It is done (well, for various definitions of the word “done”). Here, at the
Black Hat Briefings, I’ve finally
assembled and packaged my collection of DNS manipulation tools…and, as I’ve
been known to do, rewrote much of of my slides (major changes — deep
discussion of DNS Source Routing). Here’s the summary conclusions from the
end of the talk:
1. DNS is globally deployed — you use it as a client, you probably depend on it as a server.
2. As the rest of IP networking has become progressively more and more filtered, DNS’s level of interconnectivity has (for important functionality reasons) remained constant, and in some ways outstrips the services offered by a completely unfirewalled host.
3. This connectivity can be used to offer a range of services, from encrypted VPN-style linkage, to a completely silent but remotely addressable trojan horse, to an unexpectedly useful distributed caching audio system.
4. DNS should not be disabled, re-engineered, blocked, or heavily interfered with at this time — but perhaps we can start paying closer attention to its traffic.