In today's episode of "Can It Run Doom": DNS fucking TXT records.

Some absolute madlad (cough Adam Rice cough) compressed the entire shareware DOOM WAD, split it into around 1,964 chunks, shoved them into Cloudflare TXT records, and wrote a PowerShell script that reassembles and runs the whole goddamn game from DNS queries alone. Nothing touches disk. The DLLs are in DNS. THE FUCKING DLLS ARE IN DNS.

RFC 1035 was written in 1987. Those engineers are spinning in their graves fast enough to generate municipal power.

Bonus: this is a fully functional globally-distributed covert data exfil channel that your NGFW will never fucking see if you're not doing deep DNS inspection. Sleep well.

blog: https://blog.rice.is/post/doom-over-dns/

repo: https://github.com/resumex/doom-over-dns

Also lmao @ every blue team that has never once looked at their DNS query volume. How's that DLP policy working out for you.

It was always DNS.

#infosec #dns #doom #itisalwaysdns
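Added example, not code from the post or from the doom-over-dns repo: a defender-side check that scans constructed resolver log lines for the pattern the post describes (one client pulling thousands of chunks via TXT queries to unique labels under one zone), which is also the shape of the iodine/dns2tcp-style tunnels mentioned in the replies. The log field layout, the thresholds and the sample lines are assumptions.

```python
"""Flag (client, zone) pairs whose TXT traffic looks like a chunked transfer."""
import re
from collections import defaultdict

# Constructed log format (assumption): "<ts> <client_ip> <qtype> <qname> <answer_bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def zone_of(qname, depth=2):
    """Collapse a query name to its last `depth` labels (a rough 'zone' key)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])

def chunk_like(qname):
    """Leftmost label is purely numeric/hex, as a chunk index or encoded payload would be."""
    left = qname.split(".")[0]
    return re.fullmatch(r"[0-9a-fA-F]{2,}", left) is not None

def find_txt_channels(lines, min_queries=50, min_unique=40, min_avg_bytes=200):
    """Return {(client, zone): stats} for pairs that exceed every threshold."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "bytes": 0, "chunky": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "TXT":
            continue                      # only TXT lookups matter for this check
        _, client, _, qname, size = m.groups()
        s = stats[(client, zone_of(qname))]
        s["queries"] += 1
        s["unique"].add(qname.lower())    # chunk fetches never repeat a name
        s["bytes"] += int(size)           # long TXT answers carry the payload
        s["chunky"] += int(chunk_like(qname))
    flagged = {}
    for key, s in stats.items():
        avg = s["bytes"] / s["queries"]
        if (s["queries"] >= min_queries and len(s["unique"]) >= min_unique
                and avg >= min_avg_bytes and s["chunky"] / s["queries"] > 0.9):
            flagged[key] = {"queries": s["queries"], "unique": len(s["unique"]),
                            "avg_bytes": round(avg)}
    return flagged

# Constructed sample: one host fetching 60 numbered chunks, plus benign SPF/DMARC lookups.
SAMPLE = [f"t{i} 10.0.0.7 TXT {i:04d}.chunks.example.test 255" for i in range(60)]
SAMPLE += ["t99 10.0.0.8 TXT example.com 60", "t100 10.0.0.8 TXT _dmarc.example.com 90",
           "t101 10.0.0.7 A www.example.com 16"]

if __name__ == "__main__":
    for (client, zone), s in find_txt_channels(SAMPLE).items():
        print(f"{client} -> {zone}: {s}")
```

The relay point raised later in the thread (internal resolvers forwarding the queries) is why this should run on the recursive resolver's logs rather than only at the perimeter.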

@k3ym0 new cloud storage just dropped
DNSFS. Store your files in others DNS resolver caches

GitHub - velzie/bookmarkfs: Exploit chrome's profile sync for free cloud storage
@k3ym0 you may already know this, but on a related note you can tunnel basically any IPv4 traffic over DNS: https://code.kryo.se/iodine/
kryo.se: iodine (IP-over-DNS, IPv4 over DNS tunnel)

iodine is a free (ISC licensed) tunnel application to forward IPv4 traffic through DNS servers (IP over DNS). Works on Linux, FreeBSD, NetBSD, OpenBSD and Mac OS X.

@tarix29 @k3ym0 we used this in uni when data caps were reached... but dns resolves were still allowed :)
@tarix29 @k3ym0 Hmm, IPv4 and MD5… hello 1991!
@k3ym0 shit like this makes me glad I no longer work in #cybersec

@k3ym0
IP over DNS has been a thing for a while now, sometimes used to bypass captive portals for paid internet access


@sabik @k3ym0 ...go on?
DNS outbound tends to be allowed even when other protocols are not. If you run your own DNS server you can use DNS to tunnel any traffic you want. @sabik @arichtman @k3ym0
@k3ym0 shit. Time to do Bad Apple on DNS.
@dago @k3ym0 We already had a rickroll over DNS on #38C3, by the team from @dns
@dago @k3ym0 @dns And I already was surprised, it wasn't bad apple, back then.
@k3ym0 The concept is very old, I was using dns2tcp to have free wifi on plane trips in 2010 and even before during pentests. Long TXT replies trigger red alerts on most intrusion detection systems nowadays.
@k3ym0 now... can it do deathmatch over doom over dns? :3
@k3ym0 For quite a loose definition of "run".

@k3ym0
> covert data exfil channel

as if iodine wasn't already a thing

@k3ym0 DNS haiku just got a lot bloodier...

@k3ym0 I used to have the entire text of the Magna Carta in TXT records in a subdomain.

Even during the early 1990's on the Interop show networks we discovered people streaming lewd stuff via DNS-looking UDP packets.

(Another channel that we used, but it only works on a LAN, is to use the space between the end of a short IP packet and the end of the enclosing Ethernet frame. [Short IP packets are smaller than the minimum size of Ethernet frames.] This was largely used for license key exchanges.)

@k3ym0 "Bonus: this is a fully functional globally-distributed covert data exfil channel that your NGFW will never fucking see if you're not doing deep DNS inspection. Sleep well."

This hasn't worked for a decade. Most serious companies don't allow DNS queries to servers outside of their network. The only endpoints allowed to do that are the corporate internal DNS.
With DoH I'm also not sure that will work because of the corporate web proxy.

There are so many easy ways to exfiltrate data ... Why spend time building something over DNS when you can simply upload the files or exploit USB keys? It's not hard to bypass FW and EDR policies.

@ck0

Most serious companies don't allow DNS queries to servers outside of their network.

Oh my sweet, sweet, child. If only this were true. I could name-drop several multi-billion $ enterprise orgs that still don't do this.

@k3ym0 @ck0

Even if they don't allow queries beyond the internal servers. Guess what the internal servers are doing?
They are relaying the queries and answers.

@k3ym0 This post is wild but the stuff people are sharing in the comments is great hahaha
@k3ym0 Jeez. We were abusing DNS as http proxy caches in 1993. Some people were doing chat over DNS. Some of them WERE the engineers who were involved in standardization.
@k3ym0 I have always wondered where the "power source" they are tapping Hell for in DOOM came from. Turns out it was the DNS engineers spinning in their graves all along.
@k3ym0 this is similar to how DeCSS (DVD decryption code) was distributed over 25 years ago when there was an attempt to suppress it online.

@k3ym0 Not DOOM, but this has been one of Infoblox's favorite sales demos for ages.

"Check out all this information we can exfiltrate from your network directly from a web browser via only DNS queries" always gets people's attention

@k3ym0 oh we may be able to make it worse...doom via standards-compliant dns direct content serving (assuming https://datatracker.ietf.org/doc/draft-dns-content-delivery/ goes through)
DNS-Based Content Delivery & Fallback Mechanism

This document specifies a mechanism for serving content, such as HTML or JSON, directly via DNS TXT records. This feature is intended as a fallback mechanism when a primary service (A/AAAA record) is unreachable, or as a lightweight hosting solution for parked domains to display landing pages without requiring active HTTP servers or individual SSL certificates. Trust is established via DNSSEC, allowing browsers to treat the content as secure.

@k3ym0 I was at Defcon 12 when Kaminsky demoed sending voice over DNS. Glad to see the tradition continue.
@k3ym0 Think of all the times you've wanted to take a shotgun to DNS. Now you can. Or a chainsaw.

@k3ym0

DNS: "Tell them it was me."

https://imgflip.com/i/ans5i3

Always Has Been
@k3ym0 DOOM over DNS, never thought I'd see the day.
@k3ym0 in today's episode of "this is lazy ai vibe-coded slop":
@EeveeEuphoria @k3ym0 when i don't know C# i go to msdn.microsoft.com and figure things out instead of doing anything i can to avoid learning. Kids these days 🙄
@EeveeEuphoria oh noooo 😭
@k3ym0 image ID: a screenshot of the setup in action, showing DOOM being played in one window while a terminal window shows ASCII art reading "DOOM OVER DNS" plus other output.
@k3ym0
"Those engineers are spinning in their graves"
1987 was less than 40 years ago and as far as I can tell the author is still alive and active.
@Flo_Rian @k3ym0 Yep - first reaction: "Wait, who buried Paul Mockapetris alive?!"
@k3ym0 While DOOM is a pretty effective demo, I can't help but feel NES ROMs, which run anywhere from 24KB to 512KB would have been even more effective (and would seriously piss Nintendo off in the process, for a double win)
@k3ym0 holy shit, awesome! this sounds like a passage from @pluralistic little brother, I can't spoil it any further, but it involves dns
@k3ym0 I did long ago work out that DNS is jolly good at distributing fairly static hierarchical datasets, because it inherently caches. For instance, they were once used to route faxes to appropriate gateways on the old tpc.int email to fax service. I also worked out a postcode to address and postcode geocoding schema.
@k3ym0 holy shit that is next level 'because I could'. Mad props.
@k3ym0
Ho. Lee. Shit
Was it already encoded in morse code?
This clearly HAD to be done, but not by anyone i know.

@k3ym0

Far's I know, Paul Mockapetris is still with us... Maybe @MrDNS would know for sure.

@k3ym0 THE DLLS ARE IN DNS
@k3ym0 I've just played with DNS settings for the first time in half a century's worth of life, so I'm both hella impressed and underwhelmed 😂😂😂
@k3ym0 lol that's some scary but super exciting reality.
@k3ym0 I just need to point out that I had nothing to do with this.