Description
Although the various routes a DNS request can take afford some protection, it would be good to identify ways to make traffic identification a little harder than writing a RegEx.
Ideally, it should be possible to do so without making processing on the listener end too cumbersome. There's a balance to be struck between traffic being identifiable and being able to easily discard irrelevant queries.
Haven't decided yet whether to actually implement any solutions to this issue, though a basic PoC would probably be useful for testing.
Activity
2015-04-23 08:15:15
The best way to make the traffic blend in is probably to look at adjusting the query strings to be a closer match for FQDNs that are common (if not user-visible) on the net.

CDNs, for example, often have the user-visible domain CNAME'd to a pretty involved FQDN, so mimicking the schema used by one of those could help traffic blend in.

In a similar vein, the output of PTRs against ISP routers could give plausible hostname-like patterns which could be mimicked.

The main identifiable element in the current query syntax is that we have three short labels, followed by a much longer label, followed by the 'addressee' domain.

It'll always be possible to write a regex to pull the queries out (and at the moment we rely on that being the case, as we may not be listening on the nameserver itself), but it'd be good if we can make it harder to be sure that that RegEx will only ever pull out DNSChat traffic.
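The following is an added illustration of the trade-off discussed in this issue; it is not DNSChat's own code and does not reproduce its real wire format. It assumes a hypothetical addressee domain (example.com), a hypothetical "plain" encoding with the shape the comment describes (three short numeric labels, one long base32 label, the domain), and a hypothetical CDN-shaped alternative that spreads the payload over uniform-length hex labels, folds the sequence metadata into an "edge"-style label, and appends a short checksum label so the listener can reject unrelated queries cheaply. The payload and the benign-looking lookalike name are constructed for the example.

```python
import base64
import hashlib
import re

DOMAIN = "example.com"   # hypothetical addressee domain (not DNSChat's)
CHUNK = 12               # hex characters per label in the CDN-shaped scheme


def encode_plain(seq: int, frag: int, total: int, payload: bytes) -> str:
    """Hypothetical query with the shape the comment describes:
    three short labels, one long base32 label, then the addressee domain."""
    data = base64.b32encode(payload).decode().rstrip("=").lower()
    return f"{seq}.{frag}.{total}.{data}.{DOMAIN}"


# The kind of RegEx a listener (or a defender) can write against that shape.
PLAIN_RE = re.compile(
    r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.[a-z2-7]{16,63}\." + re.escape(DOMAIN) + r"$"
)


def encode_cdn_like(seq: int, frag: int, total: int, payload: bytes) -> str:
    """Same payload, reshaped to resemble CDN-style hostnames: uniform hex
    labels (like content hashes), an 'eNN-NN-NN' edge-style label carrying
    seq/frag/total, and a 6-hex-char checksum label over the rest.
    Each label stays well under the 63-octet DNS label limit."""
    hexdata = payload.hex()
    chunks = [hexdata[i:i + CHUNK] for i in range(0, len(hexdata), CHUNK)]
    meta = f"e{seq:02d}-{frag:02d}-{total:02d}"
    body = ".".join(chunks + [meta])
    check = hashlib.sha256(body.encode()).hexdigest()[:6]
    return f"{body}.{check}.cdn.{DOMAIN}"


def listener_filter(qname: str):
    """Cheap accept/reject on the listener side: suffix match first, then the
    checksum, then the metadata label. Returns (seq, frag, total, payload) for
    a query we emitted, or None for anything else (including lookalikes)."""
    suffix = ".cdn." + DOMAIN
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) < 3:            # need at least one chunk, meta, check
        return None
    *chunks, meta, check = labels
    body = ".".join(chunks + [meta])
    if hashlib.sha256(body.encode()).hexdigest()[:6] != check:
        return None                # not ours, or tampered
    m = re.fullmatch(r"e(\d{2})-(\d{2})-(\d{2})", meta)
    if m is None:
        return None
    try:
        payload = bytes.fromhex("".join(chunks))
    except ValueError:
        return None
    return tuple(int(x) for x in m.groups()) + (payload,)


def tamper_checksum(qname: str) -> str:
    """Helper for demonstration: replace the checksum label with a value that
    can never be a hex digest prefix, so the listener must reject it."""
    labels = qname.split(".")
    labels[-4] = "zzzzzz"          # the check label sits before 'cdn.example.com'
    return ".".join(labels)


if __name__ == "__main__":
    payload = b"hello dnschat"    # constructed sample payload
    plain = encode_plain(1, 1, 1, payload)
    cdn = encode_cdn_like(1, 1, 1, payload)
    print(plain, bool(PLAIN_RE.match(plain)))
    print(cdn, bool(PLAIN_RE.match(cdn)))
    print(listener_filter(cdn))
    print(listener_filter("d3f4a9b1c2e0.static.cdn." + DOMAIN))   # constructed lookalike
    print(listener_filter(tamper_checksum(cdn)))
```

The point the demonstration makes is the one raised above: the plain shape falls to a one-line RegEx, while the CDN-shaped form does not match that RegEx, yet the listener still discards unrelated or damaged queries with a suffix check and one hash. Whoever is watching can of course write a new RegEx for the second shape too; the gain is only that it is harder to be sure such a pattern matches DNSChat traffic exclusively.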