Re: IN TXT & NULL trash records

Thu, 22 Nov 2018 07:14:19 -0800

I have read the following story about VPN tunnelling over port 53 at a mobile carrier but that is related to routing and I would trust that unbound is not the tool/place to control/analyse routing or be in charge of network traffic/package payload control, though bind features >  rate-limit { responses-per-second ;    } <

Back in 2015 I discovered by accident that VPN traffic through port 53 on Verizon was not monitored by whatever they use to calculate data usage. Even better, it worked on deactivated sim cards for a few months after they were deactivated. Basically this meant I could dig around in the local Verizon store's dumpster every few months to find sim cards, pop them into a portable hotspot, and use a VPN over 53 for completely free, unthrottled data on Verizon without even having an account with them. I was a broke high school student and my parents wouldn't allow me to have service on my phone at the time so this was a life saver. 

Fast forward to a couple months ago, someone else gets root on the mifi 6620L, finds the loophole, and decides to sell mifi's with a VPN client or proxy installed that redirected everything through port 53. Basically resulting in a seamless experience for free unlimited data. These hacked devices sold for $300+ on eBay. Of course, after it was in the wild Verizon started DPIing port 53 and now nothing gets through. 


On 22.11.2018 15:07,  via Unbound-users wrote:
I happened to hear from some DNS operators at some mobile carriers the other day who are scratching their heads about DNS tunnelling; they zero-rate DNS traffic for a variety of sensible reasons, but some of their more cunning customers have noticed that if they stop caring so much about performance, zero-rating DNS traffic can be turned into zero-rated mobile data. 
It sounds like outlier identification (to find the unusually talkative mobile terminals) and rate-limiting (to make tunnelling painful without stamping too hard on DNS resolution) are the tools people have to work with. It might be nice if there were some convenient recipes for tuning unbound to do that kind of thing (from the perspective of the DNS operator/carrier, I guess, not the mobile terminal user).


Joe

Reply via email to