
In DNS tunneling, the server uses RRs (CNAME, TXT, NULL) to send data back to the client. My question is: what is the size of the response packet, and how much data can be sent using a DNS response in a DNS tunnel?

schroeder

1 Answer

The maximum message size for DNS over UDP is 512 bytes. See RFC 5966 -

whose sizes exceed the DNS protocol's original 512-byte limit.

Or RFC 791

this size allows a data block of 512 octets plus 64 header octets to fit in a datagram

With EDNS (RFC 2671) a marker can be added allowing 4096 bytes - although in practice this often won't be accepted by older equipment / allowed through firewalls.

Alternatively DNS can run over TCP (RFC 5966) which allows unbounded messages.

The size actually used in real-world techniques will depend on the payload and the attackers' perceived risk of detection.

how much data can be sent using DNS response in DNS Tunnel ?

One attempt (Van Leijenhorst, Chin, Lowe - 2008) showed that 110 KB/s with 150 ms latency could be achieved. I'd imagine that rate comes with a fairly high risk of detection from any organization attempting to monitor for it.

Hector
  • How much data can hold TXT, CNAME, and NULL records in the RDATA field? – Claudia Nov 15 '17 at 15:53
  • Nowadays you can even run DNS over TLS and soon over HTTPS – Patrick Mevzek Apr 22 '18 at 22:39
  • @Claudia, per RFC1035 section 3.3, "standard" RR, such as TXT and CNAME (I do not know what NULL records are), are constrained to be character strings of up to 256 characters each. This is why long SPF/DKIM data in TXT is split over multiple records. – Patrick Mevzek Apr 22 '18 at 22:43
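As an added illustration (not code from the answer or the commenters above), the following Python works through the size limits discussed: `txt_capacity` computes how many payload octets a single TXT answer can carry within a given message budget (the 512-octet UDP limit or an EDNS0-advertised size), applying the RFC 1035 rule that each <character-string> is prefixed by one length octet and so holds at most 255 octets; `inspect_response` parses a response and reports what a DNS monitor would want to know: total length, the UDP payload size advertised in an OPT record, and the number of TXT payload octets. The sample response is constructed inline; the function names and the `example.com` query are assumptions.

```python
import struct
DNS_UDP_LIMIT = 512     # RFC 1035: DNS over plain UDP is limited to 512 octets
MAX_CHAR_STRING = 255   # RFC 1035 s3.3: one length octet prefixes each <character-string>

def txt_capacity(budget: int, qname: str) -> int:
    """Payload octets one TXT-record answer can carry in `budget` message bytes: 12-byte header
    + question (name + 4) + RR fixed part (2-byte name pointer + 10), RDATA in <=255-octet strings."""
    qname_len = sum(len(label) + 1 for label in qname.rstrip(".").split(".")) + 1
    rdata_room = budget - 12 - (qname_len + 4) - 12
    full, rem = divmod(max(rdata_room, 0), MAX_CHAR_STRING + 1)   # each string costs 1 extra octet
    return full * MAX_CHAR_STRING + max(rem - 1, 0)

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name; a compression pointer (top two bits 11) ends it."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg: bytes) -> dict:
    """Size facts for a monitor: total length, EDNS0 UDP payload size (OPT RR, type 41,
    carried in the CLASS field) and TXT payload octets (length prefixes excluded)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                        # question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    txt_octets, edns_size = 0, None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 16:                        # TXT: run of <character-string>s
            i = 0
            while i < len(rdata):
                txt_octets += rdata[i]
                i += 1 + rdata[i]
        elif rtype == 41:                      # OPT (EDNS0, RFC 2671)
            edns_size = rclass
    return {"length": len(msg), "edns_udp_size": edns_size,
            "txt_octets": txt_octets, "exceeds_512": len(msg) > DNS_UDP_LIMIT}

def sample_response() -> bytes:
    """Constructed sample: 'example.com TXT' answer with two strings (255 + 10 octets) and an OPT RR advertising 4096."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1)
    rdata = b"\xff" + b"A" * 255 + b"\x0a" + b"B" * 10
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)   # root name, no options
    return header + question + answer + opt
```

With a 512-octet budget and the query name `example.com`, the calculation leaves room for 469 payload octets in one TXT answer; the same message carries far more once an OPT record advertises a larger UDP size or the exchange moves to TCP.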