[TriLUG] using sshd tunnelling for dns request

Clay Stuckey claystuckey at gmail.com
Wed Jan 27 21:03:57 EST 2010


Even if it is not NIPRNET, and it is a camp-wide wifi network intended  
for the morale of the troops, there are always policies in place and  
typically with good reason. Use of non-DoD web-based email is
prohibited. All soldiers are issued email accounts that can be used to
communicate with family and friends. Sites such as Skype, Gmail,
Hotmail and things like that are prohibited because they do not allow
the DoD to not only protect the local machines but also monitor
activity and filter traffic. I know this is where some people may go
"1984" on me. I am sure that if you have family deployed, you don't  
want someone else to relay troop movements back home to grandma and  
have the bad guys catch the info. Also regarding DNS, that is a real  
big deal because there is a huge DNS black hole list that the DoD  
maintains. This helps to prevent our boys from unknowingly accessing a  
malicious site.

I have seen the good, the bad and the ugly when it comes to  
information security in the DoD. It is absolutely there for a reason.  
While they sometimes miss the mark, they hit it most of the time. To  
tunnel or proxy any traffic is going to be a violation of DoD policy  
and will open up potential security risks. I know this is most likely  
a personal use network but sensitive information has a tendency to  
become mobile. For this reason, the DoD extends some of its  
information security policy to these MWR networks.

If the DNS server is unreliable due to outages, the problem can be  
resolved. If it is unreliable because some sites are filtered out,  
that is an issue that you will have to take up with the local IA team.  
If there is a specific site, ask them about it. There is a small  
possibility that it has been blacklisted in error. I have seen cases  
like these in the DNS for the US Naval Fleet as well as an Army camp  
in Africa. Once I found the errors, I was able to verify/document that  
they were not on the official DNS Black Hole List and have the entries  
removed.

Clay Stuckey


> Wifi suggests this is not a military network, but rather a camp wide
> network put on by an AAFES sub-contractor.  Chip, if it is
> local-national run, it would be best if you sent him a live linux CD
> instead of XP.  Just my opinion.



