nsidenumerator's Introduction

NSID enumerator: show DNS servers behind anycast IPs using NSID

NOTE: there is a Go implementation in the experimental/ subfolder

As simple as that: run DNS queries towards an anycast-enabled, NSID-enabled DNS server (e.g. the root servers) to find out what the backend servers are. The enumeration leverages ECMP (Equal-Cost MultiPath).

This tool uses NSID to get the backend server name, which is in-band in any regular DNS query. See --id-server if you want to also run a CHAOS/TXT id.server. query.
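What "in-band" means on the wire, as an added example that is not part of nsidenumerator: the query carries an empty NSID option (EDNS0 option code 3, RFC 5001) in its OPT record, and the server returns the same option filled with its identifier. The function names and the sample server name are assumptions made for illustration, and only the standard library is used rather than dnspython.

```python
import struct

OPT_RR = 41   # EDNS0 OPT pseudo-record type (RFC 6891)
NSID = 3      # EDNS0 option code for NSID (RFC 5001)

def opt_rr(nsid_payload=b""):
    """OPT record (root name, UDP size 4096 in the class field) with one NSID option."""
    option = struct.pack("!2H", NSID, len(nsid_payload)) + nsid_payload
    return b"\x00" + struct.pack("!HHIH", OPT_RR, 4096, 0, len(option)) + option

def build_message(flags, qtype=1, qclass=1, nsid_payload=b"", qid=0x4E53):
    """DNS message for qname '.' with one question and one OPT record."""
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1)
    question = b"\x00" + struct.pack("!2H", qtype, qclass)
    return header + question + opt_rr(nsid_payload)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, always 2 bytes
            return off + 2
        off += 1 + length

def parse_nsid(msg):
    """Return the NSID bytes from a DNS message, or None if absent or malformed."""
    try:
        qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # skip qtype + qclass
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off, end = off + 10, off + 10 + rdlen
            while rtype == OPT_RR and off + 4 <= end:   # walk the EDNS options
                code, length = struct.unpack_from("!2H", msg, off)
                if code == NSID and off + 4 + length <= min(end, len(msg)):
                    return msg[off + 4:off + 4 + length]
                off += 4 + length
            off = end
    except (IndexError, struct.error):
        pass
    return None

QUERY = build_message(flags=0x0000)   # empty NSID option asks the server to identify itself
RESPONSE = build_message(0x8400, nsid_payload=b"ns1.site-a.example")  # constructed sample
```

`parse_nsid` returns raw bytes because NSID content is opaque to the client, which matches the `b'...'` values the tool prints.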

Dependencies

  • Python 3
  • dnspython

Example:

Enumeration

Enumerate the backend servers behind k.root-servers.net. using 10 paths:

$ ./nsidenumerator.py k.root-servers.net -e 10
Enumerating 10 paths
Found 3 servers
b'ns1.gb-lon.k.ripe.net'
b'ns2.gb-lon.k.ripe.net'
b'ns3.gb-lon.k.ripe.net'

## Statistics
Total DNS queries      : 10
Timeouts               : 0
Percent failed queries : 0.00

## Warnings
    none

Server ID

Use -I/--id-server to also send an id.server query, i.e. qtype TXT, qclass CHAOS and qname id.server. (with the trailing dot). This option is useful if the target does not support NSID but replies to TXT/CHAOS queries. The tool will show additional information:

$ ./nsidenumerator.py -I -e 10 9.9.9.9 
Warning: using --id-server overrides qname, qclass and qtype
Enumerating 10 paths
Found 0 servers (target not supporting NSID?)
Showing id.server results:
b'res100.ams.rrdns.pch.net'
b'res200.ams.rrdns.pch.net'
b'res300.ams.rrdns.pch.net'

## Statistics
Total DNS queries      : 10
Timeouts               : 0
Percent failed queries : 0.00

## Warnings
    none

Single query

One query (hence one path and one backend server), source port 12345, verbose mode:

$ ./nsidenumerator.py k.root-servers.net -v
DNS query to k.root-servers.net(193.0.14.129). Qname: '.', qtype: A, qclass: IN, sport: 12345, dport: 53, timeout 1.0
Found 1 servers
b'ns2.gb-lon.k.ripe.net'

## Statistics
Total DNS queries      : 1
Timeouts               : 0
Percent failed queries : 0.00

## Warnings
    none

Usage

$ ./nsidenumerator.py --help
usage: nsidenumerator.py [-h] [-n QNAME] [-t QTYPE] [-c {IN,CH}] [-T TIMEOUT]
                         [-s SPORT] [-d DPORT] [-e ENUMERATE] [-I] [-v] [-q]
                         target

positional arguments:
  target                The target DNS server.

optional arguments:
  -h, --help            show this help message and exit
  -n QNAME, --qname QNAME
                        The DNS name to query for. Default: '.'
  -t QTYPE, --qtype QTYPE
                        Query type to use. Default: A
  -c {IN,CH}, --qclass {IN,CH}
                        Query class to use. Default: IN
  -T TIMEOUT, --timeout TIMEOUT
                        Timeout before the DNS request expires
  -s SPORT, --sport SPORT
                        The UDP source port to use for the query. Default:
                        12345
  -d DPORT, --dport DPORT
                        The UDP destination port to use for the query.
                        Default: 53
  -e ENUMERATE, --enumerate ENUMERATE
                        Enumerate DNS servers using the specified number of
                        paths. Default: None
  -I, --id-server       Run a CHAOS TXT id.server. query along with NSID, and
                        match the answers
  -v, --verbose         Print verbose output. Default: False
  -q, --quiet           Print the minimum necessary information. Default:
                        False

nsidenumerator's People

Contributors

insomniacslk

nsidenumerator's Issues

RIPE Atlas

You can also note this is doable with the network of RIPE Atlas probes. Thanks to the API, it is easy to automate it. For instance:

% atlas-resolve -r 10 --nsid -e k.root-servers.net -t TXT .

Nameserver k.root-servers.net
[NSID: ns1.pl-gdy.k.ripe.net] : 1 occurrences 
[NSID: ns2.nl-ams.k.ripe.net] : 1 occurrences 
[NSID: ns1.de-kae.k.ripe.net] : 1 occurrences 
[NSID: ns3.nl-ams.k.ripe.net] : 2 occurrences 
[NSID: ns2.gb-lon.k.ripe.net] : 1 occurrences 
[NSID: ns1.bg-sof.k.ripe.net] : 1 occurrences 
[NSID: ns1.fr-par.k.ripe.net] : 1 occurrences 
[NSID: ns1.nl-ams.k.ripe.net] : 1 occurrences 
Test #10099383 done at 2017-10-30T15:20:29Z

The good thing is that you can select probes per AS, per prefix or per country. Here, we ask only Brazil:

% atlas-resolve -r 10 --country BR --nsid -e k.root-servers.net -t TXT .

Nameserver k.root-servers.net
[NSID: ns2.us-mia.k.ripe.net] : 3 occurrences 
[NSID: ns3.us-mia.k.ripe.net] : 3 occurrences 
[NSID: ns2.gb-lon.k.ripe.net] : 1 occurrences 
[NSID: ns1.us-mia.k.ripe.net] : 2 occurrences 
Test #10099409 done at 2017-10-30T15:24:58Z

-4 and -6 options?

This is a fabulous utility.

Since DNS resolution is supported for target, it might be handy to have -4 and -6 options to force IPv4 or IPv6 for the target.

My output:

$ python3 nsidenumerator.py b.root-servers.net
Found 1 servers
b'b2-lax'

## Statistics
Total DNS queries      : 1
Timeouts               : 0
Percent failed queries : 0.00

## Warnings
    none

I was wondering which protocol this hit, so I ran it again, once each for the v4 and v6 addresses.

$ python3 nsidenumerator.py 199.9.14.201
Found 1 servers
b'b2-lax'

## Statistics
Total DNS queries      : 1
Timeouts               : 0
Percent failed queries : 0.00

## Warnings
    none

$ python3 nsidenumerator.py 2001:500:200::b
Found 1 servers
b'b2-mia'

## Statistics
Total DNS queries      : 1
Timeouts               : 0
Percent failed queries : 0.00

## Warnings
    none
