mailing list archives
Re: [PEN-TEST] IP Tunneling over DNS
From: Wolfgang Zenker <wolfgang () JPAVES DE>
Date: Tue, 12 Sep 2000 20:28:25 +0200
Eric Thiel wrote:
I think a lot of people are missing the real danger here.
Say I run a firewall that does not allow any traffic from SubnetA to the
internet, since there have been problems with people in the department
uploading confidential data outside the company. Before this announcement I
assumed there was no way for people to get traffic out (without ANY open
ports, no tunnels are possible). Now anyone on SubnetA that can talk to a
DNS server in SubnetB (SubnetB is allowed to pass DNS traffic to the
Internet) can create a bi-directional tunnel out to the Internet.
Furthermore, unless I have some heavy logging on the DNS server, I have no
idea who is sending all the traffic.
If your DNS server in SubnetB is a bind8, you can limit clients from
SubnetA to queries for local zones only using bind's ACL syntax.
- Re: [PEN-TEST] IP Tunneling over DNS, (continued)