[SOLVED] INFO0010 Introduction to Computer Networking Part 2

Contents

1 DNS Tunneling

1.1 DNS

1.2 Tunneling, as intended

1.3 Tunneling, not as intended

1.4 Tunneling, in the project

2 DNS server

3 Program Input/Output

3.1 Input

3.2 Output

4 Guidelines

4.1 General

4.2 Report

4.3 Evaluation

1 DNS Tunneling

1.1 DNS

DNS (Domain Name System) is a service that, among other things, converts hostnames to

IP addresses. It is an application layer protocol that allows users and servers to exchange

messages. DNS provides a way to identify hosts other than by their IP address, as IP

addresses can change over time and are difficult to remember.

Nowadays, DNS is deployed everywhere and many protocols rely on it for their own

operation, making it one of the central pillars of the Internet.

1.2 Tunneling, as intended

Tunneling is a method for transporting data across a network using protocols that are

not supported by that network. In the network layer, tunneling works by encapsulating

IP packets (header + payload) inside (i.e., as payload of) other IP packets. This can

be used to carry IPv6 packets in a network that only supports IPv4 for example. Thus,

tunneling is nothing else than an extra level of encapsulation. Therefore tunneling can

in principle be used to encapsulate any protocol (of any layer) into any other protocol.

1.3 Tunneling, not as intended

Tunneling can also be used to “sneak through” a firewall, using a protocol that the

firewall would normally block, encapsulated inside a protocol that the firewall does not

block, such as DNS, ICMP, or HTTP. As this usage is most of the time not expected, the

client and the server are often specifically configured to understand the encapsulation in

place and use the encapsulated protocol afterwards.

1.4 Tunneling, in the project

For this project, you are going to implement a simple client-server pair able to perform

DNS tunneling. You already completed a client prototype in the first part of the project;

now, in the second part, you will implement a DNS server.

To use DNS tunneling, the DNS client forges a specific DNS query with a payload

(here the question) encoded according to an encapsulated protocol agreed between the

DNS client and the DNS server. The (adapted) DNS server is designed to understand

this unusual query, react accordingly, and reply to the DNS client. An intermediate

firewall will just see normal DNS exchanges and will likely allow them, thus allowing

any kind of forbidden data exchanges.

2 DNS server

Your DNS server will listen for TCP connections on port 53 and be able to handle multiple

connections at the same time (multi-threading!). When a connection is established, you

will pass the newly created socket to a new thread and handle the following actions in

this new thread:

  1. Wait for data until data arrives, connection is closed by the client, or more than 5 seconds have passed without activity (timeout).

  2. Try to read as many bytes as specified in the DNS TCP header (first 2 bytes). If there were not enough bytes sent, wait for 5 seconds without activity and close the connection.

  3. Consider the read bytes as a DNS query, parse it and check if all the variable length indicators are fully respected, if not, close the connection.

  4. Fully parse the DNS query. If there is a format error, reply with a valid DNS response without answer and with response code (RCODE) set to “Format Error”.

  5. Check that the DNS query contains only one question of type TXT with a name following this pattern: <tunneled data encoded in base32>.<owned domain name>. If this requirement is not respected, reply with a valid DNS response without answer and with response code (RCODE) set to “Refused”.

  6. Decode the “tunneled data” from base32 into a valid URL (base32 padding will be omitted, you need to handle this case). If the URL is not valid, reply with a valid DNS response without answer and with response code (RCODE) set to “Name Error”.

  7. Perform an HTTP GET request (use a library such as java.net.HttpURLConnection) sent to the decoded URL. You should receive a valid HTTP response in text characters. Otherwise, reply with a valid DNS response without answer and with response code (RCODE) set to “Name Error”.

  8. Encode the HTTP response content in base64 to ensure that all transmitted characters are in ASCII format.

  9. Verify that the encoded content does not exceed 2^16 - 1 bytes. If it exceeds this size, reply with a valid DNS response, with a TXT answer containing the first 2^16 - 1 characters of the encoded HTTP response, and with the response code (RCODE) set to “Name Error”.

  10. Craft and send a valid DNS reply with an answer and the HTTP response content encapsulated in TXT RDATA of the payload.

For a simple URL with not too much content, try https://example.com/.
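
Steps 5 and 6 above, written out as an added example (it is not part of the assignment text or of any reference solution): the question name is checked against the owned domain, the unpadded base32 label is decoded by hand since the Java standard library has no base32 codec, and the result is mapped to an RCODE. Assumptions made here: the tunneled data occupies a single label, invalid base32 counts as a pattern violation (“Refused”), and a “valid URL” means an http or https URL with a host; the class and method names are hypothetical.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

public class TunnelNameCheck { // added example; all names here are hypothetical
    static final int NO_ERROR = 0, NAME_ERROR = 3, REFUSED = 5, TYPE_TXT = 16; // RCODEs, QTYPE
    static final String B32 = "abcdefghijklmnopqrstuvwxyz234567";
    // Decodes base32 sent without '=' padding; null if the input is not valid base32.
    static byte[] base32Decode(String s) {
        int rem = s.length() % 8;
        if (rem == 1 || rem == 3 || rem == 6) return null; // lengths no encoder produces
        byte[] out = new byte[s.length() * 5 / 8];
        int buf = 0, bits = 0, n = 0;
        for (char c : s.toCharArray()) {
            int v = B32.indexOf(c);
            if (v < 0) return null;                        // character outside the alphabet
            buf = (buf << 5) | v;
            bits += 5;
            if (bits >= 8) {
                bits -= 8;
                out[n++] = (byte) (buf >> bits);
                buf &= (1 << bits) - 1;                    // keep only the unread bits
            }
        }
        return buf == 0 ? out : null;                      // leftover pad bits must be zero
    }

    // Assumes: one data label, bad base32 = pattern violation, valid URL = http(s) + host.
    static int classify(String qname, int qtype, String ownedDomain) {
        String name = qname.toLowerCase(Locale.ROOT);      // DNS names are case-insensitive
        String suffix = "." + ownedDomain.toLowerCase(Locale.ROOT);
        if (qtype != TYPE_TXT || !name.endsWith(suffix)) return REFUSED;
        String label = name.substring(0, name.length() - suffix.length());
        byte[] raw = label.isEmpty() ? null : base32Decode(label);
        if (raw == null) return REFUSED;
        try {
            URI uri = new URI(new String(raw, StandardCharsets.UTF_8));
            String scheme = uri.getScheme();
            boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            return web && uri.getHost() != null ? NO_ERROR : NAME_ERROR;
        } catch (java.net.URISyntaxException e) {
            return NAME_ERROR;                             // decoded bytes are not a URL
        }
    }
    public static void main(String[] args) {               // the two names from section 3.2
        System.out.println(classify("nb2hi4dthixs6yjomjss6mjopbwwy.tnl.test", TYPE_TXT, "tnl.test"));
        System.out.println(classify("test.truc.be", 1, "tnl.test")); // QTYPE 1 is A
    }
}
```

Restricting the decoded URL to http and https before step 7 keeps the server from being asked to open other URL schemes on behalf of whoever sends the query.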

3 Program Input/Output

3.1 Input

Your server can be launched using the following command: java Server <owned domain

name>, where “owned domain name” is a valid domain name under the responsibility

of your server. Thus, the server will only successfully reply to queries addressing this

domain and its subdomains. For example:

  • java Server tnl.test

3.2 Output

The output of your program will follow a strict format written to stdout. It will print one

line for each query received. This format is similar to the question printed in your client

output, that is: Question (CL=<IP of the direct client>, NAME=<domain name to

query>, TYPE=<question type>) => <reply code>, where names between <…> must

be replaced accordingly. For example:

Question (CL=192.168.0.27, NAME=nb2hi4dthixs6yjomjss6mjopbwwy.tnl.test, TYPE=TXT) => 0

Question (CL=192.168.0.45, NAME=test.truc.be, TYPE=A) => 5