Dan Kaminsky Suggests Having Fun with DNS 212
boogahsmalls writes "A few weekends ago Dan Kaminsky of scanrand fame presented some pretty cool ideas involving DNS that made plenty of heads spin at the LayerOne Technology Conference. Some of his concepts included Voice over DNS and storing Knoppix in a DNS cache. He's also apparently got a couple new tools in the pipe including a scanrand based DNS scanner and a visualization suite. Could another version of Paketto Keiretsu be in the works?" (OpenOffice.org does a great job of opening the PowerPoint slideshow.)
No thanks, (Score:5, Insightful)
Nice ideas (Score:5, Funny)
Re:Nice ideas (Score:2, Funny)
use the DNS to store presentations (Score:4, Funny)
RTFPP? (Score:4, Funny)
Re:RTFPP? (Score:2, Insightful)
He does have a point.
Re:RTFPP? (Score:2, Offtopic)
Great Article (Score:5, Insightful)
Mark this as flamebait if you will, but come back in a while and read the comments, I promise there will be hardly any discussion of the paper.
Dan is obviously a very smart guy, I like his ideas about using http tunnel (it's a great program), I'm going to have to give some of these ideas a work out!
Bob
Re:Great Article (Score:5, Insightful)
Re:Great Article (Score:3, Interesting)
You're also right about the powerpoint, it would have obviously been much better for us if we'd been there to hear his presentation. It still gives us a good insight to
Re:Great Article (Score:3, Insightful)
Slides 1-10 of 44, and /.'s lameness filter sucks (Score:4, Informative)
This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements. This paragraph is random crap to keep TFLSLF happy, please ignore it. Getting this past TFLSLF was five times harder than copy-pasting the individual text elements.
Black Ops 2004 @ LayerOne
Dan Kaminsky
Introduction
What's On The Plate for Today?
/* char descrip[256] = "You'll see"; */
What is DNS
"Useful" Traits of DNS
(Very Very Abridged)
The whole presentation (Score:2)
OK, where's the "+1 Informative" mods? (Score:2)
Re:Great Article (Score:5, Interesting)
His techniques allow someone to set up a cryptographically secure network that most likely completely ignores firewalls. It features high bandwidth-high latency connection, low bandwidth-low latency connections and is virtually untraceable, even to both parties involved in the connection. An initial hostname and time would act as the 'phonenumber'. (By keeping a certain request alive, one can even implement a dailing service with TTL delay.) A message service is freely included.
It is virtually impossible to shut these networks down without replacing/patching dns. Not an easy task.
The bandwidth available to this network most likely exceeds that of most irc-botnets. Especially since the root servers are defending themselves against DDoS attacks.
The tools he's still developing might be able to trace these things but it will still require cooperation of dns server administrators (to get their logs). You will never get them all and you'll have a LOT data to process. Accorfing to this [internetnews.com] the ICS root server continuosly handles almost 8Mbps (and can handle upto 80Mbps) of traffic. I seriously doubt they can log that... (if so, transferring the logs would continually consume a healthy percent of the servers bandwidth.)
Pretty smart man indeed and very idealistic or shortsighted. Both the right and the wrong sort of people would pay a lot of money for that...
Anonimity is just starting... (Score:2)
a DNS-based network could provide a high-latency high-bandwidth madium. Just think about where you heard those two properties before: Freenet! A DNS based freenet might be very hard to stop indeed!
Re:Great Article (Score:3, Informative)
Re:Great Article (Score:3, Insightful)
(I directly name Zalewski in one of my apps; believe me, if I had seen this, I'd have credited him.)
--Dan
Re:Great Article (Score:2)
conducting conference calls through firewalls
by hijacking DNS servers, and you can use the
term "merits"?
Demerits maybe.
Re:Great Article (Score:3, Insightful)
What you're overlooking is, if Dan could have these ideas, so could someone else. By sharing his ideas publically, he's giving whitehats and blackhats a level playing field.
Consider also, many common auditing tools were once considered blackhat programs. For example, If Mr. Kaminsky had written scanrand in the late 90's / early 2000's, back when port scannin
Dan Kaminsky (Score:2)
1. Surround self with RFC's for core internet protocols.
2. Ingest large quantities of something very hallucinogenic, yet not very legal.
3. Give the RFC's the Fruit Fucker 2000 [penny-arcade.com] "rode hard and put back wet" treatment.
4. Put together a group of proof-of-concept tools that make intelligent people who have worked in networking for years say "Shit, just when I thought I knew this stuff
Re:Great Article (Score:2, Informative)
I don't have PowerPoint here either... Or OO.o.
Re:Great Article (Score:3, Informative)
Re:Great Article (Score:5, Informative)
Re:Great Article (Score:2)
Search Service (Score:5, Funny)
Re:Search Service (Score:2)
No, this is the fun sort of DNS abuse -- things like using a DNS server as a covert communication channel, with a data rate of a few bits per minute.
Another pointless piece of information: (Score:5, Funny)
Re:Another pointless piece of information: (Score:5, Funny)
1: Funny retort about clippy, modded +5 insightful
2: Serious post defending Power Point, modded -1 Flamebait
3: Humorous post about necessary height of a post to go over one's head, modded +2 interesting
4: Serious post questioning the connection between wooden posts and the stability of Microsoft Software, modded +2 Funny
Meta comment about the rediculousness of it all: Priceless.
Re:Another pointless piece of information: (Score:2, Funny)
You missed - Post about spelling bee champ in tears.
Re:Another pointless piece of information: (Score:4, Funny)
A Slashdotter who can't spell "ridiculous": inevitable.
Crazy! (Score:5, Insightful)
I could swear BIND and its config file is considered, along with Sendmail, one of the most convoluted programs in Internetdom. It, again along with Sendmail, is historically also one of the most bug-ridden and exploited.
And now someone is suggesting futzing around with it?! Why not just change your domain to "rootmeplease.com" and get it over with?
-Charles
Re:Crazy! (Score:2)
If you think they are on the same level, you didn't even bother reading anything about either.
Re:Crazy! (Score:4, Informative)
Re:Crazy! (Score:2)
A recent Slashdot article (or maybe it was one of the comments attached to the article) pointed out an easy cache-poisoning DoS attack on djbdns. Are you still sure you want to use it?
Re:Crazy! (Score:2, Informative)
In it someone did phase-space analysis of the PRNGs used in DNS, and combined it with a birthday paradox style attack. In it, an attack on BIND 8 was shown to be 100% likely to succeed, BIND 9 20% and DJBDNS was 30%.
However, if you read the rest of the article, it points out that DJBDNS also uses a strongly random source port for the query, making it significantly more resistant to the attack, as the attacker would have to guess
Re:Crazy! (Score:2)
Wrong. dnscache (from the djbdns package) is not vulnerable to poison [cr.yp.to] and never has been. You are probably thinking of previous versions of BIND.
Re:Put up or shut up. (Score:4, Interesting)
The djbdns security guarantee
I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns.
Examples of problems that do not qualify:
* Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)
Says it right there. It's a DoS attack that, by means of a series of specially-selected queries, forces worst-case behavior out of the caching algorithm.
Re:Crazy! (Score:3, Interesting)
how the fuck can you say djbdns is easier than bind? if i want an A record in bind it's "IN A" (see, easily understood). if you want the same in djbdns it's some cryptic characters that make no sense (and is, of course, undocumented, or was last time i needed it).
now the best part. there's MULTIPLE characters to do nearly the same thing. if i recall a + is a straight A record, and a @ (i think) is an
Re:Crazy! (Score:2)
Because I've used both, and after about a week of using djbdns, I found it to be easier to use. (Prior to that, I cringed at the thought of using tinydns-data's configuration format, but it's actually pretty easy once you get familiar with it.)
Re:Crazy! (Score:2)
Re:Crazy! (Score:2)
the documentation might have been there, but it sure as hell wasn't clearly linked on the main page of djbdns, as i remember spending an hour or two looking for it on cr.yp.to
as for the multiple charact
Re:Crazy! (Score:2)
Re:Crazy! (Score:2)
Re:Crazy! (Score:2)
another toy that sound cool on paper but really isn't that useful
Re:Crazy! (Score:3, Informative)
And why exactly is this an issue?
djbdns violates multiple RFCs (Score:2)
...and djbdns starts to look very non-standards-compliant.
Re:djbdns violates multiple RFCs (Score:2)
In any case, if you don't like how djbdns behaves by default, you can always go to http://tinydns.org/ [tinydns.org] and see what's available.
Re:Crazy! (Score:2)
Putting on blinder apparatus as we speak.
Re:Crazy! (Score:2)
SPF uses DNS TXT records, and doesn't need any special support from the DNS server. djbdns can handle SPF just fine.
Re:Crazy! (Score:2, Funny)
(Attribution forgotten, if anyone knows, please tell me.)
Re:Crazy! (Score:5, Funny)
Q: What is the difference between a sendmail.conf file and modem noise
A:
Re:Crazy! (Score:2)
Someday the utility of the DNS as a distributed name resolver will probably wane. Why not toy with alternative uses and recycle all that code and/or infrastructure?
Re:Crazy! (Score:2)
tho Sendmail got a lot easier to configure when m4 configuration became available, and lately bugs and patches have been few and far between.
Nasty Nasty HTML Version (Score:5, Informative)
Note: Was converted with *gasp*powerpoint so yes it is horrible
Paketto Keiretsu (Score:2)
Silly poster, the article's link to Dan's website brings you to the new tools (in "prebuild three"). Can someone please get a
Those are some seriously amazing gadgets in there, but I have to say I've yet to actually, you know, use one in any particular way.... yet I'm excited there are more out! I somehow want to know I could store knoppix in DNS even if I'm not likely to actually do it.
He has an excellent conclusion (Score:2)
Stuff = Cool
More Stuff Soon
This guy is amazing! Where does he come up with this stuff!
Re:He has an excellent conclusion (Score:2)
I'm only kidding you, of course...
Re:He has an excellent conclusion (Score:2)
Stuff = Cool
More Stuff Soon
This guy is amazing! Where does he come up with this stuff!
Probably from his refrigerator.
Re:He has an excellent conclusion (Score:2)
SPF and SPF+ work over DNS (Score:4, Informative)
The open source community's response so far has been SPF+ [listbox.com], which is essentially a technique of encoding the rules in TCL, which is served over DNS and executed on the mailserver. For obvious reasons, SPF+ will probably define the future of spam control on the internet.
Re:SPF and SPF+ work over DNS (Score:3, Interesting)
Putting TCL in DNS as a commonly used standard is a bit worrisome -- you'd have programmatic access to an execution context within any mail server. Not rejecting the idea outright -- but what are the functionality gains that justify such an ou
Re:SPF and SPF+ work over DNS (Score:2)
Read the D#$%$@#M links, people! You've been meta-trolled!
Ideuts.
Parent is a troll linking to a troll (Score:5, Informative)
Some of this stuff really makes alot of sense (Score:4, Interesting)
This guy proposes putting content (eg Knoppix) into DNS.
Why is DNS particularly not well suited for this kind of distribution mechanism?
Seems to me that if the RIAA wanted to distribute their movies via broadband providers (an inevitability, I'm afraid) the biggest problem would be dealing with BANDWIDTH.
I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...
DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?
Honestly, caching content a la DNS might provide a MUCH more efficient content distribution mechanism than, say, BitTorrent.
Where's the bad part of this idea?
Re:Some of this stuff really makes alot of sense (Score:4, Interesting)
Further, DNS would need to be upgraded. There is a good reason that short-term, experimental applications are better done at the ends; read the End-to-end arguments in system design [reed.com] for further insights.
Re:Some of this stuff really makes alot of sense (Score:5, Informative)
1) I think the requirement for caching sets of 4 byte IP addresses and 4 GB movies are quite different. Just because a system is good at one, doesn't mean it will automatically be good at the other. When I RTFA, the author made it quite clear that there was a 512-byte packet size limit, of which only around 50% could be useful for actual data. By the author's own estimation, it would take 35,000 DNS servers to host a single 700mb Knoppix image.
2) DNS is already an overloaded system, and his idea uses recursion, so it would place even more load on top of it.
If you think this is going to replace BitTorrent, you're off your rocker.
Re:Some of this stuff really makes alot of sense (Score:2)
I think the single point of failure is the biggest problem with using DNS as a way of distributing large amounts of information. It really DOESN'T make sense to do this with DNS when you can design something "like DNS" only more distributed.
Re:Some of this stuff really makes alot of sense (Score:2)
DNs is really, really, not designed for these types of payloads. You'd be far better off using a heirarchy of squid web caches than the DNS system for mass distribution of media.
Re:Some of this stuff really makes alot of sense (Score:5, Interesting)
Were that we could...
Why is DNS particularly not well suited for this kind of distribution mechanism?
Because DNS is designed to handle its hierarchical data, not massive amounts of content? The extra fields available in DNS are there fo, well, DNS related stuff.
Seems to me that if the RIAA wanted to distribute their movies via broadband providers (an inevitability, I'm afraid) the biggest problem would be dealing with BANDWIDTH.
I know you meant the MPAA, not the RIAA, but I think their biggest problem will be letting go of their deep seated need for control, rather than bandwidth. They can afford the pipe. And I, for one, would be incredibly pissed off to find the RIAA (or any other commercial service) caching their stuff on MY name server.
I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...
Like, say, USENET?
DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?
We do. Millions of times a day. We use it every time we translate a name to an IP number. Looking up, say www.slashdot.org
Honestly, caching content a la DNS might provide a MUCH more efficient content distribution mechanism than, say, BitTorrent.
Highly unlikely. A highly effecient system dedicated to caching content will almost certainly be better than trying to do the same thing with DNS. It's simply not made for it.
Where's the bad part of this idea?
Inefficiency. Load on already stressed servers. Better existing solutions. Should I go on?
Dan's come up with some brilliant ideas over time. Definately A Geek's Geek. But this one sounds a lot more like one of his thought experiments than an actual proposal. Like directly burning CD's over an SSH tunnel...
Re:Some of this stuff really makes alot of sense (Score:5, Insightful)
There's millions of servers out there that we can interface with -- what's the impact of that? If nothing else, it's fun to be playing with something other than TCP headers
--Dan
P.S. A broom can be used to sweep the floor -- or to knock something out of a tree, or to scare off a wild animal, or to burn for heat. There's something to be said for separating common uses from "inherent purposes". HTTP was certainly never designed to host as much dynamic content as it does now!
Re:Some of this stuff really makes alot of sense (Score:3, Interesting)
Nor was it intended to do sessions (think webmail), and it doesn't do a very good job at those. RPC over HTTP (useful for interactive applications) is even worse; the HTTP headers can easily outweigh the payload. A stateful protocol (like FTP) would be a better fit for those uses.
Re:Some of this stuff really makes alot of sense (Score:2)
My thought experiment was -- how can we efficiently place an arbitrary amount of data in the DNS? The answer is to not respect the heirarchy ourselves but to simply distribute the chunks, scattershot, across large numbers of servers.
--Dan
Re:Some of this stuff really makes alot of sense (Score:5, Insightful)
What part of the word lightweight don't you understand?
PDF Link (Score:5, Informative)
On my ISP's very fast webspace, but please post mirrors in case they decide to pull the plug.
Re:PDF Link (Score:2)
Re:PDF Link (Score:2)
Please read the FreeCache FAQ [archive.org]:
We don't bother with files smaller than 5MB, as the saved bandwidth does not outweight the protocol overhead in those cases.
I know how to make a freecache link all by myself, but the PDF is only 1mb.. that's why I asked people to mirror it. It's too small to bother with a torrent, too small for freecache, but just the right size to throw up on your ISP webspace.
Where's the innovation? (Score:4, Interesting)
Re:Where's the innovation? (Score:2)
Re:Where's the innovation? (Score:3, Interesting)
Also, short term caching allows for unexpectedly useful distributed voice transmission.
--Dan
Sticking Knoppix distro in a DNS cache.... (Score:3, Interesting)
PDF version (Score:2)
anybody remember DNS MUDs? (Score:5, Informative)
dangerous ideas, just think of akamai dns problems (Score:2, Interesting)
Yea baby! (Score:4, Insightful)
We've got the Kaminsky protocol connected to the
DNS protocol
the DNS protocol's connected to the
UDP protocol
The UDP protocol's connected to the
IP protocol
Oh hear the word of the inefficient!
The second verse is left as an exercise for the reader. Please keep in mind that writing another verse is somewhat more productive than implementing the aforementioned Kaminsky protocol.
-Adam
Re:Yea baby! (Score:2)
-- Unknown
You have no idea how appropriate this is (Score:2)
SSH connects to HTTPtunnel's TCP proxy, which converts TCP to HTTP (another TCP protocol, but record oriented with all sorts of limitations). These HTTP packets are then captured by a DNS translator, which sends the packets out over UDP. The UDP packets route across the net, themselves encapsulated in IP, MPLS, and Ethernet, potentially bouncing off a local DNS server. They arrive, are decapsulated more times than I can count, and are event
Re:You have no idea how appropriate this is (Score:2)
You talk like multiple layers of encapsulation is something new. This just reeks of yet another way to dodge The Man and hide your filesharing traffic.
And by the way, I categorize somebody potentially using my internet facing DNS servers for covert file transfers in the "abuse", not "cool" category.
The only good that could come out of this is to force some sort of validation of your dns cache so it's truely a name resolution cache, and not a cache of pieces of some chump's favourite dvd.
What's n
Re:You have no idea how appropriate this is (Score:3, Interesting)
The DNS backchannel through a firewall, by abusing the heirarchy, is a real problem.
--Dan
Re:You have no idea how appropriate this is (Score:3, Interesting)
It's neat until you've gone into the next higher pricing bracket because someone decided to piggyback a bunch of other protocols on top of dns to your external name servers. Aside from breaking rfc, or causing a self-inflicted DOS, there isn't much you can do about it.
(On the other hand, this is a prime example why allowing recursive DNS requests externally is a bad idea.)
What I think is neat is stuff that's
Re:You have no idea how appropriate this is (Score:2)
Turned out I had just reinvented some stuff from a few years back, Alteon did similar things with dedicated hosts. There's actually some neat load balancing stuff w/ DNS inv
Great ideas! (Score:2)
Re:Win2k DNS (Score:2, Interesting)
I've never figured out how one of our network people was able to ACCIDENTLY add an NS record for one of our web servers instead of an A record, and I've definitely never figured out how it is that they couldn't understand what the problem was or how to fix it. They use Win2K on the DNS servers.
If it'd been Bind, they wouldn't have made the mistake in the first place, because there is no way you would accidently type "NS"
Re:Win2k DNS (Score:2, Insightful)
In other words kid, don't fuck with us old guys or we'll show you who knows shit!
Trollin trollin trollin... (Score:2)
That could be, but this post gets a very high TrollAssassin score from me. It's not that everyone should be an expert in everything, far from it. It's just that this post fits the troll profile a little too well. Let's do some analysis shall we?
First, we must keep in mind the motivation of the troll. The troll's mecca is getting people in a dicussion to waste their time by posting an insincere dumb statement/question that is sure to elicit heavy response. Let's br
Re:Only on Slashdot (Score:2)
Re:Win2k DNS (Score:4, Insightful)
Re:WTF Is This? (Score:4, Funny)
If you put the presentation in DNS it would not be a problem.
Re:oh wow! (Score:2)
OFFTOPIC? I WROTE THE SLIDES :-) (Score:2, Insightful)