Re: Flaw caused by default rulesets in many desktop firewalls under windows

From: Frank Knobbe (fknobbeat_private)
Date: Fri May 10 2002 - 20:34:45 PDT


    On Fri, 2002-05-10 at 13:44, Christian decoder Holler wrote:
    > Several Desktop-Firewalls for Windows, such as Tiny 
    > Personal Firewall 2.0 or ATGuard, maybe also others, allow 
    > DNS resolving by default. That allows reversed trojans to 
    > connect to a server on port 53 and send/receive commands 
    > and information without the user knowing it. The firewall 
    > permits any communication to any server on port 53 UDP. I 
    > wrote a small trojan in VB and tested it with Tiny Personal 
    > Firewall 2.0 and it worked.
    > 
    > Solution: Change the default rules for DNS to a fixed host, 
    > for example to the DNS server of the ISP or the DNS server 
    > in the local network.
    
    
    Unfortunately that does not prevent tunnels through DNS. Sophisticated
    tunnels slip data through DNS requests (typically for a domain where a
    rogue DNS server is answering, as a tunnel endpoint). Data is
    piggybacked on the queries/responses. These tunnels don't care through
    which DNS server you send the request, ISP or local. In either case the
    request queries the root server for the gtld server, which refers to the
    rogue authoritative DNS server when finally the packet hits the pocket
    in the socket on the port...
    
    Only DNS query scrubbing through some kind of smart DNS content proxy
    can prevent DNS tunnels. Are there any available yet? Let me know if you
    find a decent one...
    
    Regards,
    Frank
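Added editorial example, not part of Frank Knobbe's message or anything posted in this thread: the "smart DNS content proxy" he asks about would have to look inside queries rather than at the destination resolver, since the tunnel works through any resolver. The script below is one defender-side sketch of what such an inspector scores: long or high-entropy leftmost labels, record types that carry arbitrary payloads (TXT, NULL), and an unusual number of distinct names under one registered domain. The log lines are constructed, the thresholds and the two-label `registered_domain()` heuristic are assumptions (a production filter would use the public suffix list and tune thresholds against its own baseline traffic).

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line: "<client> <qtype> <qname>".
# These lines are made up for illustration, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 4f9a1c2e7b8d0f3a6c5e9b1d2f4a7c8e.tunnel-demo.example
10.0.0.7 TXT 9b2d4f6a8c0e1b3d5f7a9c2e4b6d8f0a.tunnel-demo.example
10.0.0.7 TXT c3e5a7b9d1f2a4c6e8b0d2f4a6c8e0b1.tunnel-demo.example
10.0.0.7 TXT d4f6a8c0e2b1d3f5a7c9e4b6d8f0a2c3.tunnel-demo.example
10.0.0.5 A cdn.example.net
"""

# Assumed thresholds; tune against your own baseline traffic.
LABEL_LEN_THRESHOLD = 30          # leftmost label longer than this is unusual for a hostname
ENTROPY_THRESHOLD = 3.5           # bits/char; hex or base32 payloads sit near 4.0
PAYLOAD_RECORD_TYPES = {"TXT", "NULL"}  # types that can carry arbitrary data back
UNIQUE_NAME_THRESHOLD = 3         # distinct names under one registered domain


def shannon_entropy(text):
    """Bits per character of the given string (0.0 for an empty or uniform string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumed two-label heuristic; real deployments should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def score_query(qtype, qname):
    """Return (points, reasons) for a single query; higher points means more tunnel-like."""
    labels = qname.rstrip(".").split(".")
    leftmost = labels[0] if labels else ""
    points, reasons = 0, []
    if len(leftmost) > LABEL_LEN_THRESHOLD:
        points += 1
        reasons.append("long leftmost label (%d chars)" % len(leftmost))
    if shannon_entropy(leftmost) > ENTROPY_THRESHOLD:
        points += 1
        reasons.append("high-entropy leftmost label")
    if qtype.upper() in PAYLOAD_RECORD_TYPES:
        points += 1
        reasons.append("payload-capable record type %s" % qtype.upper())
    return points, reasons


def parse_log(text):
    """Yield (client, qtype, qname) tuples; blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, qtype, qname = line.split()[:3]
        yield client, qtype, qname


def analyze_log(text, min_points=2):
    """Flag individual suspicious queries and domains receiving many distinct names."""
    names_per_domain = defaultdict(set)
    flagged = []
    for client, qtype, qname in parse_log(text):
        points, reasons = score_query(qtype, qname)
        names_per_domain[registered_domain(qname)].add(qname.lower())
        if points >= min_points:
            flagged.append((client, qname, points, reasons))
    chatty = {d: len(s) for d, s in names_per_domain.items()
              if len(s) >= UNIQUE_NAME_THRESHOLD}
    return {"flagged": flagged, "chatty_domains": chatty}


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    for client, qname, points, reasons in report["flagged"]:
        print("%s -> %s (%d): %s" % (client, qname, points, "; ".join(reasons)))
    for domain, count in report["chatty_domains"].items():
        print("%s: %d distinct names queried" % (domain, count))
```

Run against a resolver's query log (or a passive DNS feed) this only produces leads, not verdicts: CDNs, anti-spam lookups and some load balancers also generate long machine-named labels, so the per-domain count and the record-type mix matter as much as any single query's score.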
    This archive was generated by hypermail 2b30 : Sat May 11 2002 - 16:28:17 PDT