Dnslogger

From SkullSecurity
Revision as of 04:28, 21 February 2010 by Ron (talk | contribs)

This is an incredibly simple program, but it is also incredibly useful. Essentially, it logs every DNS request it receives to stdout and, by default, responds with 'unknown domain'. Alternatively, it can be told to respond with a static IP address (IPv4 or IPv6).

Whenever a DNS request is seen, it prints the request and responds with an NXDOMAIN (that is to say, 'domain not found'). To the program that made the request, there is no evidence that a server even exists or that the request was acknowledged. For example, let's say you're running a dnslogger server on skullseclabs.org. When somebody tries to ping that domain, it looks like this:

$ ping www.skullseclabs.org
ping: unknown host www.skullseclabs.org

More than likely, the person will assume that nothing is there and continue on. However, we see the request:

# ./dnslogger
Question 0: www.skullseclabs.org (0x0001 0x0001)
Question 0: www.skullseclabs.org (0x0001 0x0001)

There are many potential uses for dnslogger. Some that come to mind are:

  • Finding open proxies without making an actual connection through them
  • Finding open mail relays without sending an email through them
  • Finding shell injection on a Web application without outbound traffic or delays
  • Checking if a user visited a certain page

In addition to simple logging, the ability to set A or AAAA records opens many options:

  • Redirecting users if you control their DNS server
  • Investigating malware that connects to a remote host
  • Redirecting a legitimate program to your own server

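As an added illustration of the packet handling described above (example code, not the dnslogger source itself), the Python below parses a DNS query, prints each question in dnslogger's log format, and builds either the default NXDOMAIN reply or a static A/AAAA answer. The sample query is constructed inline; the transaction ID, TTL and addresses are assumed values.

```python
import socket
import struct

def encode_name(name):  # DNS wire format: length-prefixed labels, zero-terminated
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(data, offset):
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointers do not appear in a query's QNAME
            raise ValueError("compressed name in question section")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_query(packet):
    """Return (txid, questions, end_of_question_section) for a DNS query."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return txid, questions, offset

def format_question(index, question):  # same line format dnslogger prints
    name, qtype, qclass = question
    return f"Question {index}: {name} (0x{qtype:04x} 0x{qclass:04x})"

def build_response(packet, answer_ip=None, ttl=60):
    """NXDOMAIN by default; with answer_ip, an A (IPv4) or AAAA (IPv6) answer."""
    txid, questions, end = parse_query(packet)
    qsection = packet[12:end]           # echo the questions back unchanged
    if answer_ip is None:               # QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN)
        return struct.pack("!HHHHHH", txid, 0x8183, len(questions), 0, 0, 0) + qsection
    if ":" in answer_ip:
        rtype, rdata = 28, socket.inet_pton(socket.AF_INET6, answer_ip)
    else:
        rtype, rdata = 1, socket.inet_aton(answer_ip)
    header = struct.pack("!HHHHHH", txid, 0x8180, len(questions), 1, 0, 0)
    # 0xC00C is a pointer to the first QNAME at offset 12 of the message
    rr = struct.pack("!HHHIH", 0xC00C, rtype, 1, ttl, len(rdata)) + rdata
    return header + qsection + rr

# Constructed sample: what a lookup of www.skullseclabs.org sends (ID 0x1234, A/IN)
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + encode_name("www.skullseclabs.org") + struct.pack("!HH", 1, 1))
```

Binding a UDP socket on port 53 and feeding each datagram through parse_query and build_response gives the behaviour the page describes; the logged line for the sample is "Question 0: www.skullseclabs.org (0x0001 0x0001)".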
This tool assumes that the authoritative DNS record for the domain points to you. You can check whether it does either by running 'dnsxss --test <domain>' or by using the 'dnstest' program directly.