
Comments (3)

iphelix commented on August 19, 2024

The current behavior for ANY requests is that DNSChef goes over all specified fake responses for a target domain and will only include those types in the response. For example, DNSChef executed with the following parameters:

dnschef.py --fakeip=127.0.0.1  --fakealias=www.fake.com --fakedomains=thesprawl.org

will result in the following response for type ANY:

host -t ANY thesprawl.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

thesprawl.org has address 127.0.0.1
thesprawl.org is an alias for www.fake.com.

So you could control what is returned to the client by explicitly defining response types. When using an external definition file (e.g. dnschef.ini) you could comment out fields that you do not want to be returned (or faked with individual requests) for the specific domain.

Hope this works for the challenge you are trying to solve, otherwise could you clarify the exact scenario with parameters/domains faked and the expected types in the ANY response.

from dnschef.

mubix commented on August 19, 2024

Got some malware that does an ANY to see if everything points to the same IP. I've jerry-rigged it, but it does some fast-flux changing, so I don't always catch it correctly. If I could just say in the .ini [ANY] and give the results it should give, that would be perfect.

from dnschef.

iphelix commented on August 19, 2024

Let me know if I understood the challenge correctly and whether the proposed architectural change would address it.

You are running dnschef to filter the types of records a malware sample receives for requests of type ANY by specifying only, let's say, the A record type, so that is all it gets. However, with fast flux that --fakeip parameter keeps on changing, so that is why you just want to proxy a slightly edited ANY response instead of constantly restarting dnschef with updated IP information.

Currently DNSChef works as either a full proxy or generates a completely fake response, but has no mechanism to modify real DNS responses. Adding logic to actually parse DNS responses (and selectively modify them per rule-set) is a more general feature request that I think among other things would allow slicing up ANY requests.

P.S.
In the meantime, falling back to Scapy would probably work best, because you can literally slice away records from the answers list in the DNS response. Alternatively, you could make dnschef proxy all requests to a local IP address which in turn has a netcat proxy set up to forward to a domain name instead of IP address to hopefully save you from the insanity of following fast flux =)

from dnschef.
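The "slice records out of a real ANY response" approach discussed above, as an added example that is not part of the issue thread and not DNSChef's or iphelix's code. It uses only the standard library instead of Scapy: it parses a wire-format DNS message, keeps only the answer RR types on an allow-list, and re-serializes with uncompressed names, which matters because a kept record's compression pointer may otherwise point into a record that was dropped. The sample response for thesprawl.org (A, CNAME and MX answers using 0xC00C pointers back to the question name) is constructed here for illustration, not a real capture; the function and constant names are this example's own.

```python
"""Filter record types out of a DNS ANY response by rebuilding the message.

Constructed example (not DNSChef code): parse a wire-format DNS response,
keep only the answer RR types on an allow-list, and re-serialize without
name compression so kept records never point into records that were dropped.
"""
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_PTR, TYPE_MX, TYPE_AAAA, TYPE_ANY = 1, 2, 5, 12, 15, 28, 255
NAME_TYPES = {TYPE_NS, TYPE_CNAME, TYPE_PTR}   # rdata is a single (possibly compressed) name


def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def read_name(msg, off):
    """Read a (possibly compressed) name at off; return (dotted name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                       # bound pointer loops from hostile input
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                  # compression pointer: follow it, remember where we left
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels), off if end is None else end


def read_rr(msg, off):
    """Parse one resource record; rdata names are decompressed so the RR is self-contained."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype in NAME_TYPES:
        rdata = encode_name(read_name(msg, off)[0])
    elif rtype == TYPE_MX:                      # preference (2 bytes) + exchange name
        rdata = msg[off:off + 2] + encode_name(read_name(msg, off + 2)[0])
    else:
        rdata = msg[off:off + rdlen]            # A, AAAA, TXT, ...: no embedded names
    return (name, rtype, rclass, ttl, rdata), off + rdlen


def parse_message(msg):
    """Split a DNS message into header fields, questions and the three RR sections."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        questions.append((qname,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            rrs.append(rr)
        sections.append(rrs)
    return {"id": ident, "flags": flags, "questions": questions,
            "answers": sections[0], "authority": sections[1], "additional": sections[2]}


def build_message(ident, flags, questions, answers, authority=(), additional=()):
    """Serialize a DNS message with uncompressed names (counts derived from the lists)."""
    out = struct.pack("!6H", ident, flags, len(questions), len(answers),
                      len(authority), len(additional))
    for qname, qtype, qclass in questions:
        out += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    for name, rtype, rclass, ttl, rdata in (*answers, *authority, *additional):
        out += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return out


def filter_answers(msg, allowed_types):
    """Return msg with only the allowed answer types kept; authority/additional are untouched."""
    m = parse_message(msg)
    kept = [rr for rr in m["answers"] if rr[1] in allowed_types]
    return build_message(m["id"], m["flags"], m["questions"], kept,
                         m["authority"], m["additional"])


# Constructed ANY response for thesprawl.org (hypothetical data, not a real capture).
# Answer owner names and the MX exchange use compression pointers back to the question
# name at offset 12 (0xC00C), as real resolvers emit them.
SAMPLE_ANY_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0)
    + encode_name("thesprawl.org") + struct.pack("!HH", TYPE_ANY, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([127, 0, 0, 1])
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, 14) + encode_name("www.fake.com")
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, 1, 300, 9) + b"\x00\x0a" + b"\x04mail\xc0\x0c"
)

if __name__ == "__main__":
    only_a = filter_answers(SAMPLE_ANY_RESPONSE, {TYPE_A})
    for name, rtype, _, _, rdata in parse_message(only_a)["answers"]:
        print(name, rtype, rdata)
```

Dropping this between a UDP socket that receives the upstream reply and the one that answers the sample gives the "proxy a slightly edited ANY response" behaviour without restarting anything when the upstream IP changes. The allow-list is applied to the answer section only; an authority or additional section that still names the dropped records would need the same treatment if the sample inspects them.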
