Sunday, January 20, 2008

Hotspot web browsing over DNS

Public wifi hotspots are starting to get a little smarter. I've noticed more networks blocking ICMP. While ICMP is normally used to test if machines are alive and perform other diagnostic tasks, it can also be used as an alternate channel. Several tools are freely available which create an IP tunnel over the ICMP protocol. If you're not familiar with this idea, check out this paper for a more thorough description.

So, let's take this idea of tunneling over ICMP and apply it to the current hotspot configuration. One thing hotspots haven't considered is IP over DNS. I've confirmed at several hotspots that, prior to paying for service, a user can perform the following:

  1. You can perform DNS resolutions to the default DNS server.

  2. You can perform DNS resolutions to an arbitrary DNS server.

The main problem is item #2. By allowing DNS lookups to arbitrary DNS servers you are creating an opportunity for an alternate channel over DNS requests.

Consider the following:
Mobile Laptop
-The mobile laptop is configured with a proxy of localhost:<some port>
-A proxy application is running on the laptop which accepts web requests, inserts them into the data of a DNS request and forwards them over port 53 to a remote DNS server

Remote Server
-A remote server is configured with a proxy application which accepts DNS requests and pulls the web request from the data portion of the DNS packet
-The server application makes the web request and receives the response
-The server wraps the response into a DNS response message and sends it back to the laptop

Mobile Laptop
-The proxy application receives the response and sends it to the browser.

The end result would be full web browsing tunneled over DNS request/response. There is really no reason why you couldn't expand this idea to a full TCP/IP connection tunneled over DNS; that would just take a little more work.
-Michael Coates
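The two observations above (lookups reach arbitrary resolvers, and the tunnel rides in the query and answer data) are exactly what a hotspot operator can look for in resolver or packet logs. The following is an added example of that detection logic; it is not code from this post or from any tunneling tool. The log line format, the hotspot resolver address 10.0.0.1, the thresholds, and the "zone is the last two labels" heuristic are all assumptions made for the example, and the sample log is constructed inline.

```python
"""Flag DNS-tunnel indicators in a hotspot's DNS query log.

Assumed log format, one query per line (constructed for this example):
    <epoch_seconds> <client_ip> <resolver_ip> <qtype> <qname>
"""
import base64
import hashlib
import math
from collections import defaultdict

DEFAULT_RESOLVER = "10.0.0.1"      # assumed address of the hotspot's own resolver
MAX_QNAME_LEN = 60                 # ordinary hostnames are far shorter than this
MAX_ENTROPY = 3.5                  # bits/char of the subdomain part; encoded data runs higher
MAX_UNIQUE_SUBDOMAINS = 20         # distinct subdomains of one zone from one client
SUSPECT_QTYPES = {"TXT", "NULL"}   # roomy record types that carry data back to the client


def shannon_entropy(s):
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname):
    """Return (subdomain, zone). The zone is assumed to be the last two labels;
    a real deployment would use the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse 'epoch client resolver qtype qname' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, resolver, qtype, qname = parts
        records.append({"ts": int(ts), "client": client, "resolver": resolver,
                        "qtype": qtype.upper(), "qname": qname})
    return records


def analyze(records):
    """Return a list of (client, finding, detail) tuples.

    'resolver-bypass' is the post's item #2: queries sent past the default resolver.
    'tunnel-indicators' looks at what the names and record types carry, which also
    catches a tunnel that goes through the default resolver (item #1), since that
    resolver still forwards each query to the zone's authoritative server."""
    findings = []
    per_client_zone = defaultdict(lambda: {"subs": set(), "max_len": 0,
                                           "max_ent": 0.0, "qtypes": set()})
    off_net = set()
    for r in records:
        if r["resolver"] != DEFAULT_RESOLVER:
            off_net.add((r["client"], r["resolver"]))
        sub, zone = split_zone(r["qname"])
        st = per_client_zone[(r["client"], zone)]
        st["subs"].add(sub)
        st["max_len"] = max(st["max_len"], len(r["qname"]))
        st["max_ent"] = max(st["max_ent"], shannon_entropy(sub.replace(".", "")))
        st["qtypes"].add(r["qtype"])

    for client, resolver in sorted(off_net):
        findings.append((client, "resolver-bypass",
                         f"queries sent to {resolver} instead of {DEFAULT_RESOLVER}"))
    for (client, zone), st in sorted(per_client_zone.items()):
        reasons = []
        if st["max_len"] > MAX_QNAME_LEN:
            reasons.append(f"qname length {st['max_len']}")
        if st["max_ent"] > MAX_ENTROPY:
            reasons.append(f"subdomain entropy {st['max_ent']:.2f}")
        if len(st["subs"]) > MAX_UNIQUE_SUBDOMAINS:
            reasons.append(f"{len(st['subs'])} unique subdomains")
        if st["qtypes"] & SUSPECT_QTYPES:
            reasons.append("qtype " + "/".join(sorted(st["qtypes"] & SUSPECT_QTYPES)))
        if reasons:
            findings.append((client, "tunnel-indicators", f"{zone}: " + ", ".join(reasons)))
    return findings


def build_sample_log():
    """Constructed sample: a client doing ordinary lookups, then a second client
    sending a burst of long, encoded-looking TXT queries to an outside resolver.
    The encoded labels are simulated with base32 of a hash; only their shape matters."""
    lines = [
        "1200800000 10.0.0.23 10.0.0.1 A www.example.com",
        "1200800001 10.0.0.23 10.0.0.1 A img.example.com",
        "1200800002 10.0.0.23 10.0.0.1 AAAA mail.example.net",
        "1200800003 10.0.0.23 10.0.0.1 A www.example.org",
    ]
    for i in range(25):
        digest = hashlib.sha256(f"chunk{i}".encode()).digest()
        label = base64.b32encode(digest).decode().rstrip("=").lower()
        lines.append(f"{1200800010 + i} 10.0.0.42 198.51.100.7 TXT {label}.t.example.org")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for client, kind, detail in analyze(parse_log(build_sample_log())):
        print(f"{client}\t{kind}\t{detail}")
```

Run against the constructed log, only 10.0.0.42 is reported: once for bypassing the hotspot resolver and once for the shape of its example.org traffic, while 10.0.0.23's ordinary lookups (including one to the same example.org zone) produce nothing. The first finding maps to the direct fix for item #2, which is to permit port 53 egress only to the hotspot's own resolver before a client has authenticated; the second matters because that fix alone still leaves item #1 open, so the content-based checks are what an operator would keep on the default resolver's logs.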