Frederic Cambus

Home · Archives · Text Mode · GitHub · Twitter · RSS

Distributing files via DNS


After publishing my Storing ASCII art in the DNS post last year, I've been thinking about using the same method to distribute files.

While transmitting data over DNS is not a new concept, I believe it has never been done using NAPTR records. The well known iodine DNS tunnel uses NULL resource records to transmit binary data, but I wanted something which can be used with standard tools like dig. On this topic, I've recently read the Internet Draft defining the SINK resource record and it seems like it could be used and abused for some fun hacks.

Back to today's topic though. The idea behind this experiment is to encode a given file in base64, and then create a NAPTR record for each line of the ouput.

I used the following shell script to produce the zone file:

base64 rrda-1.01.tar.gz -b 64 | while read line;
    echo $1 'NAPTR' $counter '10 "" "'$line'" "" .'
    let "counter++"

Please note that this snippet was created and tested on Mac OS X. On Linux, the -b option needs to be replaced by -w to wrap encoded lines.

We can query the zone to check the content of NAPTR records:

dig NAPTR +short +tcp

Once we get the NAPTR records content, we can strip the leading and trailing data to get our lines back in the original order, and decode the base64 data to recreate the file.

And here is a one-liner to get the original file back and pipe it through tar:

dig NAPTR +short +tcp | sort | sed -e 's/[0-9]* 10 "" "//g;s/" "" .//g' | base64 --decode | tar xvfz -
For extra points, the zone used to distribute files can be signed with DNSSEC, in order to create a secure file distribution channel. This is left as an exercise to the reader.