Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

- Do not route any DNS traffic.
  Pros: simple and best solution
  Cons: more complex target-based IP routing rules and manipulations... may not be a factor
  depending on how we inevitably manipulate, or short-circuit, routing rules.
- Map or translate all outbound DNS request dest IPs to the proxy server's nameserver.
  Pros: allows for remote manipulation of DNS resolution
  Cons: if the target is attempting to resolve an address that is only bound in the FT's default
  nameserver, then the proxy server will fail to resolve the address, e.g. hotel DNS redirection of
  the first lookup to an authentication or waiver EULA page.
  e.g. iptables -t nat -I PREROUTING 1 -p udp --destination-port 53 -j DNAT --to 4.2.2.1
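A defender-side check for the kind of port-53 DNAT rule shown above. This is an added example, not part of the leaked document: it parses iptables-save output for the nat table and flags any rule that rewrites the destination of DNS traffic to an address outside the LAN that is not on an approved-resolver list. The sample rule set is constructed; the 4.2.2.1 target mirrors the rule in the note.

```python
import re
import subprocess
from ipaddress import ip_address

# Constructed sample of `iptables-save -t nat` output from a small router.
# Line 4 is the design note's DNAT rule in iptables-save syntax; the REDIRECT
# to a local resolver and the MASQUERADE rule are included as benign noise.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 4.2.2.1
-A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 5353
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Matches an append rule that carries a protocol, a destination port and a
# DNAT target; the optional ":port" suffix on --to-destination is tolerated.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>udp|tcp) .*?--dport (?P<port>\d+) "
    r".*?-j DNAT --to-destination (?P<dest>[\d.]+)(?::\d+)?"
)


def find_dns_dnat(rules_text, trusted_resolvers=()):
    """Return (chain, proto, dest) for every nat rule that DNATs port-53
    traffic to a non-private address not in trusted_resolvers.

    Such a rule silently hands every client's name resolution to an
    external host, which is the behaviour the note above describes."""
    findings = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("port") != "53":
            continue
        dest = ip_address(m.group("dest"))
        # Forwarding DNS to a LAN resolver or an approved upstream is normal.
        if dest.is_private or str(dest) in trusted_resolvers:
            continue
        findings.append((m.group("chain"), m.group("proto"), str(dest)))
    return findings


if __name__ == "__main__":
    # Live use: read the running nat table (requires root on the router).
    live = subprocess.run(["iptables-save", "-t", "nat"],
                          capture_output=True, text=True, check=False).stdout
    for chain, proto, dest in find_dns_dnat(live or SAMPLE_NAT_RULES):
        print(f"DNS redirection: {chain} {proto}/53 -> {dest}")
```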
DHCP lease renewal
If a client is using a DHCP lease, then its requests to renew the lease should not be
proxied or routed.
I think this case would be rare, since in most use cases the FT itself would be acting as a DHCP
server and not another server on or outside the LAN.
From the OpenVPN FAQ:
“Many OpenVPN client machines connecting to the internet will periodically interact
with a DHCP server to renew their IP address leases. The redirect-gateway option
might prevent the client from reaching the local DHCP server (because DHCP messages
would be routed over the VPN), causing it to lose its IP address lease.”
A) Traffic Types to Proxy
1. All protocols, excluding the following:
   - TCP established connections
   - ICMP inbound (TTL traceroute replies)
   - Traffic from a target to an outbound private IP address (http://tools.ietf.org/html/rfc1918):
     10.0.0.0 - 10.255.255.255 (10/8 prefix)
     172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
     192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
2. Mission-configurable protocols and ports
B) Proxy/Route Transport