Sometimes you find an open (unencrypted) Wi-Fi network at an airport or a cafe that lets you associate without any encryption key. But as soon as you try to open a website you get a pop-up asking you to pay a fee for internet access through their access point, or a captive-portal page asking for a username and password before you can browse.
On these networks, name resolution is typically allowed out to the internet even though everything else is blocked. If you could not resolve a host name, your browser would never display any page at all, including the portal's own pay-to-browse page, so the provider lets DNS lookups through and then filters the actual web traffic, allowing or blocking each site.
To exploit this setup, you can tunnel all of your outgoing traffic through DNS. To understand how that works you need a little background on DNS. DNS makes name resolution possible using resource records. The records that matter for this scenario are NS (name server), CNAME (canonical name) and A (host address). To resolve the host name myserver.com to the IP address 192.168.10.12, you create an A record for it. An NS record names the name server that is authoritative for a zone, and a CNAME is simply an alias that points at another name.
These records live on the provider's (or your registrar's) name server, and normally you have no permission to change them. To set up a DNS tunnel you must be able to control the records for some name, so you delegate one subdomain, with an NS record, to a name server that you run yourself. After that, every query for any name under that subdomain, including queries coming from the captive network, is sent to the ISP's resolver, which forwards it to your name server; your server answers, and the answer goes back through the same resolver to the client. That is the channel the tunnel rides on.
How It Works!
In this process you own a domain that you control and set up the DNS records described above. You run a special DNS server on the internet and a special client program on your PC. The client works like a proxy: it takes the packet data from your browser, breaks it up into a series of DNS queries (the data is encoded into the host names being "looked up" under your subdomain) and sends them to your DNS server. That server converts the DNS queries back into packet data and sends it on to the website. When the website sends packets back, the server encodes that data into DNS answers (for example TXT records) and returns them to the client. Because a DNS server can only answer queries and never send anything on its own, the client keeps sending polling queries so that data from the server always has an answer to ride in. All of this fits inside ordinary DNS messages, so to the captive network it looks like nothing but name lookups.
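To make the encoding step concrete, here is an added example (not code from the original page, and not iodine's own wire format, which adds its own headers and framing): a client-side function that turns a chunk of packet data into a query name under a hypothetical delegated domain t.example.com, and server-side functions that decode it and that pack reply data into TXT strings. It also shows the two DNS size limits that make the tunnel slow: labels of at most 63 octets, names of at most 253 characters, and TXT strings of at most 255 octets.

```shell
#!/bin/sh
# Added example: encoding packet data into DNS query names and TXT answers.
# Domain and payloads are hypothetical; this is not iodine's actual framing.

TUNNEL_DOMAIN="t.example.com"   # hypothetical subdomain delegated to our server

# Client -> server: raw bytes on stdin become a query name.
# base32 is used because DNS names are case-insensitive (resolvers may even
# randomise case), so base64 would be corrupted. '=' padding is dropped and
# the data is split into labels of at most 63 octets.
encode_query_name() {
  labels=$(base32 | tr -d '=\n' | tr 'A-Z' 'a-z' | fold -w 63 | paste -sd. -)
  name="$labels.$TUNNEL_DOMAIN"
  # A complete name may not exceed 253 characters, so one query carries
  # only ~150 bytes under a short domain; larger chunks must be split.
  [ ${#name} -le 253 ] || { echo "chunk too large for one query" >&2; return 1; }
  printf '%s\n' "$name"
}

# Shared helper: join base32 fragments from stdin, restore the '=' padding
# that was stripped on the wire, and decode.
b32_decode_unpadded() {
  data=$(tr -d '." \n' | tr 'a-z' 'A-Z')
  pad=$(( (8 - ${#data} % 8) % 8 ))
  while [ "$pad" -gt 0 ]; do data="$data="; pad=$((pad - 1)); done
  printf '%s' "$data" | base32 -d
}

# Server side: strip our domain from the queried name and decode the labels.
decode_query_name() {
  printf '%s' "${1%.$TUNNEL_DOMAIN}" | b32_decode_unpadded
}

# Server -> client: reply bytes on stdin become the rdata of a TXT record,
# which is a sequence of quoted <character-string>s of at most 255 octets.
encode_txt_answer() {
  base32 | tr -d '=\n' | fold -w 255 | sed 's/.*/"&"/' | paste -sd' ' -
}

# Client side: unquote, join and decode the TXT strings.
decode_txt_answer() {
  printf '%s' "$1" | b32_decode_unpadded
}

# Stand-alone demonstration with a constructed request and reply.
if [ -n "${DEMO:-}" ]; then
  q=$(printf 'GET / HTTP/1.0' | encode_query_name)
  echo "query name : $q"
  echo "server sees: $(decode_query_name "$q")"
  a=$(printf 'HTTP/1.0 200 OK' | encode_txt_answer)
  echo "TXT answer : $a"
  echo "client sees: $(decode_txt_answer "$a")"
fi
```

Run it with `DEMO=1 sh dnsenc.sh` to see one round trip. Every query is a real lookup that the captive network's resolver forwards to the delegated server, so the tunnel's throughput is bounded by how many of these ~150-byte queries the resolver will relay per second, which is why DNS tunnels feel slow.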
To demonstrate DNS tunneling in a LAN environment we need two BackTrack machines. We will use iodine, which ships with BackTrack, as the DNS tunneling tool. One BackTrack machine will act as the server (the DNS server under our control) and run iodined; the other will run iodine and act as the client (the user trying to reach the internet).
The traffic between client and server will be pure DNS traffic, which passes the firewall restrictions. The traffic between the server and the target website is normal traffic.
So first check whether the firewall lets DNS traffic through. To check, open a terminal and type nslookup google.com. Note that a captive portal sometimes answers every lookup with its own address, so a successful nslookup alone does not prove that queries reach the internet; the real test is whether a query for a name under your delegated subdomain arrives at your own name server.
Now start the iodine server. Open a terminal and change directory to /pentest/backdoors/iodine.
Now type ./iodined -f 192.168.10.1 subdomain.domain.com
i) iodined – the server end of the tunnel
ii) -f – run iodined in the foreground
iii) 192.168.10.1 – the IP address of this end of the DNS tunnel, which iodined assigns to its tunnel interface dns0 (the client is handed an address in the same subnet, /27 by default unless you append a netmask such as 192.168.10.1/24)
iv) subdomain.domain.com – the subdomain you delegated to this server
If you do not pass a password with -P, iodined asks for one on the terminal; the client must later be given the same password.
(To show the DNS tunnel interface, type ifconfig dns0 after the server is running.)
That completes the server setup. Now set up the client machine. Open a terminal on the client BackTrack and, from /pentest/backdoors/iodine, type the following command:
./iodine -f security.koenig-solutions.com
The topdomain given here must be exactly the one passed to iodined on the server.
Optionally, you can put the IP address of the DNS server to query in front of the topdomain (./iodine -f <dns-server-ip> <topdomain>). In this LAN demonstration that is the address of the machine running iodined; in a real environment you normally leave it out so that the captive network's own resolver is used and forwards the queries for you.
Type ifconfig dns0 on the client to check that the tunnel interface is up; you should be able to ping the server's tunnel address (192.168.10.1 above) through it.
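The steps above bring the tunnel up, but they stop short of what the introduction promised: sending all of the client's traffic through it. Here is an added example, not from the original page, that collects the whole procedure into one script with the pieces a working setup needs: the delegation records for the parent zone, a shared password on both ends, IP forwarding and NAT on the server so tunnelled packets can reach the internet, and the client routes that push everything through dns0 while the DNS queries themselves keep going to the captive network's resolver. Every name and address in it is hypothetical (t.example.com, ns.example.com, 203.0.113.10, the 10.53.53.0/24 tunnel subnet); with DRY_RUN=1 the commands are printed instead of executed so you can review them before running as root.

```shell
#!/bin/sh
# Added example: end-to-end iodine tunnel setup. Hypothetical names/addresses;
# iodined/iodine flags used: -f foreground, -c no client IP/port check, -P password.

TUNNEL_DOMAIN="t.example.com"   # subdomain delegated to our server (hypothetical)
NS_HOST="ns.example.com"        # public host running iodined (hypothetical)
NS_IP="203.0.113.10"            # its public address (documentation range)
SERVER_TUN_IP="10.53.53.1"      # iodined's end of the tunnel, set on dns0
TUNNEL_NET="10.53.53.0/24"      # iodined assigns clients from this /24
WAN_IF="${WAN_IF:-eth0}"        # server's internet-facing interface
RESOLVER_IP="${RESOLVER_IP:-}"  # client: resolver handed out by the captive network
LAN_GW="${LAN_GW:-}"            # client: default gateway of the captive network
DNS_SERVER="${DNS_SERVER:-}"    # client: optional DNS server to query directly (LAN test)

# Print commands under DRY_RUN=1, otherwise execute them.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

need_password() {
  [ -n "${TUNNEL_PASSWORD:-}" ] || { echo "set TUNNEL_PASSWORD" >&2; return 1; }
}

# 1. Records to add to the parent zone: delegate the subdomain to our host,
#    plus the A record the resolver needs to find that host (glue).
delegation_records() {
  printf '%s. IN NS %s.\n' "$TUNNEL_DOMAIN" "$NS_HOST"
  printf '%s. IN A %s\n' "$NS_HOST" "$NS_IP"
}

# 2. Server: forward and masquerade the tunnel subnet, then run iodined.
#    -c skips the per-request client IP/port check, which breaks behind NAT.
server_up() {
  need_password || return 1
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$TUNNEL_NET" -o "$WAN_IF" -j MASQUERADE
  run iodined -f -c -P "$TUNNEL_PASSWORD" "$SERVER_TUN_IP/24" "$TUNNEL_DOMAIN"
}

# 3. Client: without -f iodine daemonises, so the routing step can follow.
client_up() {
  need_password || return 1
  if [ -n "$DNS_SERVER" ]; then
    run iodine -P "$TUNNEL_PASSWORD" "$DNS_SERVER" "$TUNNEL_DOMAIN"
  else
    run iodine -P "$TUNNEL_PASSWORD" "$TUNNEL_DOMAIN"
  fi
}

wait_for_tunnel() {
  [ -n "${DRY_RUN:-}" ] && return 0
  i=0
  while ! ip link show dns0 >/dev/null 2>&1; do
    i=$((i + 1)); [ "$i" -lt 30 ] || { echo "dns0 never came up" >&2; return 1; }
    sleep 1
  done
}

# 4. Client: send everything through the tunnel. The resolver must stay
#    reachable over the real network, or the tunnel's own DNS queries would be
#    routed into the tunnel and the whole thing would loop and die.
route_all_via_tunnel() {
  [ -n "$RESOLVER_IP" ] && [ -n "$LAN_GW" ] || { echo "set RESOLVER_IP and LAN_GW" >&2; return 1; }
  run ip route add "$RESOLVER_IP/32" via "$LAN_GW"
  run ip route del default
  run ip route add default via "$SERVER_TUN_IP" dev dns0
}

case "${1:-}" in
  records) delegation_records ;;
  server)  server_up ;;
  client)  client_up && wait_for_tunnel && route_all_via_tunnel ;;
esac
```

Usage: `sh tunnel.sh records` on whichever machine manages the parent zone, `TUNNEL_PASSWORD=... sh tunnel.sh server` on the public host, and `TUNNEL_PASSWORD=... RESOLVER_IP=... LAN_GW=... sh tunnel.sh client` behind the captive portal. In the LAN demonstration from the text, set DNS_SERVER to the iodined machine's address so the client queries it directly instead of going through a resolver. Once the default route points at dns0, ping the server's tunnel address first; if that works but websites do not, the missing piece is almost always forwarding or the MASQUERADE rule on the server.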