Originally posted at the Tor bug tracker & wiki. Moved here on as a result of Tor's transition from Trac to Gitlab and the deprecation of the wiki.
Last updated: .
'0'
as a padding character instead of '='
.d
data-carrying query and gets back an empty l
length response; or sends an empty r
query and gets back a d
data-carrying response.l
responses encode the number of server-queued messages.up
) or receives a piece of data (down
), not both.pending
A record in the Additional section.p
ping packet.The terms "quarter duplex", "half duplex", and "full duplex" describe how the upstream and downstream data channels may be used simultaneously, or not. Quarter duplex is not a standard term, but half duplex and full duplex are. The table below shows what I mean by them. Suppose the client has 3 pieces of data to send (UP1, UP2, UP3) and the server also has 3 pieces of data to send (DOWN1, DOWN2, DOWN3).
Quarter duplex | Half duplex | Full duplex |
---|---|---|
[UP1] --> <-- [ok] [poll] --> <-- [DOWN1] [UP2] --> <-- [ok] [poll] --> <-- [DOWN2] [UP3] --> <-- [ok] [poll] --> <-- [DOWN3] |
[UP1] --> <-- [DOWN1] [UP2] --> <-- [DOWN2] [UP3] --> <-- [DOWN3] |
[UP1] --> [UP2] --> <-- [DOWN1] [UP3] --> <-- [DOWN2] <-- [DOWN3] |
In a single query–response exchange, either the query carries data, or the response carries data, but not both. Sending and receiving 3 pieces of data requires 6 sequential roundtrips. | In a single query–response exchange, both the query and response may carry data, but queries and responses must serialized in a ping-pong fashion. Sending and receiving 3 pieces of data requires 3 sequential roundtrips. | Both queries and responses may carry data, and there is no requirement for one exchange to be finished before starting another one. Sending and receiving 3 pieces of data requires 3 roundtrips, but they may be interleaved. |
DNS tunnels work either at the transport layer (netcat-like) or at the network layer (VPN-like). The network-layer ones have the implementation advantage that they don't have to worry about reliability, because retransmissions etc. are handled by lower-level kernel procedures.
Upstream queries are more squeezed for bandwidth than downstream responses. Although the protocol syntactically permits sending any number of entries in the Question section, in practice the only supported value is QDCOUNT=1.
A single DNS name has a maximum length of 255 bytes (RFC 1035 §2.3.4). However, a name is composed of labels, each of which is a maximum of 63 bytes (or 64 bytes if including the length prefix). And the name's null terminator byte is counted in the limit as well. So it's really only 250 usable bytes. And from that you have to subtract the length of the name suffix that the DNS server is actually authoritative for.
Technically, any 8-bit value can be part of a name label. However RFC 1035 recommends [A-Za-z][A-Za-z0-9-]*
for compatibility. Additionally, you can't rely on uppercase/lowercase being preserved (Google Public DNS, among others, may randomize letter case). So you have to encode somehow; base32 or hexadecimal suffices but better efficiency may be possible.
Supposing base32 encoding and 20 bytes for the length of the server's domain name suffix, the most raw data you can send in a single query is about 140 bytes. (Even if upstream queries may contain only one entry in the Question section, it may be possible to stuff extra data into the other sections. EDNS queries have an OPT resource record in the Additional section—but that one only has hop-by-hop meaning, and isn't forwarded by a recursive server to an authoritative server. But perhaps some possibilities exist.)
It's easier to pack data into responses than into queries. Responses have to echo the original question, but they can contain multiple resources records for that query in the Answer section, not to mention the Additional section. You can have multiple resource records of the same or differing types, but the order of resource records within a section is not guaranteed. Resource records can be of any type (A, AAAA, MX, CNAME, etc.). A resource record has a maximum data length of 65535 bytes, but most of them have a fixed format that's shorter than that; e.g. A is 4 bytes and CNAME is up to 255 bytes. The TXT type seems practical: it's a byte sequence of any length up to the 64K limit. (The dnscat2 docs say that the Windows DNS client can't handle '\0'
bytes in TXT records, but that shouldn't be a problem if you use a custom client.) The NULL type is marginally more efficient than TXT, but is marked "experimental".
The overall length of a DNS response message cannot be more than 65535 bytes. This holds whether using UDP with EDNS (the UDP payload size field is 16 bits, and anyway that's the largest IP datagram size); or TCP (messages are preceded by a 16-bit length field). In the absence of EDNS, UDP responses are supposed to be limited to 512 bytes. But as EDNS has good support, the MTU is likely a bigger consideration than any DNS-imposed length limitations. A common value for the EDNS length field is 4096.
dnscat2 is a DNS tunnel. It works at the socket layer. Its intended use is as command-and-control on a compromised machine; to that end it provides a lot of pentesting-oriented functionality like session management and high-level commands like "send a file". It also has a raw tunnel mode.
type=A,AAAA
with the --dns
option).packet_id
to each query to prevent caching.packet_id u16 message_type u8 (= 0x00) session_id u16 initial sequence number u16 options u16 session name null-terminated string
packet_id u16 message_type u8 (= 0x01) session_id u16 seq u16 ack u16 data []u8
packet_id u16 message_type u8 (= 0x02) session_id u16 reason null-terminated string
dnscat2.pcapng
server: ruby ./dnscat2.rb --dns 'host=127.0.0.1,port=5353,domain=example.com' --security open
client: ./dnscat --no-encryption --dns=server=127.0.0.1,port=5353,domain=example.com
Starts with a MESSAGE_TYPE_SYN exchange. The session ID is 48ac. The client and server choose initial sequence numbers of 9037 and 7643 respectively. The client additionally sends a session name of !command (happy).
Client and server exchange empty MESSAGE_TYPE_MSG packets while the connection is idle. (Notice SEQ and ACK don't change.)
Now the server has 17 bytes to send. (It happens to be a command to send the contents of the file "dnscat.c", but the details aren't important.) The client has randomly chosen the CNAME response record type, so the server has to format its data as a domain name.
The client sends 101 bytes. Notice the client's ACK has advanced 17 bytes from 7643 to 7654. The data is long enough that the client has to use multiple labels in the DNS name. The server's response advances the ACK from 9037 to 909c.
TUNS is an IP-layer (VPN-like) tunnel described in the paper "On Robust Covert Channels Inside DNS" by Lucas Nussbaum, Pierre Neyron and Olivier Richard. It works at the IP layer (VPN-like). Compared to other tunnels, TUNS aims for better compatibility with existing servers, at the expense of efficiency. (The paper claims that characters such as '_'
and '/'
, as used by iodine and dns2tcp, are not standards-compliant, but that's not quite true: they are just outside of the maximum-compatibility set recommended by RFC 1035. The authors acknowledge this in the "Future Work" section.)
'0'
as a padding character instead of '='
.d
data-carrying query and gets back an empty l
length response; or sends an empty r
query and gets back a d
data-carrying response.l
responses encode the number of server-queued messages.Taken from Fig. 2 of the paper.
d
for data, l
for server queue length; r
for data requestThe client sends d data. The server responds with an l indicating that it has 4 responses in its queue.
The client sends r data requests to drain the server's queue. The server sends back d data responses.
When the server's queue is empty, it sends back the pseudo-data zero
. (Distinguishable from actual base32 data by its lack of padding, I suppose?)
OzymanDNS is a suite of DNS tools. droute.pl (client) and nomde.pl (server) implement a tunnel. It implements more of a netcat-like interface, but the code is old and crufty and doesn't work out of the box. Described in the talk "Black Ops of DNS" from 2004 (pages 12–17).
up
) or receives a piece of data (down
), not both.pending
A record in the Additional section.
ozymandns.pcap
server: ./nomde.pl -i 127.0.0.1 -L myservice:127.0.0.1:8000 example.com
client: ./droute.pl -r 127.0.0.1 myservice.example.com
also needs netcat listener on port 8000 and ozymandns.patch
The nomde.pl server supports more than just DNS tunneling, so you have to scope your tunnel requests under a distinguished subdomain (here myservice
).
up
or down
)
The session is using session ID 35765. Here the client has sent no data and the server has sent back 12 bytes in response. The first byte 0 of the pending
A record indicates that the server has no further data queued at the moment.
Now the client has 18 bytes to send. It encodes them into an A query. The first byte 18
of the server's answer just echoes the number of bytes received.
Now the client wants to send 273 bytes, which it splits up into 110+110+53.
Now the server has 298 bytes to send, which it splits up as 220+78. After the first send, the client increments its count of received bytes from 12 to 232 and the server indicates that it has 1 further response queued.
iodine is a network-layer DNS tunnel. It has a lot of features, like password authentication, compression, and auto-probing of features like server case sensitivity and the MTU.
abcdefghijklmnopqrstuvwxyz012345
)'-'
and '+'
in place of '+'
and '/'
) if the server is case-preserving'_'
in place of '+'
)a-zA-Z0-9\xbc-\xfd
) if the DNS path preserves case and the high bitp
ping packet.
iodine.pcap
server: iodined -f -l 192.168.0.64 -P password 10.0.0.1 example.com
client: iodine -f -r -P password -I 50 192.168.0.64 example.com
The iodine trace is more complicated than I want to walk through fully.
The first byte of queries indicates the type: v
means version, l
is login, s
is switch codec, etc. Hex digits 0-9a-f
represent a user ID and indicate an actual data packet (which means there can only be 16 simultaneous users of the tunnel).
Here is a sample data transaction. The client and server have negotiated the base128 codec and the NULL record type. The client with user ID 0
sends a data packet and the server responds with no data (just a two-byte data header \xa0\x20
). Note the client signals support for EDNS in the Additional section.
Here the client sends a p
ping message. The server responds with a blob of unencoded data.
[A-Za-z0-9_-]
).[A-Za-z0-9/-]
).