
Tunnel IP traffic through DNS, to bypass captive portals (or firewalls)

Stratos Psomadakis psomas@ece.ntua.gr

Free Open Source Software Community National Technical University of Athens

April 13, 2011

Stratos Psomadakis (foss@ntua)

Bypassing captive portals with tunneling Part 1

April 13, 2011

1 / 21

Outline

1. DNS Tunneling: Basics, Limitations, Implementations, iodine
2. Captive Portals: Captive Portals Basics, Bypassing Captive Portals, Countermeasures for DNS tunneling
3. Summary: Conclusion, Questions


DNS Tunneling Basics

The idea: can we encapsulate IP traffic in DNS traffic? Of course! :)

We use DNS records (NULL/TXT/SRV/MX/CNAME) to encapsulate downstream IP traffic. Upstream traffic is encapsulated in the DNS queries issued on the client side, in the hostname being looked up.

The trick is to make DNS lookups for names in a zone controlled by us, which is served by a fake DNS server. Our queries reach that server through whatever resolver the network lets us use: the local resolver recurses to the authoritative server for our zone, which is us. The server reads our specially crafted requests and answers with a DNS record which contains the data we asked for, and the resolver relays that answer back to the client.



DNS Tunneling Limitations

Upstream traffic must be encoded in a hostname-safe alphabet. Base32 is the safe default, because resolvers are allowed to fold the case of names; a denser encoding (base64) only works if every resolver on the path preserves case.

DNS names are limited to 255 bytes, and each dot-separated label to 63 bytes.
  > Upstream traffic can only use up to 255 - [strlen(ourdomain)] bytes per query, split into labels of at most 63 bytes, and that is before the base32 expansion (8 hostname characters for every 5 bytes of payload).
  > Requests from the client must be fragmented and then sent as separate DNS queries (gzipping the data before encoding can improve upstream bandwidth).

Classic DNS over UDP only allows replies of 512 bytes (EDNS0 lets client and server negotiate larger replies, if the resolvers in between support it).
  > Downstream traffic must be fragmented too.

Depending on the record used to send the reply, downstream traffic may have to be encoded (i.e. base64 for TXT records). NULL records (deprecated) can provide better performance since there is no need for the data to be encoded; the price is that NULL queries stand out in DNS logs.

DNS uses UDP instead of TCP, so there is no delivery or ordering guarantee: sequencing, fragmentation, acknowledgement and correct reassembly of the packets must be implemented by the tunnel itself, in the fake server and in the client.
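To make the framing concrete, here is an added example (my own code, not the slides' or iodine's) that builds and parses raw DNS packets in both directions the way the Basics and Limitations slides describe: upstream data base32-encoded into hostname labels under the delegated zone named on the slides (io.foss.ntua.gr, used here only as a string), downstream data base64-encoded into TXT strings, with fragmentation to the 255-byte name, 63-byte label and 512-byte reply limits, and a sequence number so the server notices a lost UDP fragment instead of reassembling garbage. Standard library only; nothing is sent on the network.

```python
"""Minimal IP-over-DNS framing, following the two slides above (added
example, not iodine's code). Upstream: payload -> base32 -> labels of at
most 63 bytes under the zone, one query per fragment, name <= 255 bytes.
Downstream: payload -> base64 -> TXT strings, one reply per fragment,
reply <= 512 bytes (no EDNS0). Stdlib only, no network traffic."""
import base64
import struct

ZONE = "io.foss.ntua.gr"                     # zone name from the slides
MAX_NAME, MAX_LABEL, MAX_UDP = 255, 63, 512  # RFC 1035 limits
QTYPE_TXT, QCLASS_IN = 16, 1


def encode_name(name):
    """Textual name -> wire format (length-prefixed labels, 0 terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    if len(out) + 1 > MAX_NAME:
        raise ValueError("name exceeds %d bytes" % MAX_NAME)
    return out + b"\x00"


def decode_name(msg, off):
    """Wire-format name at msg[off:] -> (textual name, offset after it)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1


def upstream_chunk_size(zone=ZONE):
    """Base32 chars per query: 255 minus the zone and a 4-hex-digit
    sequence label, with every label costing its length plus one byte."""
    budget = MAX_NAME - len(encode_name(zone)) - 5
    full, rem = divmod(budget, MAX_LABEL + 1)
    return full * MAX_LABEL + max(rem - 1, 0)


def build_queries(payload, zone=ZONE):
    """Client: fragment payload into raw DNS query packets (bytes)."""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    n = upstream_chunk_size(zone)
    chunks = [b32[i:i + n] for i in range(0, len(b32), n)] or [""]
    pkts = []
    for seq, chunk in enumerate(chunks):
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join(["%04x" % seq] + labels + [zone])
        hdr = struct.pack("!HHHHHH", seq, 0x0100, 1, 0, 0, 0)  # RD, one question
        pkts.append(hdr + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN))
    return pkts


def server_receive(pkts, zone=ZONE):
    """Fake server: parse queries in any order and reassemble the upstream
    data. UDP guarantees neither order nor delivery, so the tunnel keeps
    its own sequence numbers and refuses to reassemble around a hole."""
    frags = {}
    for pkt in pkts:
        name, off = decode_name(pkt, 12)
        qtype, = struct.unpack("!H", pkt[off:off + 2])
        if qtype != QTYPE_TXT or not name.lower().endswith("." + zone):
            continue                # not ours: a real server would answer normally
        labels = name[:-len(zone) - 1].lower().split(".")
        frags[int(labels[0], 16)] = "".join(labels[1:])
    if sorted(frags) != list(range(len(frags))):
        raise ValueError("fragment(s) missing, got %s" % sorted(frags))
    b32 = "".join(frags[i] for i in sorted(frags)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def build_replies(payload, query_pkt):
    """Server: fragment downstream data into TXT replies to query_pkt, each
    at most 512 bytes. The DNS ID doubles as fragment sequence here; a real
    tunnel answers one client poll query per fragment."""
    _, qend = decode_name(query_pkt, 12)
    question = query_pkt[12:qend + 4]
    cap = MAX_UDP - 12 - len(question) - 12   # header, question, RR fixed part
    cap -= -(-cap // 255)                     # one length byte per TXT string
    b64 = base64.b64encode(payload).decode()
    replies = []
    for seq, i in enumerate(range(0, max(len(b64), 1), cap)):
        chunk = b64[i:i + cap].encode()
        rdata = b"".join(bytes([len(chunk[j:j + 255])]) + chunk[j:j + 255]
                         for j in range(0, max(len(chunk), 1), 255))
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 0, len(rdata)) + rdata
        pkt = struct.pack("!HHHHHH", seq, 0x8180, 1, 1, 0, 0) + question + rr
        assert len(pkt) <= MAX_UDP
        replies.append(pkt)
    return replies


def client_receive(replies):
    """Client: pull the TXT strings out of each reply, reassemble by ID."""
    frags = {}
    for pkt in replies:
        seq, = struct.unpack("!H", pkt[:2])
        _, off = decode_name(pkt, 12)
        off += 4 + 2 + 8                # qtype/qclass, name pointer, type/class/ttl
        rdlen, = struct.unpack("!H", pkt[off:off + 2])
        off, end, text = off + 2, off + 2 + rdlen, b""
        while off < end:
            n = pkt[off]
            text += pkt[off + 1:off + 1 + n]
            off += 1 + n
        frags[seq] = text
    return base64.b64decode(b"".join(frags[i] for i in sorted(frags)))
```

Two things the numbers make visible: with this zone a query carries 229 base32 characters, i.e. about 143 payload bytes, so a 768-byte packet costs six queries; and the downstream capacity of a reply shrinks with the length of the question it answers (a reply to a full-length 255-byte query name has room for only 228 base64 characters), which is why a tunnel client polls for downstream data with short names.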



DNS Tunneling Implementations

NSTX (Nameserver Transfer Protocol): the first implementation of DNS tunneling, deprecated.

OzymanDNS by Dan Kaminsky: Perl scripts, not very stable, easy to set up and run.

iodine (IP over DNS): the most recent implementation of DNS tunneling, with lots of optimizations and improvements, including autodetecting optimal values for various parameters (record type, upstream encoding, fragment size). (The chemical element iodine has atomic number 53, the same as the DNS default port :P)

And one note about security: the OzymanDNS scripts provided no authentication mechanism, so anyone who found out the fake subdomain could send arbitrary commands/data to the fake DNS server (that does not sound good :P). iodine has a very simple shared-password authentication mechanism which at least prevents such scenarios. It only authenticates the client to the server, though; the tunnelled traffic itself still travels in the clear.



Setting Up iodine

The plan: we will run iodine on animal.foss.ntua.gr. We will set up a new zone under foss.ntua.gr and delegate it to the server running iodine (animal), so that every query for a name in that zone ends up at iodined.

To set up the new zone, we add this to the foss.ntua.gr zone file (on the foss.ntua.gr server, which runs the primary authoritative BIND for the zone):

    io    IN    NS    animal.foss.ntua.gr.

We use a short subdomain name (io rather than iodine), in order to give upstream traffic more space: every byte of the zone name is one byte less of payload in each query.

Now we reload BIND (rndc reload on foss.ntua.gr) and check that the delegation is visible from outside, e.g. dig NS io.foss.ntua.gr should return animal.foss.ntua.gr. One thing to watch: the delegated queries arrive on UDP port 53 of animal, so nothing else may listen there; if animal also needs a regular name server, run it on another port and use iodined's -b option to forward non-tunnel queries to it. Then we are ready to go! :)


Running iodine

On the server side, we run iodined (as root, since it creates a tun interface and binds UDP port 53), specifying a password, the subdomain we will use, and the IP iodine will use inside the tunnel:

    ./iodined -P secretpassword 10.0.10.1 io.foss.ntua.gr

On the client side:

    ./iodine -P secretpassword io.foss.ntua.gr

Now we have a working (tun) tunnel. The client gets an IP close to the server's IP (in the same small subnet; iodine's default netmask is /27), and the two ends should be able to ping each other over the tunnel.

Passing the password with -P puts it in the process list for every local user to see; leaving -P out makes iodine prompt for it instead.


Network configuration

Of course traffic inside the DNS tunnel is unencrypted (iodine's password only authenticates the client, it does not encrypt anything), and we cannot trust all the DNS relays our traffic possibly goes through. Thus it is a good idea to set up another, secure tunnel on top of it (either with OpenVPN or with OpenSSH).

For a VPN channel, the routing table would look like this (ip route wants addresses, so resolve the hostnames first):

    ip route add my.dns.resolver via default.gateway
    ip route add my.vpn.server via 10.0.10.1
    ip route add default via my.vpn.gateway

The first route keeps the DNS queries that carry the tunnel going out through the captive portal's network (my.dns.resolver is the resolver the iodine client talks to: the local one, or animal.foss.ntua.gr itself if iodine was told to query the server directly); if the resolver were routed into the tunnel, the tunnel would try to carry its own packets and stall. The second route sends the VPN traffic through the iodine tunnel, via the server's tunnel address from the iodined command line rather than its public address, which is not a gateway on any of our links. The third route sends everything else through the VPN.

We could also have used an SSH tunnel instead. Whatever we choose, we are now ready to bypass the NTUA WiFi captive portal (hopefully :P)! (And maybe use netperf for bandwidth benchmarks ;)



Captive Portals Basics

Usually deployed with WiFi hotspots, to restrict access to the Internet. Captive portals redirect an HTTP client to a special web page before it can access the Internet (usually for authentication purposes).

There are many different implementations, which redirect the client with various techniques:
  > HTTP redirection: a firewall intercepts the client's HTTP request and forwards it to the redirect server, which responds with an HTTP 302 status code pointing at the portal page.
  > IP redirection: the request is redirected at layer 3 (IP) by a firewall, e.g. with a NAT rule that sends all unauthenticated traffic to the portal.
  > DNS redirection: all DNS queries are answered by the DNS server within the local (wireless) network, and the answer is always the IP of the captive portal.

What matters for us is which traffic from an unauthenticated client still leaves the network: with the first two techniques the local resolver usually still performs real recursive lookups, with the third it does not.



Bypassing Captive Portals

There are several ways to bypass a captive portal. For instance, it is not very difficult to find unpatched Windows hosts within the network to go through. :P Besides that, many captive portals authenticate users based on their IP/MAC address, which makes IP/MAC spoofing of an authenticated client work too. And of course DNS tunneling! :)

Not all captive portals/configurations can be bypassed with DNS tunneling: if the captive portal uses DNS redirection, the local resolver answers every query itself with the portal's address and never forwards anything to our fake server, so DNS tunneling will not work.

However, if a captive portal uses HTTP/IP redirection, it is almost certain that we will be able to issue DNS queries to the local DNS server, which will resolve them (reaching our fake server through normal recursion) and relay the replies back to us. A quick check from behind the portal: dig TXT test.io.foss.ntua.gr; if the answer comes from our zone rather than being the portal's address, the tunnel will work.

If DNS tunneling does not work, we can also use ICMP (ping) tunneling, which is very similar as a concept to DNS tunneling, provided the portal lets echo requests out.



Countermeasures for DNS tunneling

If a captive portal lets unauthenticated clients make arbitrary DNS lookups (i.e. the local resolver recurses for them), there is not much admins can do to prevent tunneling. The clean fix is to stop doing that: before authentication, answer every query with the portal's address (DNS redirection) or resolve only the portal's own names, and give clients the real resolver only after login.

Setting up firewall filters to check for suspicious hostname lookups or TXT/NULL records may help, but it can be risky (i.e. blocking valid DNS traffic by mistake). Or you can have an admin sniffing DNS traffic all day, searching for suspicious packets. :P The realistic version of that admin is a detector looking at per-client query statistics: a tunnel produces lots of long, high-entropy names that never repeat, all under one zone, often with unusual record types.
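As an added example (my own code, not from the slides), here is that per-client detector run over constructed DNS query log lines. The log format is made up for the demo (one query per line: client, queried name, query type); a real deployment would read the resolver's own query log and, instead of a fixed label depth, use a public-suffix list to find the zone. The constructed sample has one client tunnelling under io.foss.ntua.gr and two clients doing ordinary lookups.

```python
"""Heuristics for spotting a DNS tunnel in query logs (added example,
not from the slides). Log format constructed for the demo: one query per
line, "<client> <qname> <qtype>"."""
import base64
import hashlib
import math
from collections import defaultdict


def entropy(s):
    """Shannon entropy in bits per character; 0.0 for empty input."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def split_zone(qname, depth=3):
    """Return (subdomain part, zone), keeping the last `depth` labels as the
    zone. Real deployments would use a public-suffix list instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-depth]), ".".join(labels[-depth:])


def profile(lines, depth=3):
    """Aggregate per (client, zone): query count, distinct names, total name
    length, summed entropy of the subdomain part, TXT/NULL query count."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "len": 0, "ent": 0.0, "txtnull": 0})
    for line in lines:
        client, qname, qtype = line.split()
        sub, zone = split_zone(qname, depth)
        s = stats[(client, zone)]
        s["n"] += 1
        s["names"].add(qname)
        s["len"] += len(qname)
        s["ent"] += entropy(sub.replace(".", ""))
        s["txtnull"] += qtype.upper() in ("TXT", "NULL")
    return stats


def suspicious(lines, min_queries=20, depth=3):
    """Flag (client, zone) pairs that look like a tunnel, with the reasons.
    Thresholds are illustrative: tune them on your own baseline, and treat
    a hit as a lead for a human, not as a block rule."""
    hits = []
    for (client, zone), s in profile(lines, depth).items():
        if s["n"] < min_queries:
            continue
        reasons = []
        if len(s["names"]) / s["n"] > 0.9 and s["len"] / s["n"] > 80:
            reasons.append("many long, never-repeated names")
        if s["ent"] / s["n"] > 3.5:
            reasons.append("high-entropy labels")
        if s["txtnull"] / s["n"] > 0.5:
            reasons.append("mostly TXT/NULL queries")
        if len(reasons) >= 2:        # one signal alone is too easy to trip
            hits.append((client, zone, reasons))
    return hits


def tunnel_name(i, zone="io.foss.ntua.gr"):
    """Constructed base32 upstream fragment of the shape a tunnel produces."""
    data = base64.b32encode(hashlib.sha256(b"frag%d" % i).digest() * 2).decode().rstrip("=").lower()
    return "%04x.%s.%s.%s" % (i, data[:63], data[63:], zone)


# Constructed sample log: one tunnelling client and two ordinary clients.
SAMPLE_LOG = ["10.0.0.7 %s TXT" % tunnel_name(i) for i in range(40)]
SAMPLE_LOG += ["10.0.0.7 www.ntua.gr A", "10.0.0.7 www.ntua.gr AAAA"] * 10
SAMPLE_LOG += ["10.0.0.9 www.google.com A", "10.0.0.9 mail.ntua.gr MX",
               "10.0.0.9 foss.ntua.gr A", "10.0.0.9 ntua.gr TXT"] * 10

if __name__ == "__main__":
    for client, zone, reasons in suspicious(SAMPLE_LOG):
        print(client, zone, "; ".join(reasons))
```

The detector requires two independent signals before it reports a pair, because each one alone has legitimate look-alikes: anti-spam DNSBL lookups and CDN names produce streams of long, never-repeating names, and mail servers legitimately query TXT records all day. That is the "blocking valid traffic by mistake" risk from the slide, which is why the output should feed an analyst or a rate limit rather than a firewall drop rule.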



Conclusion

DNS tunneling can be a very effective way to bypass captive portals (or firewalls).

However, it comes with a cost in bandwidth/performance, and the connection is not always very stable. Nevertheless, we usually have enough bandwidth to browse the Web, or check our mail, for free! ;)



Questions?

Thank You!

Now let's try to hack NTUA WiFi! ;)
