Just to be clearer: DNSSEC records can contain any content and can be used for infiltration/tunneling. E.g., if you request a DNSKEY record (you can encode your request in the FQDN), you will get it exactly "as is". Intermediate DNS servers do not validate the records. So instead of "standard/usual" TXT records you can use DNSKEY to pass data from a remote DNS server.
Vadim

> On 17 Jun 2018, at 10:07, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
>
> On 06/17/2018 10:52 AM, Vadim Pavlov via bind-users wrote:
>> DNSSEC can be used for infiltration/tunneling (when you get data from a DNS
>> servers) but there is a catch that such requests can be easily dropped.
>
> Will you please elaborate and provide a high level overview of how DNSSEC can
> be used for infiltration or tunneling?
>
> It is my understanding that DNSSEC is just a cryptographic hash that clients
> can verify by calculating their own hash over the results for the same query.
> As such, nothing is actually hidden. 1) You know the outbound query, 2) you
> know the inbound reply + DNSSEC signature, 3) you know the algorithm used to
> generate the hash, and 4) you validate the DNSSEC signature. So, what about
> that is hidden?
>
> I fail to see how DNSSEC can be a covert channel, even if there is
> manipulation in what key is used. Unless you're expiring & modifying the ZSK
> about once a second so that you can change things and try to hide using
> something like steganography. Even then, I'm not sure how well that would
> work.
>
> --
> Grant. . . .
> unix || die
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
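The point Vadim makes above is that a validating resolver only checks the signature over a DNSKEY RRset; it never checks that the key bytes inside a DNSKEY are shaped like a public key of the stated algorithm. A defender who logs DNS responses can add that missing structural check. The script below is an added example, not code from this thread or from BIND: it parses DNSKEY records in zone-file presentation format and flags key material whose length or layout does not match what the algorithm requires (fixed sizes for ECDSA and EdDSA, the RFC 3110 exponent-length prefix for RSA). The RSA modulus window of 128..512 bytes and the sample records (built in code, not real keys) are assumptions of the example.

```python
import base64
import struct

# Expected public-key sizes in bytes for the fixed-size DNSSEC algorithms
# (from the defining RFCs): 13 = ECDSAP256SHA256 (64), 14 = ECDSAP384SHA384
# (96), 15 = ED25519 (32), 16 = ED448 (57).
FIXED_KEY_LEN = {13: 64, 14: 96, 15: 32, 16: 57}
# RSA-based algorithms whose public key follows the RFC 3110 wire format.
RSA_ALGS = {5, 7, 8, 10}
# Assumed plausibility window for an RSA modulus: 1024 to 4096 bits.
RSA_MODULUS_RANGE = (128, 512)


def rsa_key_fields(key):
    """Split an RFC 3110 RSA public key into (exponent, modulus).

    Layout: one length byte (or 0x00 followed by a 2-byte length), then the
    exponent, then the modulus. Returns None when the declared exponent
    length does not fit the data, i.e. the bytes are not an RSA key at all.
    """
    if not key:
        return None
    if key[0] != 0:
        exp_len, off = key[0], 1
    elif len(key) >= 3:
        exp_len, off = struct.unpack("!H", key[1:3])[0], 3
    else:
        return None
    exponent = key[off:off + exp_len]
    modulus = key[off + exp_len:]
    if len(exponent) != exp_len or not modulus:
        return None
    return exponent, modulus


def check_dnskey(flags, protocol, algorithm, key_b64):
    """Return the list of structural problems with one DNSKEY record.

    An empty list means the key material is at least shaped like a real
    public key for its algorithm; anything else deserves a closer look.
    """
    findings = []
    if protocol != 3:
        findings.append("protocol field is not 3")
    if flags not in (256, 257):  # ZSK and KSK flag values seen in practice
        findings.append("unusual flags value %d" % flags)
    try:
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return findings + ["key is not valid base64"]
    if algorithm in FIXED_KEY_LEN:
        want = FIXED_KEY_LEN[algorithm]
        if len(key) != want:
            findings.append("algorithm %d expects %d key bytes, got %d"
                            % (algorithm, want, len(key)))
    elif algorithm in RSA_ALGS:
        fields = rsa_key_fields(key)
        if fields is None:
            findings.append("RSA key does not follow RFC 3110 layout")
        else:
            exponent, modulus = fields
            lo, hi = RSA_MODULUS_RANGE
            if len(exponent) > 8:
                findings.append("RSA exponent unusually long (%d bytes)" % len(exponent))
            if not lo <= len(modulus) <= hi:
                findings.append("RSA modulus %d bytes outside %d..%d"
                                % (len(modulus), lo, hi))
    else:
        findings.append("unrecognised or private algorithm %d" % algorithm)
    return findings


def check_dnskey_line(line):
    """Parse one DNSKEY record in zone-file presentation format and check it."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    key_b64 = "".join(tokens[i + 4:])  # the base64 may be split by whitespace
    return check_dnskey(flags, protocol, algorithm, key_b64)


# Constructed sample records (not real keys): a well-formed Ed25519 key, a
# well-formed RSA key, an Ed25519 record carrying 200 bytes of arbitrary
# payload, and an RSA record whose length prefix does not match its data.
GOOD_ED25519 = base64.b64encode(bytes([1] * 32)).decode()
GOOD_RSA = base64.b64encode(b"\x03\x01\x00\x01" + b"\xab" * 256).decode()
PAYLOAD_ED25519 = base64.b64encode(bytes(range(200))).decode()
BROKEN_RSA = base64.b64encode(b"\xc8" + b"\x00" * 50).decode()

SAMPLE_RECORDS = [
    "example.test. 3600 IN DNSKEY 257 3 15 " + GOOD_ED25519,
    "example.test. 3600 IN DNSKEY 256 3 8 " + GOOD_RSA,
    "example.test. 3600 IN DNSKEY 256 3 15 " + PAYLOAD_ED25519,
    "example.test. 3600 IN DNSKEY 256 3 8 " + BROKEN_RSA,
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        problems = check_dnskey_line(rec)
        print("OK     " if not problems else "SUSPECT", rec[:45], problems)
```

Run against the records a resolver or passive-DNS sensor actually returns, this catches the simplest form of the channel Vadim describes (key fields that are the wrong size or shape for their algorithm). A zone that pads its payload to exactly 32 or 64 bytes per record would pass, so in practice the check is combined with volume and churn metrics on DNSKEY queries per domain.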