You never know what you'll be breaking, but you always know you'll be paying for support calls.
On Fri, Oct 7, 2011 at 12:38 PM, Hartley, Christopher <[email protected]>wrote: > I would think that at minimum, thresholds could be set on how many names to > resolve, and permitted types for unauthenticated users. Prohibit NULL and > TXT records for unauthenticated hosts - or just whitelist A and CNAMEs, > reject others. Reject the 50th (or whatever) query from an unauthenticated > host/user... I don't think NACs are using DNS tricks in the main anymore > anyway. They shouldn't be... there are much better ways. > > That said, I'm happy for this condition to exist permanently so long as I'm > not responsible for the traffic. > > > On Oct 7, 2011, at 10:26 AM, James Wright wrote: > > Actually, yes, they could provide bad data. I believe (perhaps > erroneously) that Comcast does this. Probably other service providers do > too. Until you are authenticated to use their network you are redirected to > a service page that can help authenticate you. If you have connectivity > issues (like bad cached DNS entries) after authenticating you are to reboot > (or otherwise clear the local DNS cache). > > I don't really see why Verizon could not do similar. All DNS traffic from > an unauthenticated user/machine would be redirected to a DNS server that > only returned the appropriate service page. Most or all other traffic would > be blocked. Much like NAC. > > > Thanks, > James > > > On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky <[email protected]> wrote: > >> One major reason it sticks around is -- what are you supposed to do, >> return bad data until the user is properly logged in? It might get cached >> -- and while operating systems respect TTL, browsers most assuredly do not >> ("well, it MIGHT take us somewhere good"). >> >> It's not like there's a magic off switch that makes this go away. >> >> On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker < >> [email protected]> wrote: >> >>> Yes, I've found that DNS tunneling works well at the college I go to on >>> their WIFI. I've never gotten ICMP tunneling to work myself (outside of a >>> virtual machine), but I have some code laying around somewhere that can do >>> it just in case I need it for something sometime. Just thought it would be >>> interesting to some people that it works on such a large provider as >>> Verizon. The only problem with it that I see is that it's quite slow. But >>> if it works, so be it. Good for checking email and browsing the web and >>> such on the road. But I wouldn't try to torrent a linux distro with it, >>> haha. >>> >>> --oxagast >>> >>> On Fri, Oct 7, 2011 at 7:39 AM, BH <[email protected]> wrote: >>> >>>> This comes in handy when travelling, I also found a few places where >>>> ICMP tunnelling works well. >>>> >>>> >>>> On 7/10/2011 6:35 PM, Dan Kaminsky wrote: >>>> >>>> Works mostly everywhere. It's apparently enough of a pain in the butt >>>> to deal with, and abused so infrequently, that it's left alone. >>>> >>>> On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker < >>>> [email protected]> wrote: >>>> >>>>> I recently noticed that you can tunnel TCP through DNS (I used iodine) >>>>> to penetrate Verizon Wireless' firewall. You can connect, and if you can >>>>> hold the connection long enough to make a DNS tunnel, then the connection >>>>> stays up, then use SSH -D to create a proxy server for your traffic. >>>>> Bottom >>>>> line is, you can use the internet without paying. I made a video of it. >>>>> It >>>>> can be seen here: >>>>> http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I >>>>> tried to contact Verizon on their security blog about it a few weeks ago >>>>> at >>>>> http://securityblog.verizonbusiness.com/ however, I have not had a >>>>> response. This technique still works as of this posting. Maybe this will >>>>> help them get their act together ;-) >>>>> >>>>> --oxagast >>>>> >>>>> _______________________________________________ >>>>> Full-Disclosure - We believe in it. >>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>>> >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>> >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
