DNS hacks with added value
The internet's name resolution system is more flexible than many think. Several current hacks demonstrate neat tricks with Twitter and DNS. In one, a service from any.io queries Twitter through DNS. For example, the command
host -t txt codepope.twitter.any.io
will retrieve the most recent status tweet from the user codepope. The trick is simple: the answer to the DNS query is returned as a text snippet embedded in a TXT record. The name server for twitter.any.io takes the requested host name and parses its leftmost label as the user "codepope"; it then retrieves that user's last tweet and sends it back as the DNS response. To query identi.ca users, ask the authoritative server for identica.any.io for, say, "codepope.identica.any.io". You can perform a similar trick with Wikipedia over DNS from Windows:
nslookup -type=txt cheese.wp.dg.cx
The useful part is that many fee-based Wi-Fi networks will allow DNS queries to pass through even though the network may be closed to other traffic.
The concept is not new, though. Over ten years ago, Julien Oster and Florian Heinz demonstrated the Name Server Transfer protocol (NSTX), which allowed an entire IP connection to be tunnelled through DNS. To provide such a service, though, one must run a name server for a particular domain and configure it so that it correctly interprets requests and delivers the appropriate responses.
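To make the "interpret the request, build the response" step concrete, here is an added example of a minimal authoritative responder written for this article; it is not any.io's code, whose implementation the article does not show. It decodes a TXT query for <user>.twitter.any.io, takes the leftmost label as the user, and returns the looked-up text as length-prefixed TXT strings; the FAKE_TWEETS table is a constructed stand-in for the Twitter API call, and build_query/txt_strings exist so the packet round-trip can be checked offline without a socket.

```python
import struct
QTYPE_TXT, QCLASS_IN = 16, 1
ZONE = "twitter.any.io"
FAKE_TWEETS = {"codepope": "Testing Twitter over DNS"}  # constructed stand-in for the Twitter API lookup

def build_query(txid, name, qtype=QTYPE_TXT):
    """Encode a single-question DNS query (RD set) for name/qtype, class IN."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, QCLASS_IN)
def parse_question(msg):
    """Return (txid, qname, qtype, end offset) of the first question in msg."""
    txid = struct.unpack("!H", msg[:2])[0]
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:  # refuse compression pointers in the question name
            raise ValueError("malformed question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return txid, ".".join(labels), struct.unpack("!H", msg[pos + 1:pos + 3])[0], pos + 5
def txt_rdata(text):
    """Encode text as DNS <character-string>s: a length byte plus up to 255 bytes each."""
    data = text.encode("utf-8")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def answer(query, lookup=FAKE_TWEETS.get):
    """Answer '<user>.twitter.any.io TXT' with that user's text from lookup()."""
    txid, qname, qtype, qend = parse_question(query)
    question = query[12:qend]
    user, _, zone = qname.partition(".")  # leftmost label is the user name
    text = lookup(user) if zone == ZONE else None
    if text is None:  # unknown name: QR=1, AA=1, RCODE=3 (NXDOMAIN), no answers
        return struct.pack("!HHHHHH", txid, 0x8403, 1, 0, 0, 0) + question
    if qtype != QTYPE_TXT:  # name exists but has no RR of that type: NOERROR, no answers
        return struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 0, 0) + question
    rdata = txt_rdata(text)
    # Answer RR: owner name is a pointer (0xC00C) to the question name at offset 12, TTL 60 s
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 60, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0) + question + rr

def txt_strings(response):
    """Decode the TXT strings of the single answer RR that answer() builds."""
    _, _, _, qend = parse_question(response)
    rdlen = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    rdata, out, i = response[qend + 12:qend + 12 + rdlen], [], 0
    while i < len(rdata):
        out.append(rdata[i + 1:i + 1 + rdata[i]].decode("utf-8"))
        i += 1 + rdata[i]
    return out
```

Text longer than 255 bytes is split across several TXT strings, which is why a resolver such as host prints long answers as multiple quoted segments.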
See also:
- Exploit code with DNS tunnel, a report from The H.
(djwm)