Domain Keys Overloading
SPF is not the only protocol to overload existing DNS fields. Another anti-spam solution, Yahoo! Domain Keys (DK), uses two levels of overloading. First, DK defines a reserved hostname: _domainkey. For example, Yahoo! uses _domainkey.yahoo.com. The TXT field associated with this reserved hostname includes information related to DK authentication.
$ host -t txt _domainkey.yahoo.com
_domainkey.yahoo.com descriptive text "t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys"
OzymanDNS Overloading
At the 2004 Black Hat Briefings security conference, Dan Kaminsky demonstrated a set of tools called OzymanDNS. The Aska and Geta tools in OzymanDNS overload A, TXT, and CNAME fields with data. Using these tools, entire files can be distributed and stored on DNS servers. Kaminsky's presentation at Black Hat included playing an audio file that he had distributed across a few thousand DNS servers. Each server held a few bytes of data.
Custom DNS
The behavior of BIND (and other common DNS servers) is well defined: the same DNS query returns the same DNS results. That consistency is a property of the implementation, however, not of the protocol. Custom DNS servers do not need to return the same information each time; a custom DNS server could return different information based on the request source or time of day. For example, an administrator could configure a custom server to return real-time network and host status in the TXT fields. A covert channel could easily hide information within a DNS response.
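To review how TXT fields are being used on a network, the following added example (not from the original text or from any of the tools named above) sorts TXT records into recognized overloads, such as SPF and the DomainKeys tag list shown earlier, and long, dense strings that look like encoded data. The function names, the length and entropy thresholds, and every sample record except the _domainkey.yahoo.com text are assumptions made for illustration.

```python
import base64
import math
import re
from collections import Counter

# tag=value lists such as the DomainKeys policy record shown above
TAG_LIST = re.compile(r"^\s*\w+=[^;]*(;\s*\w+=[^;]*)*;?\s*$")

def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def classify_txt(owner, txt, min_len=64, max_entropy=4.5):
    """Label one TXT record: 'spf', 'domainkeys', 'opaque' or 'other'."""
    txt = txt.replace("\\;", ";")          # host(1) prints semicolons escaped
    labels = owner.lower().rstrip(".").split(".")
    if txt.lower().startswith("v=spf1"):
        return "spf"
    if "_domainkey" in labels and TAG_LIST.match(txt):
        return "domainkeys"
    if len(txt) >= min_len and entropy(txt) > max_entropy:
        return "opaque"                    # long and dense: looks like encoded data
    return "other"

def review(records):
    """Return (owner, label) for each (owner, txt) pair, in order."""
    return [(owner, classify_txt(owner, txt)) for owner, txt in records]

# Constructed sample records; only the _domainkey.yahoo.com text comes from the page.
SAMPLE = [
    ("_domainkey.yahoo.com", r"t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys"),
    ("example.com", "v=spf1 mx -all"),
    ("status.example.com", "load=0.42 uptime=17d"),
    ("f0012.files.example.net", base64.b64encode(bytes(range(256))).decode()),
]

if __name__ == "__main__":
    for owner, label in review(SAMPLE):
        print(f"{label:10} {owner}")
```

A per-record check like this will not flag records that carry only a few bytes each, so it is best paired with per-zone counts of unrecognized TXT answers.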