> Once upon a time, a government auditor insisted to me that keystroke loggers had to run as root, otherwise they would not function properly. So, I wrote a keystroke logger that ran as a normal user and showed it to him.
> He wasn’t amused. He said that I was violating government IT policy by demonstrating the program to him.
I once had a government inspector write us up because the secondary containment for our waste solvents was plastic, not stainless steel (the instruments emitted the solvents into glass containers, so this is just for spillage or minor overflows). I pointed out that these solvents were highly reactive with metals and our safety officer had specified plastic. She didn't care, so we got a ticket.
I went and got some stainless steel pans and placed the plastic containers inside them. Then I wrote back that I had purchased the steel pans and that the glass collection vessels were now enclosed with the steel pans. They canceled the ticket.
Generally I'm in favor of safety regulations but sometimes the enforcers are nuts. This was not the only such run-in I've had.
Worth mentioning the Iodine project which allows for arbitrary IPv4 to be tunnelled over DNS, which can be useful on a few different restrictive networks.
I'm running one on an older RPi at home. Never really "needed" it, but sending text messages for free from an airplane wifi somewhere above the atlantic ocean felt like a nice nerdy flex.
I've seen it work on most wifi networks where you need to log in (or check a box) on a web portal before access. Basically anything that uses HTTP redirect captive portals will probably work, as UDP port 53 isn't blocked.
For a variation of this technique see this handy privacy-preserving metrics collection golang library that uses DNS: https://github.com/Jigsaw-Code/choir
Currently used by the Jigsaw group at Google to collect metrics from behind censoring ISPs.
Thinkst Canary use DNS tunnelling to facilitate comms with honeypots. DNS tunnelling is a great way to monitor activity on controlled access networks without opening ports and substantially expanding the attack surface.
I think an allow-based DNS RPZ policy could potentially address this. If you could define the names that clients ought to talk to. It may be a moving target, but worth trying.
I had fun a few years ago bypassing captive portals using iodine to tunnel traffic over DNS. However, now that I'm professionally on the defensive side, this was one of the methods of data exfiltration that was really hard to block on AWS until recently. While GuardDuty may trigger on reckless usages of such an approach, more cautious ones are slipping under the radar and preventing them implied replacing Route53 with a custom solution (pretty impractical). Thankfully, AWS recently allowed access to Route53 logs (https://aws.amazon.com/blogs/aws/log-your-vpc-dns-queries-wi...) that can be monitored to spot abnormal behavior.
You don't need that. TTL zero and DNS query header IDs are enough. You could even implement a threaded chat, using the ID as a responded-to sorting mechanism.
Also, TXT can contain binary data, and when using DNS over TCP it is pretty much unlimited in frame size.
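The two comments above describe the framing of such a tunnel: upstream data in the query name, the 16-bit header ID as a sequence number, binary downstream data in a TXT answer with TTL 0 so resolvers will not cache it, and a 2-byte length prefix when the message goes over TCP. The block below is an added example (not the commenters' code, not iodine) that builds and parses both sides of that exchange with raw `struct` packing; the zone `t.example.net`, the chunk size and the constructed payload bytes are assumptions.

```python
import base64
import random
import struct

QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        assert 0 < len(raw) <= 63, "DNS label must be 1..63 bytes"
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(pkt, off):
    """Parse a name at offset `off`, following compression pointers (0xC0xx).
    Returns (name, offset just past the name in the original position)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(qid, chunk, zone):
    """Upstream: payload chunk as a base32 label, sequence number in the header ID."""
    label = base64.b32encode(chunk).decode().rstrip("=").lower()
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(f"{label}.{zone}") + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def parse_query(pkt):
    qid = struct.unpack("!H", pkt[:2])[0]
    name, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return qid, name, qtype, off + 4


def label_to_bytes(label):
    """Undo the stripped base32 padding before decoding."""
    return base64.b32decode(label.upper() + "=" * (-len(label) % 8))


def build_txt_response(query_pkt, data, ttl=0):
    """Downstream: echo the question, add one TXT answer carrying arbitrary
    bytes split into <=255-byte character-strings. TTL 0 defeats caching."""
    qid, _name, _qtype, qend = parse_query(query_pkt)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    rdata = b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                     for i in range(0, len(data), 255))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + query_pkt[12:qend] + answer


def parse_txt_response(pkt):
    """Returns (id, ttl of the TXT record, concatenated TXT bytes)."""
    qid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    _, off = decode_name(pkt, 12)
    off += 4  # skip qtype/qclass
    out, ttl = b"", None
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _rclass, rttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:
            ttl = rttl
            i = 0
            while i < len(rdata):
                n = rdata[i]
                out += rdata[i + 1:i + 1 + n]
                i += 1 + n
    return qid, ttl, out


def tcp_frame(pkt):
    """DNS over TCP: 2-byte big-endian length prefix, so up to 65535 bytes."""
    assert len(pkt) <= 0xFFFF
    return struct.pack("!H", len(pkt)) + pkt


def client_encode(data, zone, chunk_size=30):
    """30 bytes -> 48 base32 chars, within the 63-byte label limit."""
    return [build_query(seq, data[i:i + chunk_size], zone)
            for seq, i in enumerate(range(0, len(data), chunk_size))]


class TunnelServer:
    def __init__(self, zone):
        self.zone, self.chunks = zone.lower(), {}

    def handle(self, pkt):
        qid, name, _qtype, _ = parse_query(pkt)
        assert name.lower().endswith("." + self.zone), "query outside tunnel zone"
        self.chunks[qid] = label_to_bytes(name.split(".")[0])
        reply = struct.pack("!H", qid) + b"\x00\x01\x02\xff"  # constructed binary payload
        return build_txt_response(pkt, reply, ttl=0)

    def reassemble(self):
        return b"".join(self.chunks[k] for k in sorted(self.chunks))  # order by header ID


def run_demo(data=b"hello from behind the captive portal", zone="t.example.net"):
    queries = client_encode(data, zone)
    random.Random(1).shuffle(queries)  # out-of-order delivery; IDs restore the order
    server = TunnelServer(zone)
    downstream = {}
    for q in queries:
        qid, ttl, payload = parse_txt_response(server.handle(q))
        downstream[qid] = (ttl, payload)
    return server.reassemble(), downstream


if __name__ == "__main__":
    print(run_demo())
```

Over UDP the whole response still has to fit in 512 bytes unless the client advertises EDNS, which is why the size freedom the comment describes only really applies once the exchange moves to TCP framing.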
If you're using DNS over TLS (or HTTPS, whatever) to the origin, sure, third parties are limited.
If you're doing DNS over TLS to a public resolver that then transmits to an origin, that resolver is a third party that can see requests and responses.
In the text-only browser I use I disable dns-prefetch by editing the source code. It may be possible to disable dns-prefetch in Firefox through configs.^1 Good luck with other browsers.