WhiteDNS

WhiteDNS is something I've been working on for a few days now. It's basically a small DNS server that only serves domains it knows/has listed. A whitelisting DNS server, hence WhiteDNS.

Link to the Github repo is here.

Instead of explaining everything it can do, I'll just provide examples of queries to this DNS server. The main documentation is in the python script itself and there is a bit on the Github.

If I query "test" using nslookup..

[ SERVER SIDE ]

# test isn't in ROUTES therefore only responds with a preset IP

if query not in ROUTES then
	return 127.0.0.1
[ CLIENT SIDE ]

QUERY:
nslookup test 127.0.0.1 # Assuming server is hosted on local PC

OUTPUT:
Non-authoritative answer:
Server: test
Addresses: 127.0.0.1

If I give "test" a corresponding IP then query "test" using nslookup..

[ SERVER SIDE ]

# test is in ROUTES therefore responds with corresponding IP

test. -> 192.168.1.10

if query not in ROUTES then
	return 127.0.0.1

if query is in ROUTES then
	return query's set IP (192.168.1.10)
[ CLIENT SIDE ]

QUERY:
nslookup test 127.0.0.1 # Assuming server is hosted on local PC

OUTPUT:
Non-authoritative answer:
Server: test
Addresses: 192.168.1.10

What if the querier is under a company domain or some other domain? Won't it come up with this super long domain name that the server can't recognise? Well, yes, you are correct. However, you are also not..
Example: If I query "test" and my PC is under the domain "company.local" this is what happens:

[ SERVER SIDE ]

# test is in ROUTES therefore responds with corresponding IP

test -> 192.168.1.10 # notice how I removed the '.' here as well

string = first label of query (test.company.local. -> test)

if string not in ROUTES then
	return 127.0.0.1

if string is in ROUTES then
	return query's set IP (192.168.1.10)
[ CLIENT SIDE ]

QUERY:
nslookup test 127.0.0.1 # Assuming server is hosted on local PC

OUTPUT:
Non-authoritative answer:
Server: test.company.local
Addresses: 192.168.1.10
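The first-label matching described above, as an added example that is not WhiteDNS's own code: a constructed ROUTES table, a parser for the question section of a DNS query packet, and a builder for the generic A-record answer (unknown names fall back to 127.0.0.1, and "test.company.local" matches the "test" entry). build_query is a hypothetical helper that only exists to construct test packets; the packet layout follows RFC 1035.

```python
import socket
import struct

# Constructed whitelist, mirroring the post's examples: keys are bare first labels.
ROUTES = {"test": "192.168.1.10"}
DEFAULT_IP = "127.0.0.1"  # preset answer for anything not in ROUTES

def parse_qname(packet, offset=12):
    """Return (labels, offset_after_name) for the QNAME that starts at `offset`.
    Queries carry QNAME uncompressed, so only length-prefixed labels are handled."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return labels, offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def resolve(labels):
    """Whitelist lookup on the first label only, so a client that appends its
    search domain (test.company.local) still hits the 'test' route."""
    if not labels:
        return DEFAULT_IP
    return ROUTES.get(labels[0].lower(), DEFAULT_IP)

def build_response(query):
    """Build a minimal response with one A record for the single question in `query`.
    Returns (response_bytes, answered_ip). Like the post's server, it always answers
    with an A record regardless of the requested QTYPE."""
    labels, end = parse_qname(query)
    ip = resolve(labels)
    txid = struct.unpack("!H", query[:2])[0]
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0; QD=1, AN=1, NS=0, AR=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:end + 4]  # echo QNAME + QTYPE + QCLASS unchanged
    # answer: pointer to QNAME at offset 12 (0xC00C), type A, class IN, TTL 60, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer, ip

def build_query(name, txid=0x1234):
    """Hypothetical helper: construct a standard A/IN query packet for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)
```

A real server would wrap build_response in a UDP socket loop on port 53; this block stops at the packet logic so the matching behaviour can be checked offline.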


This server can potentially be made into a payload and served on the Bunny for all your DNS pentesting needs. That was my end goal and now that I've done the hard part I figured I would release this as a python server and let others create payloads on it. Because it is a whitelisting server you can set the primary DNS server on a PC to the Bunny (which is hosting the server) and block any phone-homes made by the PC allowing you to basically ignore the rest of the network's hostnames. Or you could collect them all or change them all to go through the Bunny instead..or reset all the hostnames to go to a specific IP (does that already, really..). Possibilities are as far as a DNS server goes! :P

I hope this helps someone achieve their DNS pentesting dreams or even helps you understand how a DNS server works. Keep in mind though, this is a very simple DNS server and only responds with generic answers. It can't handle ridiculously complex DNS queries - not that many internal queries require that.
