IN TXT & NULL trash records

Joe Abley jabley at
Thu Nov 22 19:10:20 UTC 2018


The carriers I was talking to were seeing IP tunnelled within
protocol-correct DNS queries and responses, including short, unique
QNAMEs, not just IP over 53/udp. The same technique would presumably
work just fine over DoH and other stub-resolver private channels
making the nameserver really the first opportunity to classify and
react to the traffic if it can be reasonably fingerprinted.

Resolverless DNS provides yet more potential opportunities to
exfiltrate routable packets, potentially behind a layer or two of
network defences around the HTTP/TLS termination machinery. Of course
you'd still need to find a DNS-layer endpoint that was reachable
through any web namespace protections that evolve, etc.


> On Nov 22, 2018, at 10:13, ѽ҉ᶬḳ℠ via Unbound-users <unbound-users at> wrote:
> I have read the following story about VPN tunnelling over port 53 at a mobile carrier but that is related to routing and I would trust that unbound is not the tool/place to control/analyse routing or be in charge of network traffic/package payload control, though bind features >  rate-limit { responses-per-second ;    } <
>> Back in 2015 I discovered by accident that VPN traffic through port 53 on Verizon was not monitored by whatever they use to calculate data usage. Even better, it worked on deactivated sim cards for a few months after they were deactivated. Basically this meant I could dig around in the local Verizon store's dumpster every few months to find sim cards, pop them into a portable hotspot, and use a VPN over 53 for completely free, unthrottled data on Verizon without even having an account with them. I was a broke high school student and my parents wouldn't allow me to have service on my phone at the time so this was a life saver.
>> Fast forward to a couple months ago, someone else gets root on the mifi 6620L, finds the loophole, and decides to sell mifi's with a VPN client or proxy installed that redirected everything through port 53. Basically resulting in a seamless experience for free unlimited data. These hacked devices sold for $300+ on eBay. Of course, after it was in the wild Verizon started DPIing port 53 and now nothing gets through.
>> On 22.11.2018 15:07,  via Unbound-users wrote:
>> I happened to hear from some DNS operators at some mobile carriers the other day who are scratching their heads about DNS tunnelling; they zero-rate DNS traffic for a variety of sensible reasons, but some of their more cunning customers have noticed that if they stop caring so much about performance, zero-rating DNS traffic can be turned into zero-rated mobile data.
>> It sounds like outlier identification (to find the unusually talkative mobile terminals) and rate-limiting (to make tunnelling painful without stamping too hard on DNS resolution) are the tools people have to work with. It might be nice if there were some convenient recipes for tuning unbound to do that kind of thing (from the perspective of the DNS operator/carrier, I guess, not the mobile terminal user).
>> Joe
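The two ideas in this thread, fingerprinting tunnel traffic by its short, unique QNAMEs and TXT/NULL queries, and outlier identification to find the unusually talkative terminals, can be sketched as a small offline scorer over resolver query logs. The example below is added here and is not code from the thread or from the Unbound project. It assumes log lines in the shape unbound emits with `log-queries: yes` ("[pid:tid] info: <client-ip> <qname> <qtype> <qclass>"); the addresses, names and volumes are constructed for the example, and the thresholds (volume factor, unique-name ratio, TXT/NULL ratio, label entropy) are arbitrary starting points, not tuned values.

```python
import hashlib
import math
import re
import statistics
from collections import defaultdict

# Constructed sample in the shape unbound writes with "log-queries: yes"
# ("[pid:tid] info: <client-ip> <qname> <qtype> <qclass>"). Addresses,
# names and volumes are made up for this example, not captured traffic.
BENIGN = [
    "[1234:0] info: 192.0.2.10 www.example.com. A IN",
    "[1234:0] info: 192.0.2.10 mail.example.com. MX IN",
    "[1234:0] info: 192.0.2.10 www.example.net. AAAA IN",
    "[1234:0] info: 192.0.2.11 www.example.com. A IN",
    "[1234:0] info: 192.0.2.11 cdn.example.org. A IN",
    "[1234:0] info: 192.0.2.11 www.example.com. A IN",
]
# One "talkative" client sending many never-repeated labels under a single
# parent name and asking for TXT and NULL records, the pattern the thread
# describes. Labels are deterministic hashes so the sample is reproducible.
TUNNEL = [
    "[1234:0] info: 192.0.2.99 %s.t.example. %s IN"
    % (hashlib.sha256(str(i).encode()).hexdigest()[:32], "TXT" if i % 2 else "NULL")
    for i in range(40)
]
SAMPLE_LOG = BENIGN + TUNNEL

LINE_RE = re.compile(r"info: (\S+) (\S+) (\S+) (\S+)$")


def label_entropy(label):
    """Shannon entropy in bits of the characters of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(lines):
    """Aggregate per-client features from unbound-style query log lines."""
    per_client = defaultdict(
        lambda: {"total": 0, "names": set(), "txt_null": 0, "entropies": []}
    )
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query record (startup messages, errors, ...)
        client, qname, qtype, _qclass = m.groups()
        rec = per_client[client]
        rec["total"] += 1
        rec["names"].add(qname.lower())
        if qtype in ("TXT", "NULL"):
            rec["txt_null"] += 1
        # entropy of the leftmost label, where tunnel payloads usually sit
        rec["entropies"].append(label_entropy(qname.split(".")[0]))
    stats = {}
    for client, rec in per_client.items():
        stats[client] = {
            "total": rec["total"],
            "unique_ratio": len(rec["names"]) / rec["total"],
            "txt_null_ratio": rec["txt_null"] / rec["total"],
            "mean_entropy": statistics.fmean(rec["entropies"]),
        }
    return stats


def flag_outliers(stats, volume_factor=4.0, unique_ratio=0.7,
                  txt_null_ratio=0.5, entropy=3.0):
    """Clients that are volume outliers AND whose queries look tunnel-like.

    Volume alone is not enough (a busy but legitimate terminal should not be
    throttled), so a client must also exceed one of the shape thresholds.
    """
    if not stats:
        return []
    median_total = statistics.median(s["total"] for s in stats.values())
    flagged = []
    for client, s in sorted(stats.items()):
        talkative = s["total"] > volume_factor * median_total
        tunnel_like = (s["unique_ratio"] >= unique_ratio
                       or s["txt_null_ratio"] >= txt_null_ratio
                       or s["mean_entropy"] >= entropy)
        if talkative and tunnel_like:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(client, s)
    print("flagged:", flag_outliers(stats))
```

Run against a real unbound log the output is a shortlist of clients, not a verdict; the thresholds need tuning per network, and the median-based volume test assumes most clients are benign. Unbound's own per-client knob is `ip-ratelimit` in unbound.conf, which caps accepted queries per second per source address for everyone, so a scorer like this is useful for deciding whether that cap is set high enough to leave ordinary resolution alone while still making a tunnel unpleasant to use.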
