LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-05-2014, 01:23 PM   #1
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,081

Rep: Reputation: 45
Bash script that acts as a DNS proxy, except it queries several DNS servers


If every DNS request is not sent to one DNS server but 2 or 3 such servers, then the results can be compared and if they disagree, you get an alert for suspicion of DNS poisoning or interception etc.

Can this be done with a bash script without any messing with C/C++ sources?

What's the bash command to listen to a port for DNS requests?

Last edited by Ulysses_; 03-05-2014 at 01:25 PM.
 
Old 03-05-2014, 01:24 PM   #2
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,211

Rep: Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612
http://www.linuxquestions.org/questi...ervers-770338/
 
Old 03-05-2014, 02:37 PM   #3
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,081

Original Poster
Rep: Reputation: 45
That's for a tool, as in, a binary executable. Here I am asking about a listening command to use in a bash script so the script acts as a daemon.

Last edited by Ulysses_; 03-05-2014 at 02:53 PM.
 
Old 03-05-2014, 03:06 PM   #4
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,211

Rep: Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612
You can have netcat listen on port 53 for udp data.

Code:
nc -ul 53
You *might* be able to pull something together to do what you are asking with dnsmasq and its cache-list. But as far as a "DNS proxy" sort of thing that goes out to other DNS servers, compares the results, then reports back the consensus,.. that doesn't exist AFAIK.

Heres some great starter info on Netcat: http://anil.org.in/2009/05/26/netcat...ss-army-knife/
And some on dsnmasq: http://my.safaribooksonline.com/book...asqs_dns_cache

Last edited by szboardstretcher; 03-06-2014 at 11:38 AM.
 
Old 03-05-2014, 04:32 PM   #5
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,081

Original Poster
Rep: Reputation: 45
Command nc looks promising, at least the text of the domain can be recovered:

sudo nc -ul 53 | od -c -t u1 -w32
0000000 337 344 001 \0 \0 001 \0 \0 \0 \0 \0 001 \t m i c r o s o f t 003 c o m \0 \0 001 \0 001 \0
223 228 1 0 0 1 0 0 0 0 0 1 9 109 105 99 114 111 115 111 102 116 3 99 111 109 0 0 1 0 1 0


The above output appeared when typing "dig microsoft.com" in another shell (after setting 127.0.0.1 as the DNS server of the connection).

The IP returned by "dig microsoft.com" was 64.4.11.37. How can I see this IP before deciding whether to allow it? Another instance of nc?

Last edited by Ulysses_; 03-05-2014 at 04:51 PM.
 
Old 03-05-2014, 04:56 PM   #6
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,081

Original Poster
Rep: Reputation: 45
Maybe a script could run 3 dig commands in parallel like this:

dig microsoft.com 4.2.2.4
dig microsoft.com <another dns server>
dig microsoft.com <another dns server>

and parse the output with sed to isolate the IP's. But if there is concensus, how can the IP be returned to the process that did the dns lookup? Simply allow the original query and response to complete, otherwise block it with an iptables rule?

Last edited by Ulysses_; 03-05-2014 at 04:57 PM.
 
Old 03-05-2014, 05:29 PM   #7
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,081

Original Poster
Rep: Reputation: 45
This guy shows how to do a tcp proxy using nc, and see what's going through after a little filtering with sed:

http://tweakers.net/ext/f/DjjpwPMs1M...J0pnS/full.png

The question is then, once we have decided whether there is consensus, how do we cut the nc fifo to exclude responses that are not acceptable?

Last edited by Ulysses_; 03-05-2014 at 05:31 PM.
 
Old 03-06-2014, 08:04 AM   #8
Habitual
LQ 5k Club
 
Registered: Jan 2011
Location: Nowhere near you, thank God.
Distribution: OSX Sierra
Posts: 8,570
Blog Entries: 14

Rep: Reputation: Disabled
Quote:
Originally Posted by Ulysses_ View Post
Maybe a script could run 3 dig commands in parallel like this:

dig microsoft.com 4.2.2.4
dig microsoft.com <another dns server>
dig microsoft.com <another dns server>

and parse the output with sed to isolate the IP's. But if there is concensus, how can the IP be returned to the process that did the dns lookup? Simply allow the original query and response to complete, otherwise block it with an iptables rule?
something like:
Code:
host -t ns example.com | while read dom ns server; do dig +short $dom; done
may help?
 
Old 03-06-2014, 11:34 AM   #9
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,081

Original Poster
Rep: Reputation: 45
Don't know what this does. We want to compare results from an arbitrary list of DNS servers, after intercepting a normal DNS query.

Trying the following but this only shows the SENT data that contains the domain name, the RCVD data does not show up. How do you force the DNS query to go through this piping arrangement?

File dns-proxy.sh:

Code:
# create fifo's
mkfifo -m 0600 "$BACK" "$SENT" "$RCVD"

# Keep parsing SENT fifo to get domain name
od -c -w100 <"$SENT" | sed "s/blah blah//g" &

# Keep parsing RCVD fifo to get IP
od -t u1 -w100 <"$RCVD" | sed "s/blah blah//g" &

# Keep listening and piping
nc -ul "$1" <"$BACK" | tee "$SENT" | nc -u "$2" "$3" | tee "$RCVD" >"$BACK"
Why doesn't a DNS query from firefox go through all of these pipes if you set the connection DNS server to 127.0.0.1, type the following and enter a url in firefox?

sudo ./dns-proxy.sh 53 4.2.2.4 53

(4.2.2.4 is google's free DNS server)

Last edited by Ulysses_; 03-06-2014 at 12:07 PM.
 
Old 03-06-2014, 12:13 PM   #10
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,211

Rep: Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612Reputation: 1612
I see where you are going with this, and its certainly approaching a solution to your problem.

But, using 12+ different programs, for each DNS request, is going to get really, really expensive, processor-wise. And also, it will quadruple your DNS traffic. Keep that in mind, if you are thinking of deploying such a thing to your user-environment. My windows servers handle 60 million+ requests in a given day.

Also. 8.8.8.8 is google's dns server. Youll find that 4.2.2.2-4.2.2.8 is actually level3's servers.
 
Old 03-06-2014, 12:24 PM   #11
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,081

Original Poster
Rep: Reputation: 45
It's only for a single user, using the browser. Can't be too expensive cpu-wise.
 
Old 03-06-2014, 12:31 PM   #12
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,081

Original Poster
Rep: Reputation: 45
Maybe the system has another DNS server and using that after my 127.0.0.1 DNS server takes too long?

What is the meaning of this stuff in /etc/resolv.conf?

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1

This is not localhost, what is this?

Last edited by Ulysses_; 03-06-2014 at 04:33 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how spoof dns queries from clients and forward it to my dns server ? dr.x Linux - Server 3 10-29-2013 06:45 AM
BIND - reverse dns queries only working locally, forward dns works fine. SloS13 Linux - Networking 3 08-25-2011 12:46 PM
DNS issues, all illegitimate DNS queries resolve to me!??! fast-reflexes Linux - Networking 3 08-17-2010 06:38 AM
IPv6 DNS queries being sent on SLES servers even though disabled by configuration vm_devadas SUSE / openSUSE 0 01-26-2009 03:19 PM
How does a client resolve dns queries with transparent proxy ? amitsharma_26 Linux - Security 5 09-17-2006 11:49 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:03 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration