337 Haxxor warez list/post using a hidden slashdot sid... lol

Re:The bigger questions... (1)

apk (120253) | more than 13 years ago | (#789773)

I never said it wasn't interesting.
I never said it didn't have a hack value.
I never said it wasn't cool.

I said that there are cool, interesting, major-hack-value things one can work on that would be much more useful and usable by many more people. My goal wasn't to rain on their parade -- obviously, and to their credit, they successfully tackled some challenging issues -- but to let others realize that there are bigger, better parades to march in.

Each of us has the power of choice. Which parade(s) do you choose? And just as important, Why?

Andy

Microsoft security policies (2)

Shoeboy (16224) | more than 13 years ago | (#789774)

Even better, they could create "http://babelfish.altavista.com/microsoft", for example, to have a portal with Microsoft Human Resources-blessed NetNanny/CyberPatrol settings. And only that subtree would be accessible to Microsoft employees through the Microsoft firewall.
Microsoft's an odd choice for that example. They're actually one of the more enlightened employers out there.
Microsoft only screws its customers, it treats employees quite well.
Pity the 3 main campuses are in the middle of nowhere.
--Shoeboy

Ok, now... (1)

pen (7191) | more than 13 years ago | (#789775)

The real cool hack would be to then do DNS over that TCP layer, and then do TCP over that again.

--

Theft of service (1)

Null_Packet (15946) | more than 13 years ago | (#789776)

Hey people, this is still FRAUD if you're using a number of a service for which you don't have an account. Even if it can be devised technically, it doesn't make it legal or ethical.
Beware of the 'Just because I can'.

That's actually *usefull* (1)

msergeo (230476) | more than 13 years ago | (#789777)

I see that many people start talking about corporate firwalls... I have a great firewall: US. I'm travelling there and I can not find suitable FREE ISP access. This hack might change it :]

finally some free stuff from micro$oft (4)

Jrod5000 at RPI (229934) | more than 13 years ago | (#789778)

mmm free internet access from microsoft... guess we don't need MSN anymore :) i wonder when people will start distributing this hack by mass-mailing CDs to every home in the country.

Re:So where is the link... (3)

JArneaud (25121) | more than 13 years ago | (#789779)

Well, lemme try this karma-whoring thing out for a change (grin).

Link one: http://www.kanga.nu/arch ives/MUD-Dev-L/1998Q4/msg00164.php [kanga.nu]

Link two: http://www.samurai.com/list s/bryans-list-1998/0398.html [samurai.com]

I haven't tried it because I'm stuck on a windows box without a decent nslookup but it looks simple enough.

Good job (1)

xercist (161422) | more than 13 years ago | (#789780)

Congratulations, guys, I always appreciate a good hack, and making an IP tunnel over dns is something I'd never even have thought of. Keep up the good work.

--

Just so that everyone knows, this may be for real. (5)

Svartalf (2997) | more than 13 years ago | (#789783)

There was this little item in Bugtraq that I stumbled across while trying to hit thier site (doing a Google search for "DNS tunnel")- seems someone previously did a demo of this exploit with the intents of putting in Phrack, deciding to put it up in Bugtraq instead.

Look here [neohapsis.com] for the info in question.

Letsee now...

HTTP Tunnel.
Mail Tunnel.
Now, DNS Tunnel.

Wonder what wonders they'll come up with next.

Re:finally some free stuff from micro$oft (1)

Aerolith_alpha (85503) | more than 13 years ago | (#789785)

isn't that kinda expensive? I had to do a direct mail piece for a company i worked for, and having large quantities of CD's presses is not a cheap as you might think :(


mov ah, 0
mov al, 13h
int 10h

All at the expence of Microsoft (1)

jasamaman (221350) | more than 13 years ago | (#789787)

I'd may for microsoft for suffer, but I guess now, I don't have to.

Re:Just Like Collect Calling (1)

DavidTC (10147) | more than 13 years ago | (#789791)

Yeah, but the great thing is, having an operator listen and decline fake names costs more then just letting then go though. Letting them go though costs the phone company like 1 cent, whereas they have to pay an operator a bit more then that, even for 10 seconds. :)

-David T. C.

Re:The bigger questions... (1)

demon (1039) | more than 13 years ago | (#789792)

Yeah yeah yeah. There are better things these people could spend their time on, I suppose. But this is really interesting (making things do stuff they weren't intended for), and has major hack value. Also, it's just plain damned cool. We _are_ hackers, after all. May as well do interesting stuff.

And if you don't want to hear about stuff like this... well, you DID choose to read it, now didn't you?
_____

How about fingerd as the poor man's web server?! (5)

SlushDot (182874) | more than 13 years ago | (#789793)

In the early days of the web, our local paranoid sysadmin said "no, absolutely not" to running a web server (then, NCSA, well before apache). And official policy was that we (the users) not run it either on non-priveleged ports. Anonymous ftp was also banned. Our sysadmin was a true BOFH. However! The system *did* support finger. So I thought to put one and only one HTML page into my .plan file. And access it with a funky URL:

http://hostname.tld:79/\ userid

Note the space preceeding the userid.

Totally wrong protocol to send to finger yet it worked. The HTTP protocol sends a "GET / userid HTTP/1.0" to the finger daemon. Luckily fingerd supports multiple userid lookups at the same time. Naturally 'GET' and '/' and 'HTTP/1.0'resolve to invalid users, but userid retrieves the .plan file!

Since HTTP ignores stuff preceding the <HTML> tag, my web page rendered correctly! From a system where such things were prohibited! Woo hoo! In your face Woods (the sysadmin back then)! Of course, few people cared back then as the web was a whacked far out academic project. Gopher was the big thing back then. Blargh.

Re:Dammit! (1)

Jrod5000 at RPI (229934) | more than 13 years ago | (#789794)

right...

Re:finally some free stuff from micro$oft (1)

divec (48748) | more than 13 years ago | (#789795)

> mov ah, 0

> mov al, 13h

> int 10h

Checkmate.

WOW! Companies dont usually LOG DNS queries... :) (2)

Cybersonic (7113) | more than 13 years ago | (#789796)

This opens up a LOT of posibilities... Most companies do not log DNS queries, at all... NSTX along with SSH are almost a guarenteed way to hide traffic going in and out of a firewall in most companies...

Also, as far as i know, most firewalls that implement stateful inspection, do not support statefully inspecting DNS queries... (im going to have some fun with this little program ;) yyesss!

Re:I really don't think they can get to you... (1)

pacc (163090) | more than 13 years ago | (#789797)

Well, they wouldn't block your phone.
But your fake DNS server would go down with anything else on that server - IP's don't respond well to abuse right?

Re:Microsoft security policies (1)

lisa (19611) | more than 13 years ago | (#789798)


Are you implying Microsoft allows its employees to 'masturbate while translating' at will?
Crazy, whacky microsoft people. They let those guys get away with anything.
What will they think of next?

Lisa

Re:Flow control (1)

xhypertensionx (229085) | more than 13 years ago | (#789799)

Its not using TCP, its using UDP. TCP is what makes the delivery reliable (its connection-oriented). UDP is connection-less and therefore not as reliable, which is why you need your own sequencing. Sorry to rebut you. No offense

Re:The bigger questions... (1)

Fred Ferrigno (122319) | more than 13 years ago | (#789800)

Well, that is a huge topic - this is a "because it was there" effort, I'm sure, so it's more a question of what the developers find interesting than not being aware of anything better to do...

I think the guy's point is that there's a lot of other stuff that can be done "because it was there," and some stuff that's more important and more interesting while retaining the same hack value. I don't know what those things are, as most things that have hack value and broad impact are usually done really quickly, often by large corporations.

--

If memory serves, this was in Phrack at one point. (2)

Svartalf (2997) | more than 13 years ago | (#789801)

I think I've seen this mentioned somewhere in Phrack while I was doing searches on something else. Nobody, however, has bothered to "officially" implement this sort of tunnel (but with Ethertaps and PPP tunneling, I'm surprised that someone hasn't...)

Re:The bigger questions... (2)

Admiral Burrito (11807) | more than 13 years ago | (#789802)

Is there any useful, mainstream purpose to this or reason for taking the time to develop it? Or was it solely a "because we/I can" exercise?

This could be used by people trapped behind the Great Firewall of China to access "subversive" material.

Re:Should be fixable... (1)

ghoti (60903) | more than 13 years ago | (#789803)

That's what I thought, too. Or they could simply block DNS requests to any machine other than their own DNSs. That should be possible with a bunch of firewall rules.

Well I've got one too (2)

The OPTiCIAN (8190) | more than 13 years ago | (#789804)

I've posted it once before on slashdot, but what the hell.

The Email Bounce File System (EBFS)

It works like this: You break data up into 100k packets and send them to integrity@microsoft.com. You then have a program waiting for the bounces which picks them up when they come back (the bounced packets) and sends immediately sends them on again. Sure - the latency isn't wonderful, but it's infinitete bandwidth! And it even supports Raid-5.

Somebody once mentioned to me that this wouldn't work on some systems, that mail gets cached somewheree on the way, but the point is, it's not on my hardware, so why should I care?
Right?

Right?


Not really an issue for proxy based ones (2)

TheLink (130905) | more than 13 years ago | (#789805)

If I really wanted to, I could just stop allowing dns queries for external hosts. Then internal users can only query for internal hosts, e.g. xxx.mydomain.com

It won't break anything. Things will still work - http, ftp, smtp. Because they are all via proxies. The proxies do the work.

Right now I just allow it for convenience.

The viable way to tunnel through this is via http or ftp, however if username-password authentication is required (like it is here), such abuse is unlikely.

In fact with the username-password system, you don't really need to bother filtering out sites, you just warn the relevant users if they're going too far - e.g. if warez/mp3 sites keep popping up in the logs and the pipe is congested, and the bosses start to notice and ask questions...

Cheerio,
Link.

This is ridiculous! (3)

Darkforge (28199) | more than 13 years ago | (#789806)

You have to run this software as a nameserver. A fake nameserver, granted, but a nameserver nonetheless. To do this, you have to have a working bidirectional TCP/IP connection.

So, you can use this 31337 Xploit to gain free Internet access... assuming you're already paying for a static IP, and you just happen to know a telephone number that lets anybody in the world log in and use their DNS. Uhm. Yeah.

I guess this is cool just for the sheer niftiness of running data through DNS; I'm sure this will soon be implemented as yet another steganographic protocol, but this isn't too useful, even for ripping off Microsoft.

Not quite free, but can be "free" access anywhere (3)

The Rizz (1319) | more than 13 years ago | (#789807)

but the operators of this fake nameserver would completely saturate a T1 with only 46 simultaneous 33.6 connections.

But it would be useful if you had one of these set up, since then you could use it for your own "free internet access" in other cities if you travelled a lot.

Also, there is another useful application of this: If you set up the target location of one of these in another country, one that doesn't cooperate with foreign authorities in tracking people down, you could have a way to communicate with the rest of the world in an (almost) untracable way.

For example, Mr. A and Mr. B are planning a revolution in a totalitarian state. It's too dangerous for them to use standard internet access, since it can be traced right back to them.
Instead, they get one of these DNS tunnels set up in some country that has no ties (or, even better, animosity) with their current country.
Then Mr. A and Mr. B can call up toll free numbers in various countries and transfer email back and forth in untracable ways to organize the revolution.

Damn! What a cool hack! (4)

Archeopteryx (4648) | more than 13 years ago | (#789808)

I've heard of IP over uucp email, but this is really, really clever. Only, if you were running the server side of things, presumably, you could be traced. So, you would NOT want to use a server you owned. Who would set these up? Or does one rely on being able to compromise some host where the root password is "secret"?

Don't get me wrong, I am all for maximizing the available anonymity of the net, but we really need a hack that has the same effect, but which uses a standard server.

All in all, I'll buy the person who though of this a beer any time he or she is in town...

Geeze... (2)

plastik55 (218435) | more than 13 years ago | (#789809)

So how long until some maker of domain servers sends them a cease-and-desist letter?

Sometimes the current legal climate, re DeCSS, the CueCat, et al, makes me wish all the good hackers knew how to stay underground instead of posting websites everywhere saying "700k 4t m3! 1 m4d3 4n 0p3n 50urc3 h4xxx0r!!!" It's the kind of thing that causes bad laws to be passed.

(before you flame, realize my tounge is planted halfway in cheek....)

Re:So where is the link... (1)

Demona (7994) | more than 13 years ago | (#789810)

No karma for you, at least from me, but thanks for the links. I'm a sucker for the creative misuse of technology [cca.org] ; combine it with a good MUD or FPS (or even a lame proof of concept :) and I'm on it like a corn dog on a stick.

Re:finally some free stuff from micro$oft (2)

Jrod5000 at RPI (229934) | more than 13 years ago | (#789811)

you're right; i was only kidding, so what we need here is a hack that somehow bills the cost of pressing and mailing to microsoft...

Re:So basically....you're wrong (3)

pabstblueribbon (219033) | more than 13 years ago | (#789815)

This sort of technology is an incredible boost to internet security. If this thing gets wide spread usage it will only cause the companies to start designing their networks properly instead of a loose hodgepodge of equipment which most companies have. Your whole spiel about being legitimate is a good point, BUT, whats the point of being legitimate if the "legitimate" people are creating crap.
I for one applaud all sorts of cracking and abuse on the internet because it only leads to a better stronger entity. The more people go about messing with everyone elses equipment/software the more those people will improve on their goods. Its called natural selection. Those companies that cannot make a better piece of equipment/software will fail and die. Which is how it should be in a capitalist economy. There is no point in a company succeeding through shoddy gear.

My piece is said.

Re:The bigger questions... (1)

SpamapS (70953) | more than 13 years ago | (#789818)

Yes, we're all a bunch of geeks with way too much time on our hands. That said, this has a use, just like http tunneling. Its just another way to get around controls. *And* it is a whiz-bang cool use for existing protocols. Thats what real *hackers* do... not crackers, hackers.

Re:Just Like Collect Calling (2)

jesser (77961) | more than 13 years ago | (#789820)

Sounds exactly like the IP equivalent of declining a collect call from "Itsaboy Eightpounds".

A similar scheme: several websites (such as webwirelessnow.com [webwirelessnow.com] ) are offering interesting free services for cell phone users who can recieve text messages for free.

First, the user signs up on the website and gives their phone number, what types of news they're interested in, what stocks they want to keep track of, etc. Then whenever they want updated information, they call a phone number belonging to the company and hang up immediately after the first ring. This is enough time for the internet company to determine the phone number of the caller, and within a minute the cell phone user recieves a text message with the desired information.

--

Re:Not quite free, but can be "free" access anywhe (1)

The Rizz (1319) | more than 13 years ago | (#789823)

Which is great because toll free numbers have no calling records.. mwuahahaha. No.

Which is why I said to use (toll free) long distance numbers into other countries - preferrably ones without good ties to your curent one. (You really think the US would help Iraq hunt down dissidents?)

Also, you're forgetting one VERY important principal: public telephones - plug into a public telephone and dial in with that. Plenty of waiting rooms have phone jacks, and there are still some handset-->modem devices available out there to make use of.

If you're smart about it, you can be untracable via public telephone systems, and even private ones. You don't need to stay on long if you just grab email through it.

Re:Practical uses for tunnels (2)

ry4an (1568) | more than 13 years ago | (#789824)

Or because some corporate firewalls verrify that that traffic is really HTTP, not just check the port number.
--

Re:TCP to UDP through DNS? (2)

ry4an (1568) | more than 13 years ago | (#789825)

If you read the article that's what he did. They emulated the guaranteed delivery of TCP on top of the fire-and-forget connection that was provided by the DNS conduit.
--

AARRGH!! (2)

Shoeboy (16224) | more than 13 years ago | (#789827)

Once, while visiting the mens room on the second floor of building 11, I noticed a spent packet of lubricating jelly left behind by a previous inhabitant of the stall.
I'm not sure if there was any translation going on, but it seems plausible.
--Shoeboy

Re:The bigger questions... (2)

G27 Radio (78394) | more than 13 years ago | (#789828)

At the very least this is another "proof of concept." Encapsulating traffic in unexpected places (HTTP, DNS, or even ICMP traffic) is neat stuff. It's also important from a security standpoint. Many firewalls pass DNS traffic unrestricted through UDP port 53 (DNS.) If you manage a network where users might be able to do this, then this kind of information is good stuff to know.

BTW, one of the reasons Slashdot is as popular as it is is because they know which articles are most interesting to the bulk of their readers--why do people still keep second guessing them?

numb

Re:finally some free stuff from micro$oft (1)

OTri (205553) | more than 13 years ago | (#789829)

Initializes VGA mode 13h. 320x200x256colors. woo hoo! :)

It's a VGA BIOS interrupt call.

Re:Perfect timing... (1)

pb (1020) | more than 13 years ago | (#789830)

Babelfish is a proxy; you can use it to load blocked sites by having altavista do the heavy lifting.

See if they block the zippy filter, too... :)
---
pb Reply or e-mail; don't vaguely moderate [ncsu.edu] .

what will they think of next? (1)

aozilla (133143) | more than 13 years ago | (#789831)

IP over airplane banners... Read slashdot while you're sequestered in the CBS Big Brother house.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>