On 06/17/2018 11:18 AM, Vadim Pavlov via bind-users wrote:
> Just to be more clear. DNSSEC records can contain any content and can be used for infiltration/tunneling.

Ah. I think I see.

> E.g. If you request a DNSKEY record (you can encode your request in the FQDN) you will get it exactly "as is". Intermediate DNS servers do not validate the records.

You aren't talking about using the DNSSEC mechanisms to {in,ex}filtrate data as much as you are talking about {ab}using the resource records that DNSSEC uses as a vector to hide data.

> So instead of "standard/usual" TXT records you can use DNSKEY to pass data from a remote DNS server.

ACK

Thank you for the explanation.

-- 
Grant. . . .
unix || die
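
As an added example (not part of the thread), here is a structural sanity check that a monitoring point could run on DNSKEY RDATA, since intermediate servers pass the record through without validating it. The function names, the 64 to 512 byte RSA modulus bound and the sample records are assumptions made for this example.

```python
import struct

# Public-key length in bytes fixed by the algorithm (RFC 6605, RFC 8080).
FIXED_KEY_LEN = {13: 64, 14: 96, 15: 32, 16: 57}
RSA_ALGS = {5, 7, 8, 10}                  # RSA key format per RFC 3110
DEFINED_FLAGS = 0x0100 | 0x0080 | 0x0001  # ZONE, REVOKE, SEP


def dnskey_anomalies(rdata: bytes) -> list[str]:
    """Return reasons why DNSKEY RDATA does not look like a real key."""
    if len(rdata) < 5:
        return ["rdata too short"]
    flags, protocol, alg = struct.unpack("!HBB", rdata[:4])
    key = rdata[4:]
    issues = []
    if flags & ~DEFINED_FLAGS:
        issues.append("reserved flag bits set")
    if protocol != 3:
        issues.append("protocol field is not 3")
    if alg in FIXED_KEY_LEN:
        if len(key) != FIXED_KEY_LEN[alg]:
            issues.append(f"key length {len(key)} invalid for algorithm {alg}")
    elif alg in RSA_ALGS:
        issues.extend(_rsa_issues(key))
    else:
        issues.append(f"unrecognised algorithm {alg}")
    return issues


def _rsa_issues(key: bytes) -> list[str]:
    # RFC 3110: 1-byte exponent length, or 0 followed by a 2-byte length.
    if key[0]:
        exp_len, off = key[0], 1
    elif len(key) >= 3:
        exp_len, off = struct.unpack("!H", key[1:3])[0], 3
    else:
        return ["truncated RSA exponent length"]
    modulus = key[off + exp_len:]
    issues = []
    if not 64 <= len(modulus) <= 512:     # assumed bound: 512 to 4096 bits
        issues.append(f"RSA modulus of {len(modulus)} bytes is out of range")
    elif modulus[0] == 0 or modulus[-1] % 2 == 0:
        issues.append("RSA modulus has a leading zero or is even")
    return issues


# Constructed samples: a well-formed Ed25519 record and plain text labelled RSA.
GOOD = struct.pack("!HBB", 257, 3, 15) + bytes(range(1, 33))
ODD = struct.pack("!HBB", 257, 3, 8) + b"arbitrary text, not an RSA key" * 2
```

The checks are structural only, so a pass means "not obviously malformed" rather than proof of a genuine key.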