DNS TXT records represent vulnerability for caching DNS servers

Posted on October 27th, 2010 Dan

… And now there’s an easy way to exploit it to leech bandwidth. Since TXT records are now deprecated in the DNS (Domain Name System) specification, administrators of public caching DNS servers would be advised to place limits on the number of TXT records and hostnames for a domain, or just disable the use of TXT records entirely, as they were mostly used as a temporary method of authenticating other DNS servers while the official Sender ID (Microsoft) and Sender Policy Framework (same as Sender ID) were rolled out, essentially an attempt to gain some control over who connects to DNS servers (and ostensibly block spammers and other undesirables from connecting) using the public key certificate signing chain of trust.

How ironic that this very thing Microsoft pushed for in the DNS specification enables distributed, free content distribution that will be VERY difficult to contain, because shutting down the official domain host (the host that is authoritative for that DNS record) will have only a delayed effect on the downstream cached files! HAHA.. that really blew up in your faces, didn’t it? You actually increased the opportunity for spammers to deliver content anonymously!

There will be obvious indicators that caching DNS servers are being used as a CDN, but it will require some usage analysis and behavior profiling for hosts. But really, I think we should just disable DNS TXT records entirely.

Spam is a nuisance, but this type of command and control overreaction goes way beyond what can be considered a reasonable response to spam. Anti-spam technologies should not hinder free access to data, centralize power, or introduce more vulnerabilities or additional points of failure into any network service.

It will be interesting to see if the replacement for the TXT records (SPF records) will allow arbitrary text blocks. My guess is they will, since they must contain large blocks of encrypted text for keys. (SPF Specification)

My DNS server does no caching, so this is not really a concern for me. But read on. I think you will find this very interesting…

Free Content Delivery Network using DNS cache (ByteWorm)

Why spend money on expensive CDN hosting when there’s a perfectly good, free, global one available? That’s right, DNS cache. Most open recursive DNS servers will cache requests (A, CNAME, PTR, TXT, etc.) for the length of the specified TTL value, and there are millions of them worldwide. Once a public DNS server has the records in cache (usually after a single request), it requires no further bandwidth from the originating server.

Unfortunately, there’s a limit to the size of a record a DNS server will cache, and a limit to the length of the DNS packet itself. To store files using DNS cache we must encode the file and split it into multiple records. We’re going to use TXT records for this example, whose strings are limited to 255 characters each.

file1.part1.cdn 14400 IN TXT
"ICAgICAgQ2FuYWRhIEludmFzaW9uIFBsYW4KICAgIFRPUCBTRUNSRVQg
IENPTkZJREVOVElBTAotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tL
QoKU3RlcCAxKSBBcm0gYmVhdmVycyB3aXRoIHJpZmxlcwpTdGVw"

file1.part2.cdn 14400 IN TXT
"IDIpIFRyYWluIG1vbmtleXMgdG8gam91c3QKU3RlcCAzKSBQcm9maXQ
KCldlIGhhdmUgYSBncm91cCB0aGF0IG1lZXRzIEZyaWRheXMgYXQgbWl
kbmlnaHQgdW5kZXIgdGhlCmJyb29rbHluIGJyaWRnZSBhbmQgdGhlIHBh"

file1.part3.cdn 14400 IN TXT
"c3N3b3JkIGlzIHNpYyBzZW1wZXIgdHlyYW5uaXMuCg=="

The receiver simply has to request all parts of the file, reassemble, and decode it. I’ve included an example program that does just that (both CDN client and server).

# ./server --path example_data
...

# ./client --domain virtserve.com --list
Inode      Size         Path
------------------------------------
4068250    254          Epicfail.txt
4068229    283          Important_Plan.txt

# ./client --domain virtserve.com --get 4068250
<gh0st-> epicfail.c?
<matja> bysin wrote that
<bysin> its 3000 lines of nothing but preprocessor macros that turns gcc into a tetris game
<matja> if you distcc it, can you play multplayer?
<bysin> hold on, i'll #include you on the next round
<matja> thx

In the program above, the first request for a file uses the CDN server and any subsequent requests do not, since the public DNS server has it in cache. I look forward to seeing streaming videos via DNS in the future.
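The usage analysis and behavior profiling called for earlier on this page, as an added example that is not part of the original post or of the ByteWorm code: a Python script that reads constructed resolver answer lines, keeps only TXT answers that consist of a single long base64 blob, and flags zones where several numbered hostnames carry such blobs while leaving ordinary SPF and DMARC records alone. The log format, the thresholds and the rule that the last two labels identify the zone are assumptions made for the example.

```python
import base64
import binascii
import re
from collections import defaultdict

# Thresholds are assumptions for illustration, not values from the post.
MIN_NAMES = 3      # distinct blob-bearing names under one zone before flagging
MIN_NUMBERED = 2   # how many of them carry a numeric "part1"-style label
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # short strings are usually SPF/tokens
NUMBERED_LABEL_RE = re.compile(r"(?:^|\.)[a-z]*\d+\.", re.I)

def looks_like_base64_blob(txt):
    """True when an entire TXT string is one long, decodable base64 blob."""
    if len(txt) % 4 or not B64_BLOB_RE.fullmatch(txt):
        return False
    try:
        base64.b64decode(txt, validate=True)
        return True
    except binascii.Error:
        return False

def profile_txt_answers(log_text):
    """Group blob-only TXT answers from '<qname> <type> <rdata>' lines by zone and flag chunked-storage-like zones."""
    seen = defaultdict(dict)                      # zone -> {qname: decoded bytes}
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1].upper() != "TXT":
            continue
        qname, txt = parts[0].lower().rstrip("."), parts[2].strip().strip('"')
        if looks_like_base64_blob(txt):
            zone = ".".join(qname.split(".")[-2:])  # assumption: last two labels = zone
            seen[zone][qname] = len(base64.b64decode(txt))
    report = {}
    for zone, names in seen.items():
        numbered = sum(1 for n in names if NUMBERED_LABEL_RE.search(n))
        report[zone] = {"names": len(names), "numbered": numbered,
                        "payload_bytes": sum(names.values()),
                        "suspicious": len(names) >= MIN_NAMES and numbered >= MIN_NUMBERED}
    return report

def b64_text(s):
    return base64.b64encode(s.encode()).decode()

# Constructed resolver answers: three numbered chunks under cdn.example.net plus ordinary records.
SAMPLE_LOG = "\n".join([
    "file1.part1.cdn.example.net TXT " + b64_text("constructed chunk one of a fake file"),
    "file1.part2.cdn.example.net TXT " + b64_text("constructed chunk two of a fake file"),
    "file1.part3.cdn.example.net TXT " + b64_text("constructed chunk three, the tail"),
    'example.org TXT "v=spf1 include:_spf.example.org -all"',
    '_dmarc.example.com TXT "v=DMARC1; p=reject"',
    "www.example.com A 192.0.2.10",
])
```

Running `profile_txt_answers(SAMPLE_LOG)` reports only `example.net`, with three numbered names and 105 decoded bytes, marked suspicious; a real deployment would feed it resolver query logs over a time window and tune the thresholds to the observed baseline.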

Click here to download the DNS CDN Source Code

77 Responses to “DNS TXT records represent vulnerability for caching DNS servers”

  1. I don’t think TXT records are deprecated. It is just that SPF records are the new “correct” way to handle that kind of information.

  2. I’m glad you said this. You’re right, something to the effect of “the use of TXT records for SPF data is deprecated” would be more accurate. But I don’t know why caching name servers would ever allow the use of TXT records. They should be completely deprecated.