Landon Fuller put together a secret message passing system that exploits a feature of DNS servers. It’s based on a hack first conceived by Dan Kaminsky, which allows you to set a single bit of data by caching a wildcard zone on a cache server:

In each DNS query, 7 bits are reserved for a number of flags, one of which is the Recursion Desired (RD) flag. If set to 0, the queried DNS server will not attempt to recurse — it will only provide answers from its cache.

Combine this with a wildcard zone and it’s possible to signal bits (RD on), and read them (RD off). To set a bit to 1 the sender issues a query with the RD bit on. The wildcard zone resolves all requests, including this query. The receiver then issues a query for the same hostname, with the RD bit off. If the bit is 1, the query will return a valid record. If the bit is 0, no record will be returned.

To send the message, the sender and receiver agree on a DNS server and a big list of secret words. A unique hostname is generated for each word in the list, each of which is used to set one bit of data in a remote DNS server. The receiver can come along at a later date and extract the message from the dead drop by querying those same names. It’s a pretty inefficient way to transfer data, but who ever said secret spy messages needed to be efficient?

You can download Landon’s program from his site. If you want to play with it, I’d recommend either just testing it with a short message or two, or using your own server. As you can imagine, it’s a bit of a resource hog, since it requires a full lookup just to communicate a single bit.

The DNS Dead Drop
Attacking Distributed Systems: The DNS Case Study (PDF)