SkyzohKey / kanet

Automatically exported from code.google.com/p/kanet
GNU General Public License v3.0

no DNS tunnel protection #4

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hello,

I like the design of kanet, good job!
But I think there is a small security issue: it seems that there is no DNS tunnel protection.

Some possible solutions I see:
- implement basic DNS resolution in kanet, for resolving the captive portal, listening on a non-standard UDP port (e.g. 5353)
- add an iptables rule for non-authenticated clients requesting UDP 53 to be redirected to the kanet DNS server (port 5353)

Best regards,
G. Husson.

Original issue reported on code.google.com by gautier....@gmail.com on 2 May 2011 at 11:49

GoogleCodeExporter commented 8 years ago
Hi,
I never worked with UDP, but it seems possible.
Let's assume we use bind on 5353 for non-authenticated users and the needed addresses, and dnsmasq as usual on 53.
We push all DNS requests to kanet to be marked ... or not.
$IPT -t mangle -A PREROUTING -p UDP --dport 53 -i $NTINT -j QUEUE

All "not marked" (non-authenticated users) DNS requests are forwarded to the limited DNS.
$IPT -t nat -A PREROUTING -p UDP --dport 53 -i $NTINT -m mark --mark 0 -j DNAT --to-destination $IP_PRIVATE:5353
I'm not really sure kanet can understand UDP packets; tests need to be done.
This will increase kanet's stuff.

Cyrille.

Original comment by cyrille....@pixtogram.com on 5 May 2011 at 9:57