I should clarify I wasn’t a upper level sys admin managing those servers, I just used them or maintained accounts being a rank and file technician

While I get the fundamental concept of DNS as a phonebook for your IPs. I am not sure why it is joked around if something goes haywire or someone breaks something.

Is it because if you get no DNS, people can’t log in through their AD accounts, browse the Internet?

Afaik DNS is a bit of a rabbit hole topic, maybe that’s why people joke about it due to DNS being this “No one really knows how this magic name matching box works”?

Please correct me, I’d genuinely like to know why this is prevalent from you guys.

  • archomrade [he/him]@midwest.social
    link
    fedilink
    English
    arrow-up
    4
    ·
    3 months ago

    I’m trying to digest this

    You’re saying he was stealing data from the target server by appending it line-by-line to dns requests sent to his nameserver? Wouldn’t he have needed to both be on the target server and already have access to the data?

    • IphtashuFitz@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      3 months ago

      Our web servers are locked down in such a way that you can’t copy data off of them using standard protocols like scp, ftp, and even http, etc. Our firewall blocks all such outbound traffic.

      This hacker found a bug in a framework used on our web servers that let him execute commands remotely. When commands to copy data off the server failed using those more typical methods he switched to a more novel (and difficult) method of leveraging DNS instead. He discovered we weren’t locking DNS down the same way we were locking other protocols down and used that as a way to extract data from our server.

      • archomrade [he/him]@midwest.social
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        1
        ·
        3 months ago

        Ah, ok, that makes sense! So there was a separate bug in the framework that granted him limited remote access, but because the server had tight control over outbound connections he had to use a novel way of getting the data back out

        Basically: He crawled in through the sewer and then robbed the bank one stack of bills at a time via pigeon courier.

    • JackbyDev
      link
      fedilink
      English
      arrow-up
      4
      ·
      3 months ago

      Yes, but it’s not necessarily as simple as having full ssh access or something like that. Plus getting data out by DNS queries is probably much harder to detect than something like sftp or http posts.

    • PlexSheep@infosec.pub
      link
      fedilink
      arrow-up
      2
      ·
      3 months ago

      Could be used to exfiltrate data when you only can make commands, but not see their output. There might be other and easier exfiltration possibilities then, but this is a creative solution that uses a very common protocol and will probably be available on any machine.