Bash script that acts as a DNS proxy, except it queries several DNS servers

Ulysses_ · 03-05-2014, 01:23 PM

If every DNS request is not sent to one DNS server but 2 or 3 such servers, then the results can be compared and if they disagree, you get an alert for suspicion of DNS poisoning or interception etc.

Can this be done with a bash script without any messing with C/C++ sources?

What's the bash command to listen to a port for DNS requests?

szboardstretcher · 03-05-2014, 01:24 PM

http://www.linuxquestions.org/questi...ervers-770338/

Ulysses_ · 03-05-2014, 02:37 PM

That's for a tool, as in, a binary executable. Here I am asking about a listening command to use in a bash script so the script acts as a daemon.

szboardstretcher · 03-05-2014, 03:06 PM

You can have netcat listen on port 53 for udp data.

Code:

nc -ul 53

You *might* be able to pull something together to do what you are asking with dnsmasq and its cache-list. But as far as a "DNS proxy" sort of thing that goes out to other DNS servers, compares the results, then reports back the consensus,.. that doesn't exist AFAIK.

Heres some great starter info on Netcat: http://anil.org.in/2009/05/26/netcat...ss-army-knife/
And some on dsnmasq: http://my.safaribooksonline.com/book...asqs_dns_cache

Ulysses_ · 03-05-2014, 04:32 PM

Command nc looks promising, at least the text of the domain can be recovered:

sudo nc -ul 53 | od -c -t u1 -w32
0000000 337 344 001 \0 \0 001 \0 \0 \0 \0 \0 001 \t m i c r o s o f t 003 c o m \0 \0 001 \0 001 \0
223 228 1 0 0 1 0 0 0 0 0 1 9 109 105 99 114 111 115 111 102 116 3 99 111 109 0 0 1 0 1 0

The above output appeared when typing "dig microsoft.com" in another shell (after setting 127.0.0.1 as the DNS server of the connection).

The IP returned by "dig microsoft.com" was 64.4.11.37. How can I see this IP before deciding whether to allow it? Another instance of nc?

Ulysses_ · 03-05-2014, 04:56 PM

Maybe a script could run 3 dig commands in parallel like this:

dig microsoft.com 4.2.2.4
dig microsoft.com <another dns server>
dig microsoft.com <another dns server>

and parse the output with sed to isolate the IP's. But if there is concensus, how can the IP be returned to the process that did the dns lookup? Simply allow the original query and response to complete, otherwise block it with an iptables rule?

Ulysses_ · 03-05-2014, 05:29 PM

This guy shows how to do a tcp proxy using nc, and see what's going through after a little filtering with sed:

http://tweakers.net/ext/f/DjjpwPMs1M...J0pnS/full.png

The question is then, once we have decided whether there is consensus, how do we cut the nc fifo to exclude responses that are not acceptable?

Habitual · 03-06-2014, 08:04 AM

Quote:

Originally Posted by Ulysses_

Maybe a script could run 3 dig commands in parallel like this:

dig microsoft.com 4.2.2.4
dig microsoft.com <another dns server>
dig microsoft.com <another dns server>

and parse the output with sed to isolate the IP's. But if there is concensus, how can the IP be returned to the process that did the dns lookup? Simply allow the original query and response to complete, otherwise block it with an iptables rule?

something like:

Code:

host -t ns example.com | while read dom ns server; do dig +short $dom; done

may help?

Ulysses_ · 03-06-2014, 11:34 AM

Don't know what this does. We want to compare results from an arbitrary list of DNS servers, after intercepting a normal DNS query.

Trying the following but this only shows the SENT data that contains the domain name, the RCVD data does not show up. How do you force the DNS query to go through this piping arrangement?

File dns-proxy.sh:

Code:

# create fifo's
mkfifo -m 0600 "$BACK" "$SENT" "$RCVD"

# Keep parsing SENT fifo to get domain name
od -c -w100 <"$SENT" | sed "s/blah blah//g" &

# Keep parsing RCVD fifo to get IP
od -t u1 -w100 <"$RCVD" | sed "s/blah blah//g" &

# Keep listening and piping
nc -ul "$1" <"$BACK" | tee "$SENT" | nc -u "$2" "$3" | tee "$RCVD" >"$BACK"

Why doesn't a DNS query from firefox go through all of these pipes if you set the connection DNS server to 127.0.0.1, type the following and enter a url in firefox?

sudo ./dns-proxy.sh 53 4.2.2.4 53

(4.2.2.4 is google's free DNS server)

szboardstretcher · 03-06-2014, 12:13 PM

I see where you are going with this, and its certainly approaching a solution to your problem.

But, using 12+ different programs, for each DNS request, is going to get really, really expensive, processor-wise. And also, it will quadruple your DNS traffic. Keep that in mind, if you are thinking of deploying such a thing to your user-environment. My windows servers handle 60 million+ requests in a given day.

Also. 8.8.8.8 is google's dns server. Youll find that 4.2.2.2-4.2.2.8 is actually level3's servers.

Ulysses_ · 03-06-2014, 12:24 PM

It's only for a single user, using the browser. Can't be too expensive cpu-wise.

Ulysses_ · 03-06-2014, 12:31 PM

Maybe the system has another DNS server and using that after my 127.0.0.1 DNS server takes too long?

What is the meaning of this stuff in /etc/resolv.conf?

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1

This is not localhost, what is this?