Twiglets
Senior Member
BASE64 Over DNS
The base64 character set exceeds what is allowable in DNS. However, some implementations will work even with these “invalid” characters.
https://isc.sans.edu/diary
Malware can use special characters in DNS labels as a C2 channel.
BASE64 characters that are 'outside' the RFC1035 definition are: [5 chars in total]
?+/,=
(This includes all variants of BASE64 I found mentioned in a Wikipedia article on BASE64. https://en.wikipedia.org/wiki/Base64#Variants_summary_table)
Does anyone know if dnsmasq & unbound will ALLOW these invalid DNS names to be used ???
i.e. if a nameserver returns DNS data that includes 'invalid' names will it allow it & store the data in the cache.
I know that I can define an 'invalid' DNS name in dnsmasq by quoting the name in the 'address=' line in the config file.
[address=/"121212/?+/,=abcabc"/1.2.3.4 #### DO NOT COPY ..... This does work and dnsmasq gives NO error !!!]
I am asking before I start 'Breaking' things ... as is my wont !!!
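
As an added example (not part of the original post), this is one way a defender could flag query names in a resolver log that carry the five characters listed above. The log format, function names and sample lines are constructed assumptions; the label pattern is RFC 1035's preferred syntax with the RFC 1123 allowance for a leading digit.

```python
import re

# RFC 1035 preferred label syntax (letters, digits, hyphen; no leading or
# trailing hyphen; at most 63 octets), with the RFC 1123 allowance for a
# leading digit.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# The five base64-variant characters listed in the post.
BASE64_EXTRA = set("?+/,=")

# Constructed sample lines in an assumed "<client> <qtype> <qname>" format.
SAMPLE_LOG = [
    "192.0.2.10 A www.example.com.",
    "192.0.2.11 TXT aGVsbG8+d29ybGQ=.t.example.net.",
    "192.0.2.12 A 121212/?+/,=abcabc",
    "192.0.2.13 A _dmarc.example.org.",
]


def check_name(qname):
    """Return (bad_labels, base64_chars) for one query name."""
    labels = qname.rstrip(".").split(".")
    bad = [lab for lab in labels if not LDH_LABEL.fullmatch(lab)]
    seen = "".join(sorted(set(qname) & BASE64_EXTRA))
    return bad, seen


def flag_queries(log_lines):
    """Return (client, qname, bad_labels, base64_chars) for suspect names."""
    hits = []
    for line in log_lines:
        client, _qtype, qname = line.split(None, 2)
        qname = qname.strip()
        bad, seen = check_name(qname)
        if seen:  # name carries at least one of the five listed characters
            hits.append((client, qname, bad, seen))
    return hits


if __name__ == "__main__":
    for client, qname, bad, seen in flag_queries(SAMPLE_LOG):
        print(f"{client} {qname!r} chars={seen!r} bad_labels={bad}")
```

Underscore labels such as `_dmarc` fail the label check but are not reported, because only the five listed characters trigger a hit here.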
