Can it Resolve DOOM? Game Engine in 2,000 DNS Records – blog.rice.is

Summary

If you’ve ever poked at one of my CTF challenges, you’ve probably noticed a pattern - I love hiding payloads in TXT DNS records. I stash the malicious code in a TXT record, have the implant query for it at runtime, and now suddenly the payload is being delivered by the same infrastructure that resolves grandmas-cookie-recipes.com. It’s trivially easy to set up and surprisingly annoying to catch forensically, because who’s flagging the historic contents of TXT records? I’ve always suspected the technique could go further than staging shellcode. TXT records are just arbitrary text fields with no validation. If you can store a payload, you can store a file. If you can store a file, you can store a program. And if you can store a program… well, it can probably run DOOM. WTF is DNS For the blissfully uninitiated, DNS is the system that turns domain names into IP addresses. You type google.com and DNS tells your browser where to go. It’s one of the oldest protocols on the internet and it is deeply, profoundly boring. But DNS also supports TXT records, these little text fields originally intended for things like email authentication. The key word there is “intended.” Nobody actually validates what you put in them. You can write whatever you want - a love letter, a recipe, or in this case base64-encoded binary data. Each TXT record can hold about 2,000 characters of text. A single DNS zone can support thousands of records. Public DNS is also globally distributed, cached at edge nodes all over the world, and publicly queryable by anyone with an internet connection. It is (if you squint hard enough) a free, worldwide, serverless key-value store. Naturally, I wanted to store my movie collection in it. Duck.jpg The proof of concept was shockingly easy. Take a file, Base64-encode it, split it into chunks, and upload each chunk as a TXT record. Add a metadata record so the reassembly script knows how to put it back together, and that’s it. I tested it with a picture of a duck and...