Dan Kaminsky a couple of years ago did a talk about this, as well as using DNS to cache files...

http://byteworm.com/2010/10/27/free-content-delivery-network-using-dns-cache/

Exfiltrating using DNS, or VPN over DNS and the various other techniques are not new.

They do show how difficult it is to police data from leaving one's network.
This seems to use base64. DNS is case insensitive, so really it should use base32 or some other encoding scheme. However, DNS is usually case preserving, so it will likely work.

Unless the recursive nameserver in use happens to implement this hack for improved security:

http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
Don't just get files, use DNS for Command and Control too.

http://blog.strategiccyber.com/2013/06/06/dns-command-and-control-added-to-cobalt-strike/
The author of sqlmap added DNS exfiltration for blind SQL injection last year. Really creative technique (the DNS stack doubled the size of the sqlmap code base).

Paper: http://arxiv.org/pdf/1303.3047.pdf

Slides: http://www.slideshare.net/stamparm/dns-exfiltration-using-sqlmap-13163281
8 bytes at a time.

Wouldn't that mean 100s, 1000s or 10s of thousands of requests for nonsensical subdomains of the same domain name (and that domain name is probably a silly one if you got it recently for 10 bucks)?

This is not anomalous DNS traffic? My imagination just does not stretch this far. If the title was just "Transfer a file via DNS", maybe I could play along.

I think nstx preceded iodine.

Here's another one no one has mentioned yet:

http://www.skullsecurity.org/wiki/index.php/Dnscat

What I'd really like to see is an implementation of lcamtuf's old, pre-cloud/Dropbox idea: daemon caches, specifically recursive DNS caches, as free, (temporary) distributed storage. Anyone can store data for free on 100s of 1000s of networked computers worldwide, otherwise known as recursive DNS caches. Currently we only store "domain names" on these servers, but as the OP shows, it's possible to encode more information into requests than just domain names.

Imagine if the encoded data was an image. With most recursive DNS servers, the data expires upon the TTL expiry. Snapchat via DNS.
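The question raised in the comment above, whether thousands of nonsensical subdomains under one domain stand out, as an added example that is not part of this thread: a small Python scorer that groups resolver query logs by registered domain and flags domains with many unique subdomains whose labels have high character entropy. The log lines, the domain `exfil.example` and the thresholds are constructed assumptions, and the two-label "registered domain" split is a simplification (a real deployment would use the Public Suffix List).

```python
import math
from collections import defaultdict

# Constructed resolver query log as (client IP, queried name); not real traffic.
# "exfil.example" is a hypothetical domain on the reserved .example TLD.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "api.example.com"),
    ("10.0.0.7", "cdn.example.net"),
] + [
    ("10.0.0.9", label + ".exfil.example")
    for label in (
        "q7zk3mw2pvn9rt5x", "h4bj8dcs6yfa1gue", "n2vxm7kqz5t3wpr9",
        "c9fs4hbu6dlg1ake", "t3prz8nkw5qm2vx7", "g6eau1dhf4cjb8sy",
        "w5xqv2tmz9rk3pn7", "e1kdb4hsg6uaf9cj", "z8mnr3wtk7qpv2x5",
    )
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive split: the last two labels. Assumption; no public-suffix handling."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def flag_suspicious(queries, min_unique=8, min_entropy=3.0):
    """Return {domain: (unique_subdomains, mean_label_entropy)} for domains whose
    subdomain labels look like encoded payload chunks. Thresholds are assumptions."""
    subs = defaultdict(set)
    for _client, qname in queries:
        qname = qname.lower().rstrip(".")
        dom = registered_domain(qname)
        if len(qname) > len(dom):          # keep only the part left of the domain
            subs[dom].add(qname[: -len(dom) - 1])
    flagged = {}
    for dom, labels in subs.items():
        mean_ent = sum(shannon_entropy(l.replace(".", "")) for l in labels) / len(labels)
        if len(labels) >= min_unique and mean_ent >= min_entropy:
            flagged[dom] = (len(labels), round(mean_ent, 2))
    return flagged


if __name__ == "__main__":
    for dom, (count, ent) in flag_suspicious(SAMPLE_QUERIES).items():
        print(f"{dom}: {count} unique subdomains, mean label entropy {ent} bits/char")
```

Legitimate services that put hashes or session ids in hostnames will also score high, so in practice the output is a triage list to compare against a baseline of the network's normal resolvers and domains, not a block list.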
This is a hack of mine that stores files in public DNS caches. It's a horrible, slow hack, but it does work.

https://github.com/ryancdotorg/dnsstore
    "When/if the network security team figures this out and
    blocks it, I'll demonstrate a few other ways in which data
    can be exfiltrated."

I loved this line.

He mentions blocking there, but given the technique, could forensics show that this has been used? For example, could some future whistleblower for a national security agency (ours or anyone else's for that matter) use this to exfiltrate files without risk of discovery after the fact?

Could an organization like WikiLeaks or the Guardian use this as a technique for whistleblowers to leak files safely?
People have been doing covert channels over DNS in the wild since <2001. Fast forward 12 years, and this is the new 'my first socket app'.
There was a related talk [1] at USENIX 2013 in which this (quite old, I might add) method of information exfiltration was analyzed.

Bottom line: amateurs get caught.

[1] https://www.usenix.org/conference/usenixsecurity13/practical-comprehensive-bounds-surreptitious-communication-over-dns
Could gifsockets be used to exfiltrate a file as well?

https://github.com/videlalvaro/gifsockets