On 06/17/2018 10:52 AM, Vadim Pavlov via bind-users wrote:
DNSSEC can be used for infiltration/tunneling (when you get data from a DNS servers) but there is a catch that such requests can be easily dropped.
Will you please elaborate and provide a high level overview of how DNSSEC can be used for infiltration or tunneling?
It is my understanding that DNSSEC is just a cryptographic hash that clients can verify by calculating their own hash over the results for the same query. As such, nothing is actually hidden. 1) You know the outbound query, 2) you know the inbound reply + DNSSEC signature, 3) you know the algorithm used to generate the hash, and 4) you validate the DNSSEC signature. So, what about that is hidden?
I fail to see how DNSSEC can be a covert channel, even if there is manipulation in what key is used. Unless you're expiring & modifying the ZSK about once a second so that you can change things and try to hide using something like steganography. Even then, I'm not sure how well that would work.
-- Grant. . . . unix || die _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
