
Ability to turn off answers for ANY #2

Open
mubix opened this issue Jan 2, 2014 · 3 comments

Comments

mubix commented Jan 2, 2014

I'd like to be able to turn off the ANY request getting all of the answers.

iphelix (Owner) commented Jan 2, 2014

The current behavior for ANY requests is that DNSChef goes over all specified fake responses for a target domain and will only include those types in the response. For example, DNSChef executed with the following parameters:

dnschef.py --fakeip=127.0.0.1 --fakealias=www.fake.com --fakedomains=thesprawl.org

will result in the following response for type ANY:

host -t ANY thesprawl.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

thesprawl.org has address 127.0.0.1
thesprawl.org is an alias for www.fake.com.

So you could control what is returned to the client by explicitly defining response types. When using an external definition file (e.g. dnschef.ini) you could comment out fields that you do not want to be returned (or faked with individual requests) for the specific domain.

Hope this works for the challenge you are trying to solve; otherwise, could you clarify the exact scenario with the parameters/domains faked and the expected types in the ANY response?

mubix (Author) commented Jan 3, 2014

Got some malware that does an ANY to see if everything points to the same IP. I've jerry-rigged it, but it does some fast flux changing, so I don't always catch it correctly. If I could just say in the .ini [ANY] and give results it should give, that would be perfect.

iphelix (Owner) commented Jan 3, 2014

Let me know if I understood the challenge correctly and whether the proposed architectural change would address it.

You are running dnschef to filter the types of records a malware sample receives for requests of type ANY by specifying only, let's say, the A record type, so that is all it gets. However, with fast flux that --fakeip parameter keeps on changing, so that is why you just want to proxy a slightly edited ANY response instead of constantly restarting dnschef with updated IP information.

Currently DNSChef works as either a full proxy or generates a completely fake response, but has no mechanism to modify real DNS responses. Adding logic to actually parse DNS responses (and selectively modify them per rule-set) is a more general feature request that I think among other things would allow slicing up ANY requests.

P.S.
In the meantime, falling back to Scapy would probably work best, because you can literally slice away records from the answers list in the DNS response. Alternatively, you could make dnschef proxy all requests to a local IP address which in turn has a netcat proxy set up to forward to a domain name instead of IP address to hopefully save you from the insanity of following fast flux =)
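The "slice records out of the answers list" idea from the P.S. above, written out as an added example that is not DNSChef's code and not part of this thread: a standard-library-only Python filter that parses a DNS response, keeps only the answer RR types on an allow-list (the set `allowed_types` stands in for what an [ANY] section in dnschef.ini might express), and re-encodes names uncompressed so that dropped records cannot leave dangling compression pointers. The sample reply, the function names and the 127.0.0.1 / www.fake.com values are constructed for this illustration, mirroring the host output shown earlier in the thread.

```python
import struct
A, NS, CNAME, PTR, ANY = 1, 2, 5, 12, 255  # RR/QTYPE codes used below
def read_name(msg, off):
    """Decode a possibly-compressed name at off; return (dotted name, offset just past the name field)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remembering where the field ended
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels), (end or off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln
def write_name(name):
    """Encode a dotted name without compression, so the bytes stay valid wherever they are placed."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"
def parse(msg):
    """Return (header triple, re-encoded question section, answers as (name, type, class, ttl, rdata))."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, question = 12, b""
    for _ in range(qd):
        qname, off = read_name(msg, off)
        question += write_name(qname) + msg[off:off + 4]
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        # name-valued rdata (NS/CNAME/PTR) may contain pointers, so decompress it; other rdata is copied as-is
        rdata = write_name(read_name(msg, off)[0]) if rtype in (NS, CNAME, PTR) else msg[off:off + rdlen]
        answers.append((name, rtype, rclass, ttl, rdata))
        off += rdlen
    return (ident, flags, qd), question, answers

def filter_answers(msg, allowed_types):
    """Rebuild the response keeping only answer RRs whose type is allowed; authority/additional are dropped."""
    (ident, flags, qd), question, answers = parse(msg)
    kept = [write_name(n) + struct.pack("!HHIH", t, c, ttl, len(rd)) + rd
            for n, t, c, ttl, rd in answers if t in allowed_types]
    return struct.pack("!6H", ident, flags, qd, len(kept), 0, 0) + question + b"".join(kept)

def build_sample():
    """Constructed ANY reply for thesprawl.org: one A (127.0.0.1) and one CNAME (www.fake.com), owner names as pointers to offset 12."""
    question = write_name("thesprawl.org") + struct.pack("!HH", ANY, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 60, 4) + bytes([127, 0, 0, 1])
    cname_rr = b"\xc0\x0c" + struct.pack("!HHIH", CNAME, 1, 60, 14) + write_name("www.fake.com")  # 14 = encoded length
    return struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + question + a_rr + cname_rr
```

Calling `filter_answers(build_sample(), {A})` returns a reply whose ANCOUNT is 1 and whose only answer is the A record; passing `{A, CNAME}` keeps both, with the CNAME target re-encoded uncompressed.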
