Mastodawn

Joe Fahs 22h ago

In today's episode of "Can It Run Doom": DNS fucking TXT records.

Some absolute madlad (cough Adam Rice cough) compressed the entire shareware DOOM WAD, split it into around 1,964 chunks, shoved them into Cloudflare TXT records, and wrote a PowerShell script that reassembles and runs the whole goddamn game from DNS queries alone. Nothing touches disk. The DLLs are in DNS. THE FUCKING DLLS ARE IN DNS.

RFC 1035 was written in 1987. Those engineers are spinning in their graves fast enough to generate municipal power.

Bonus: this is a fully functional globally-distributed covert data exfil channel that your NGFW will never fucking see if you're not doing deep DNS inspection. Sleep well.

blog: https://blog.rice.is/post/doom-over-dns/

repo: https://github.com/resumex/doom-over-dns

Also lmao @ every blue team that has never once looked at their DNS query volume. How's that DLP policy working out for you.

It was always DNS.

#infosec #dns #doom #itisalwaysdns

kajer :notverified:1d ago

@k3ym0 new cloud storage just dropped

kajer :notverified:1d ago

@k3ym0 big DNSFS energy

https://blog.benjojo.co.uk/post/dns-filesystem-true-cloud-storage-dnsfs

DNSFS. Store your files in others DNS resolver caches

Talya (she/her) 🏳️‍⚧️✡️1h ago

@kajer @k3ym0 i was thinking of BookmarkFS
https://github.com/velzie/bookmarkfs

GitHub - velzie/bookmarkfs: Exploit chrome's profile sync for free cloud storage

Exploit chrome's profile sync for free cloud storage - velzie/bookmarkfs

GitHub

B'ad Samurai 🐐🇺🇦1d ago

@k3ym0 you may already know this, but on a related note you can tunnel basically any IPv4 traffic over DNS: https://code.kryo.se/iodine/

kryo.se: iodine (IP-over-DNS, IPv4 over DNS tunnel)

iodine is a free (ISC licensed) tunnel application to forward IPv4 traffic through DNS servers (IP over DNS). Works on Linux, FreeBSD, NetBSD, OpenBSD and Mac OS X.

Jeroen Baert 1h ago

@tarix29 @k3ym0 we used this in uni when data caps were reached... but dns resolves were still allowed :)

Stuart Longland (VK4MSL)1h ago

@tarix29 @k3ym0 Hmm, IPv4 and MD5… hello 1991!

nackmack 20h ago

@k3ym0 shit like this makes me glad I no longer work in #cybersec

@k3ym0
IP over DNS has been a thing for a while now, sometimes used to bypass captive portals for paid internet access

#infosec #dns #doom #itisalwaysdns

"Musty Bits" McGee 17h ago

@sabik @k3ym0 ...go on?

Ben Aveling 1h ago

DNS outbound tends to be allowed even when other protocols are not. If you run your own DNS server you can use DNS to tunnel any traffic you want. @sabik @arichtman @k3ym0

Simon Dassow 17h ago

@k3ym0 Doom Network Service 🎉

k3ym𖺀 11h ago

@simondassow Doom-aaS?

Danielius Goriunovas // dago 16h ago

@k3ym0 shit. Time to do Bad Apple on DNS.

Aris Adamantiadis

💲Paid 15h ago

@k3ym0 The concept is very old, I was using dns2tcp to have free wifi on plane trips in 2010 and even before during pentests. Long TXT replies trigger red alerts on most intrusion detection systems nowadays.

Renalia - #1 pizza downloader 14h ago

@k3ym0 now... can it do deathmatch over doom over dns? :3

Tor Lillqvist 13h ago

@k3ym0 For quite a loose definition of "run".

Wolf480pl 13h ago

@k3ym0
> covert data exfil channel

as if iodine wasn't already a thing

@k3ym0 "good luck if you're not doing deep DNS inspection"

iodine, dnscat, and literally every other DNS tunneling technique that has existed in the past 20-ish years: lol. lmao, even.

Still, quite impressive, but saying this shit is a hard to detect covert channel is unmitigated bullshit.

k3ym𖺀 9h ago

@da_667 iodine and dnscat also have 20 years of signatures, known patterns, and detection logic baked into tooling. This doesn't.

But honestly that's beside the point. "Detectable" and "detected" are two very different sentences. iodine has been detectable for 20 years and I've watched it walk right out of enterprise networks that had no idea. Known technique != mature detection coverage in the median org.

SMB's are running Server 2008r2 with a Watchguard FW and a prayer. Mid-market is logging DNS at the firewall level and calling it done.

"Detectable in theory by a mature SOC" and "hard to detect in most real environments" are not mutually exclusive statements.

* Cries in DoH-allowed-networks *

/point
/laugh

Yeah, I tend to agree with this take. Reliably catching techniques like DNS tunneling, DGA, etc., looks trivial until you try it on noisy real world networks with all sorts of idiosyncratic constraints, and also when you realize that what we consider "trivial" is often considered "impractical" or "impossible" for most real world orgs.

@DaveMWilburn @k3ym0 I'm well aware that trying to base your detection on shannon entropy is an exercise in futility, as most cloud providers have the "malware to ops DGA that looks like its very malicious" down pat. But I will still say, if you suddenly are getting assloads of TXT records with the same domain in common, so long as you have DNS logs at all, you can probably do some form of statistical analysis and notice that this number of DNS TXT records from one place looks really fucking jank.

@DaveMWilburn @k3ym0 I'm also somewhat aware that, there are some services that use TXT records for validation (SPF), and I've heard that some apple services use them for their messenger programs. I've also seen Sophos doing incredibly dumb things with TXT records, but my point still stands is that if you have any capacity for DNS logs, then shit like this sticks out like a sore thumb.

However, I can acknowledge my experiences and yours are two different things. Thats fine. I can be wrong.

@k3ym0 DNS haiku just got a lot bloodier...

Karl Auerbach 8h ago

@k3ym0 I used to have the entire text of the Magna Carta in TXT records in a subdomain.

Even during the early 1990's on the Interop show networks we discovered people streaming lewd stuff via DNS-looking UDP packets.

(Another channel that we used, but it only works on a LAN, is to use the space between the end of a short IP packet and the end of the enclosing Ethernet frame. [Short IP packets are smaller than the minimum size of Ethernet frames.] This was largely used for license key exchanges.)

@k3ym0 "Bonus: this is a fully functional globally-distributed covert data exfil channel that your NGFW will never fucking see if you're not doing deep DNS inspection. Sleep well."

Doesn't work anymore for a decade. Most serious companies don't allow DNS queries to servers outside of their network. The only endpoints allowed to do that are the corporate internal DNS.
With DoH I'm also not sure that will work because of the corporate web proxy.

To make data exfiltrations there are so many easy ways to do so ... Why spending time to make something over DNS when you can simply upload the files or exploit USB keys, it's not hard to bypass FW and EDR policies.

k3ym𖺀 1h ago

Most serious companies don't allow DNS queries to servers outside of their network.

Oh my sweet, sweet, child. If only this were true. I could name-drop several multi-billion $ enterprise orgs that still don’t do this.

Jonathan Yu 7h ago

@k3ym0 This post is wild but the stuff people are sharing in the comments is great hahaha

poetaster 7h ago

@k3ym0 Jeez. We were abusing DNS as http proxy caches in 1993. Some people were doing chat over DNS. Some of them WERE the engineers who were involved in standardization.

Methylzero 6h ago

@k3ym0 I have always wondered where the "power source" they are tapping Hell for in DOOM came from. Turns out it was the DNS engineers engineers spinning in their graves all along.

Retrofan 64 6h ago

@k3ym0 this is similar to how DeCSS (DVD decryption code) was distributed over 25 years ago when there was an attempt to suppress it online.

gloriouscow 5h ago

@k3ym0 Not DOOM, but this has been one of Infoblox's favorite sales demos for ages.

"Check out all this information we can exfiltrate from your network directly from a web browser via only DNS queries" always gets people's attention

Stadler BLÅHAJ Evowo

@k3ym0 oh we may be able to make it worse...doom via standards-compliant dns direct content serving (assuming https://datatracker.ietf.org/doc/draft-dns-content-delivery/ goes through)

DNS-Based Content Delivery & Fallback Mechanism

This document specifies a mechanism for serving content, such as HTML or JSON, directly via DNS TXT records. This feature is intended as a fallback mechanism when a primary service (A/AAAA record) is unreachable, or as a lightweight hosting solution for parked domains to display landing pages without requiring active HTTP servers or individual SSL certificates. Trust is established via DNSSEC, allowing browsers to treat the content as secure.

IETF Datatracker

@k3ym0 I was at Defcon 12 when Kaminsky demoed sending voice over DNS. Glad to see the tradition continue.

LittleAlex 🇺🇦🇮🇱🇩🇪🇳🇴4h ago

@k3ym0 interesting vector to deploy malware

@k3ym0 Think of all the times you've wanted to take a shotgun to DNS. Now you can. Or a chainsaw.

Pseudo Nym 3h ago

DNS: "Tell them it was me."

https://imgflip.com/i/ans5i3

Always Has Been

An Always Has Been meme. Caption your own images or memes with our Meme Generator.

Imgflip

@k3ym0 DOOM over DNS, never thought I'd see the day.

neopossum_floof

Ibly 🏳️‍⚧️

@k3ym0 in today's episode of "this is lazy ai vibe-coded slop":

@EeveeEuphoria @k3ym0 when i don’t know C# i go to msdn.microsoft.com and figure things out instead of doing anything i can to avoid learning. Kids these days 🙄

Microsoft Learn: Build with answers in reach

Find official documentation, practical know-how, and expert guidance for builders working and troubleshooting in Microsoft products.

Tzimisce Flesh 2h ago

@[email protected] @k3ym0 Screams and fades into dust.

@EeveeEuphoria oh noooo 😭

Tiota Sram 2h ago

@k3ym0 image ID: a screenshot of the setup in action, showing DOOM being played in one window while a terminal widow shows ASCII art reading "DOOM OVER DNS" plus other output.