by avidiax 1536 days ago
Why limit ourselves to ping, when all of DNS is available for exploitation.

If we are willing to run an authoritative DNS server, we can simply find open DNS resolvers, then query TXT records from our own domain, with a suitably near-infinite TTL. It's free real estate^H^H^H^H^H^H^H^H^H^H^H storage.

Perhaps that's not hard enough for harder drives. We can do the same thing, except use NX records from an arbitrary domain as the storage medium. We can query e.g. a01234-somedatahere.example.com, which will produce an NX record in the resolving DNS server. We can later "read" this data by issuing the same query and seeing that the TTL is not the original NX TTL of example.com. This is a destructive read process, so we will need to immediately write whatever we read, but suitably altered to avoid a collision, e.g. a01235-somedatahere.example.com.

1 comments

Great idea, and pretty much exactly how DNS tunnels work (only there you want the TTL to avoid caching--through an explicit 0 TTL or changing names--because you want to exchange every packet only once except for retransmits).

However, I'm not sure it's fair to talk about "limiting ourselves to ping", as I'd argue that there are vastly more generic hosts replying to ICMP echo than there are open DNS resolvers (which I know includes all openly available nameservers). I believe the video also has shown that the number of pingable hosts pretty much approaches the number of hosts with an external IPv4 in the first place, at least the map he's shown looked lighter than dark to me.
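Both storage tricks in the thread (TXT records under your own domain with a huge TTL, and NXDOMAIN entries under an ever-changing name) leave a footprint on the resolver side: a burst of high-entropy, never-repeating names under one parent zone, a high NXDOMAIN ratio, or an unusual share of TXT queries. The detector below is an added example written for this page, not code from either commenter; the log format is constructed (`client qname qtype rcode`), the sample lines are made up, the zone is approximated by the last two labels, and the thresholds are assumptions a defender would tune against their own baseline.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "client qname qtype rcode".
# The example.com lines mimic the changing-name NXDOMAIN trick, the example.test
# lines mimic TXT-record storage, example.net is a benign CDN for contrast.
SAMPLE_LOG = """\
10.0.0.5 www.example.org A NOERROR
10.0.0.5 mail.example.org MX NOERROR
10.0.0.7 a01234-7f3e9c2b1d.example.com A NXDOMAIN
10.0.0.7 a01235-7f3e9c2b1d.example.com A NXDOMAIN
10.0.0.7 a01236-0c4d8e1fa2.example.com A NXDOMAIN
10.0.0.7 a01237-5b6a7c8d9e.example.com A NXDOMAIN
10.0.0.7 a01238-9e8d7c6b5a.example.com A NXDOMAIN
10.0.0.7 a01239-1a2b3c4d5e.example.com A NXDOMAIN
10.0.0.8 c00.example.test TXT NOERROR
10.0.0.8 c01.example.test TXT NOERROR
10.0.0.8 c02.example.test TXT NOERROR
10.0.0.8 c03.example.test TXT NOERROR
10.0.0.8 c04.example.test TXT NOERROR
10.0.0.9 cdn1.example.net A NOERROR
10.0.0.9 cdn2.example.net A NOERROR
10.0.0.9 cdn3.example.net A NOERROR
10.0.0.9 cdn4.example.net A NOERROR
10.0.0.9 cdn5.example.net A NOERROR
10.0.0.9 cdn6.example.net A NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    # Assumption/simplification: the last two labels are the zone. A real
    # deployment would consult the public suffix list (e.g. example.co.uk).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the constructed log format into (client, qname, qtype, rcode) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        client, qname, qtype, rcode = parts
        records.append((client, qname.lower().rstrip("."), qtype.upper(), rcode.upper()))
    return records


def analyze(records, min_unique=5, nx_ratio=0.5, entropy_bits=3.0, txt_ratio=0.8):
    """Group queries by zone and flag zones whose query pattern looks like cache storage.

    A zone is reported only when it has at least `min_unique` distinct names AND
    at least one of: mostly NXDOMAIN answers, high-entropy leftmost labels, or
    a TXT-dominated query mix. Thresholds are assumptions, tune to your baseline.
    """
    per_zone = defaultdict(lambda: {"names": set(), "total": 0, "nx": 0, "txt": 0, "ent": 0.0})
    for _client, qname, qtype, rcode in records:
        z = per_zone[parent_domain(qname)]
        z["names"].add(qname)
        z["total"] += 1
        z["nx"] += rcode == "NXDOMAIN"
        z["txt"] += qtype == "TXT"
        z["ent"] += shannon_entropy(qname.split(".")[0])  # leftmost label carries the payload

    findings = {}
    for zone, z in per_zone.items():
        uniq = len(z["names"])
        if uniq < min_unique:
            continue
        total = z["total"]
        stats = {
            "unique_names": uniq,
            "nxdomain_ratio": z["nx"] / total,
            "mean_label_entropy": z["ent"] / total,
            "txt_ratio": z["txt"] / total,
        }
        reasons = []
        if stats["nxdomain_ratio"] >= nx_ratio:
            reasons.append("nxdomain_ratio")
        if stats["mean_label_entropy"] >= entropy_bits:
            reasons.append("high_entropy")
        if stats["txt_ratio"] >= txt_ratio:
            reasons.append("txt_heavy")
        if reasons:
            findings[zone] = {**stats, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for zone, info in analyze(parse_log(SAMPLE_LOG)).items():
        print(zone, info)
```

The benign CDN zone has the same number of distinct names as the suspicious ones, which is why cardinality alone is not a signal here; it is the combination with the NXDOMAIN ratio, the entropy of the leftmost label, or the TXT share that separates storage traffic from ordinary lookups. Run against real resolver logs, the per-client view (dropped here for brevity) is usually the next thing to add, since a single source hammering one zone is more telling than the zone totals.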