Show HN: Use DNS TXT to share information
dig +short TXT youpay.govorenefekt.com @1.1.1.1 | fold -s
You can base64 encode an image, split to TXT records and send over Internet. Useful in certain circumstances. Like when one of the communicating parties is under severe censorship.
93 comments
[ 182 ms ] story [ 1092 ms ] threadhttps://man.freebsd.org/cgi/man.cgi?query=fmt
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/f...
So, at minimum, it's of medium difficulty?
The order of records associated with a name is undefined, so if you spread your data across multiple records, you need to add ordering metadata.
The total size of the records must be less than 64 KiB - they have to fit within a DNS message, which has a limited size.
You can put all your 64K ish data into one TXT record, but it has to be split into strings of up to 255 bytes.
You can invent your own record type to contain raw binary data without the sequence-of-strings requirement.
You can use multiple names (eg, numbers) to get past the size limit and to be explicit about the correct order.
[1] https://github.com/yarrick/iodine
https://github.com/yarrick/iodine
[0] https://mosh.org/
It's more typical now to return the A records, and then route all IPs to a portal server until you login. Logged in sessions get to go forth to the internet.
https://github.com/yarrick/iodine
Or IP-over-DNS
I couldn't find the talk, but I found this nice article: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-ca...
https://dyna53.io/
What if the censor hijacks DNS queries. This is also done outside the realm of censorship, e.g., hotel wifi networks.
[0] Bizarre and Unusual Uses of DNS. https://fosdem.org/2023/schedule/event/dns_bizarre_and_unusu...
[1] https://news.ycombinator.com/item?id=34939809
---
[1] well, it's not really hackery if you're being pedantic, since it's doing what the spec allows it to do
[2] DNS Toys (946 points): https://news.ycombinator.com/item?id=31704789
$ dig +short -t txt current.cvd.clamav.net "0.103.8:62:26972:1689593340:1:90:49192:334"
For anyone interested, Freshclam interprets this as:
Latest ClamAV version: 0.103.8 Latest Main DB version: 62 Latest Daily DB version: 26972 UNIX Timestamp 1689593340
...and then some other version numbers and things I don't remember, one is probably a bytecode DB version 334, f-level 90 maybe.
Anyway, nothing new, works as designed. You can do all kinds of neat tricks with it. DNS has a lot going on that most people don't (ab)use.
So a man in the middle could prevent updates from happening, and freshclam wouldn't even throw a warning?
From https://en.wikipedia.org/wiki/Domain_Name_System_Security_Ex... - "DNSSEC can protect any data published in the DNS, including text records (TXT) and mail exchange records (MX)"
So when wikipedia says DNSSEC can protect, that's the permissive can. Like things can happen. But don't rely on it.
Just that their dnsquery() via freshclam daemon is not using val_res_query() when pulling in the version number, so it is unverified DNS querying going on … over there.
[1] https://dnssec-analyzer.verisignlabs.com/clamav.net
This mean, any TXT record can easily be spoofed via a simple transparent MitM packet munging.
https://dnssec-analyzer.verisignlabs.com/current.cvd.clamav....
When it's better to just delete and replace a comment.
https://news.ycombinator.com/item?id=36171696 - "Calling time on DNSSEC: The costs exceed the benefits"
Digging into the code of freshclam, source of libfreshclam.c, dnsquery() function call, it is painfully evident that freshclam daemon does not do basic DNSSEC when performing res_query().
Instead, freshclam should be calling `val_res_query()`.
They are currently using ‘res_query()’.
An hour or two may be a huge difference in preventing a viral spread, but at least in my experience is it is tough to rely on DNS propagation below the hour line. Seems like an odd technical choice to me.
And yet it "works" and as the OP mentioned for a long time. Often we get so conditioned to a security response we forget that basic security often relies upon a "simple" and inexpensive solution. Using DNS in this way is a best effort scenario that offloads work to servers designed for this purpose and for an open source project so you use what you have.
Oh, and there is a failover to https if the record is over three hours old.
https://docs.clamav.net/faq/faq-troubleshoot.html
https://www.cloudflare.com/learning/dns/dns-records/dns-srv-...
In my experience, bypassing censorship does not mean doing unusual things like this but things like browser extenstions that stego your message in legitimate requests .
I've been noodling on how to build a simple proxy off DNS to test on my next flight.
https://github.com/yarrick/iodine
https://www.softether.org/1-features/1._Ultimate_Powerful_VP...!)
Otherwise there's https://github.com/yarrick/iodine
Edit: seems like others have recommended it already. I got it working in a hotel room once after giving up on the utterly broken ToS acceptance page for the WiFi.
The neat thing about iodine is that it even works when you don't even have access to your home/whatever destination IP address due to the firewall redirecting packets to their server. It uses their resolver as a proxy to access a nameserver that you control, allowing you to exfiltrate data and get an uncensored connection.
(From the opener to https://www.wired.com/2008/11/ff-kaminsky/ )
I still use them at work to provide hints and more information but the current fleet of IT workers don’t really grok anything beyond A and PTR.
You’re just using DNS as intended. :-P
Part of this, though is also who is "in control" of the server.
Most of the times, DNS is on the other side of the bastion, managed by Network Ops, and out of reach of Joe Developer. Perhaps a reasonable situation, fat finger DNS and Bad Things can happen. However, Joe Developer has carte blanche access to things like HTTP servers and with that they were allowed to go hog wild.
So, the innovation in the HTTP space exploded as it was a safer place to dabble to the point that every solution was viewed through the lens of HTTP.
In the end, devs don't know DNS because they don't need to know DNS, and even if they did, the Powers in NetOps weren't going to let them have their grubby fingers on it anyway.
My belief is that TXT and HINFO saw declining use within an org as Microsoft Windows DNS Server usage grew[1][2][3].
1. Windows DNS Server hides those records behind a sub-menu item.
2. Windows DNS Server attracted noobs (a good thing, I suppose). Heck, these days, we give low/middle-tier IT workers DNS server access (via DnsAdmins group), which is crazy in my mind, but nonetheless common.
3. Crusty, old admins were better at typing yy in vi and changing the record type when creating new records in BIND (old DNS software).
Takes me back to rendering zone files using perl. The times they have changed.
It is actually adding to my argument. The NSA and any other government entities REALLY WANT to control these certificates. However, our interaction with CAs became much more secure now because we learned and developed things like CT logs. Major browsers are removing entire CAs from their trust store if shady stuff happens ASAP. You can’t do the same with TLDs. This argument is made frequently on here, why would you even want to propose to regress into stuff like DANE…? DNS servers are such a bad trust anchor, if you could even call it a trust anchor at all.
If you want to discuss further, I ask you to stay on topic instead of name calling.
If you're asking "Why do we need CA's when they already control the DNS record for that domain" then the answer is that DNS doesn't natively even have any cryptography involved, your DNS server can serve any information it wants, and this is common practice in IT environments.
Effectively speaking MITM'ing dns is relatively easy and common as it's the equivalent to HTTP.
So you don't know that the answer you are receiving it actually from the owner of that domain. If they sent you a certificate you don't know if that's an attackers certificate or the owner's certificate.
The CA system is a (very imperfect) method of verifying ownership by having a trusted third party do the ownership verification. This way the certificate the owner gives you is effectively "notarized" so to speak.
tl;dr - DNS has no built-in signing or encryption, and is "MiTM'd" by design. It's common practice for your DNS server to be set to your company's DNS server, your ISP, etc. And those can send any response they want, and you have no way to authenticate if it's been modified or not.
https://letsencrypt.org/2020/02/19/multi-perspective-validat...
But should you do crazy things like this? Absolutely not!
DNS is notoriously prone to MITM, injection, cache poisoning, DoS, etc. DANE and DNSSEC are horrible bodges that don't actually do anything useful or in a secure way.
Even though it's the foundation of almost everything we try to do securely, including the basis for TLS DV certificate (totally fungible, regardless of a hundred or so certificate authorities, including many located in authoritarian regimes!) validation:
DNS is absolutely and irredeemably broken forever, from a security perspective, and can never be fixed. As tempting (and easy) as it is to hack on it or treat it as an ultra-fast and extensible UDP remotely-accessible lookup database, just don't. (It just needs to die in a fire, probably along with SMTP.)
Unfortunately, even if someone came up with some system that could credibly replace it, that system would inevitably have a LOT of privacy and censorship trade-offs, so DNS is what we're stuck with.
Just stay very aware of the risks of encoding anything security-related inside DNS and try to minimize your reliance on it as best you can.
Adoption is extremely poor, usability is horrible, and the approach used is quite dated, but I'm not sure DANE and DNSSEC are insecure. Did you have a reference on the latter?
As a side note, anything security related exists in the reality of uncertainty. It is expected that sharing properly secured secrets is reasonably safe, but day after day we discover "we didn't know". Sometimes simplicity for a particular application is worth certain amount of risk.
Sometimes, you need to take the server out of its box, out of the bunker, and plug it to both the power distribution network, and of course... a LAN...
For quick reference: - https://en.m.wikipedia.org/wiki/Hesiod_(name_service) - https://jpmens.net/2012/06/28/hesiod-a-lightweight-directory...
It's even worse now, even on an air-gapped network, because the underlying insecurity is still within DNS. DNS would make a great highly-scalable authn DB for non-UNIX accounts (not in the Hesiod sense, but more in the modern web-app sense), except for all of the other high-scalable and secure authn DB's that aren't built on top of woefully insecure tech.
> It is expected that sharing properly secured secrets is reasonably safe
As you know, though, this is why Diffie and Hellman invented public key exchange -- because sharing secrets, even properly secured, is actually not reasonably safe at all in most circumstances. Even if you secure the secret, it's the communication of those secrets during the sharing where everything breaks down. (https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exc...)
This is of course because a secret is not a secret as soon as you share it with someone else. Instead, DH designed their key exchange to have a private key, that only you know, and a public key that you can share. Each party can derive a shared key using the other's public key, but only they each know their private key.
> Sometimes, you need to take the server out of its box, out of the bunker, and plug it to both the power distribution network, and of course... a LAN...
Even though perfect security is obviously impossible, it's still worth striving for. Relying on DNS for more than absolutely necessary is choosing to rely on technology that began without any thought to security and ended up with a history of massive, Internet-wide vulnerabilities. (See elsewhere in the thread for a great Wired article on Dan Kaminsky's successful attack on all of DNS.)