Hello and welcome to the Thursday, September 11th,

2020-5 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu graduate certificate program in

penetration testing and ethical hacking. Well, today's diary was inspired by a story I covered

last week about botnet that used DNS for remote command and control, but they encoded the commands using base 64.

Did he today notice, well, hey, base 64 actually contains a couple characters like the slash

and the equal symbol that must not show up in DNS host names.

So how did they actually do it? Well, it turns out as so often

that sometimes things that aren't supposed to work still work under certain circumstances.

And what did he found out is that, for example, NS Lookup. If some of these odd characters

are being returned, well, it works just fine with NS lookup.

This is actually an important lesson that I often cover when I'm talking about web application security,

that you can't really trust that protocols like DNS only return valid content.

I think it was a few years ago I've written about this and maybe I have to write about

it again because I'm not sure where it ended up.

But for example, it is certainly possible to do things like SQL injection and cross-site

scripting over DNS.

If you're not careful in cleaning up and validating responses,

you're getting back via DNS, very famously, who is, of course.

Now, that's just plain text.

There are a number of who is entries that have existed in the past with exploits in

...