Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
03-05-2014, 02:23 PM
#1
Senior Member
Registered: Jul 2009
Posts: 1,303
Bash script that acts as a DNS proxy, except it queries several DNS servers
If every DNS request is sent not to one DNS server but to 2 or 3 such servers, then the results can be compared, and if they disagree you get an alert for suspicion of DNS poisoning, interception, etc.
Can this be done with a bash script without any messing with C/C++ sources?
What's the bash command to listen to a port for DNS requests?
Last edited by Ulysses_; 03-05-2014 at 02:25 PM.
03-05-2014, 02:24 PM
#2
Senior Member
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278
03-05-2014, 03:37 PM
#3
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
That's for a tool, as in, a binary executable. Here I am asking about a listening command to use in a bash script so the script acts as a daemon.
Last edited by Ulysses_; 03-05-2014 at 03:53 PM.
03-05-2014, 04:06 PM
#4
Senior Member
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278
You can have netcat listen on port 53 for udp data.
You *might* be able to pull something together to do what you are asking with dnsmasq and its cache-list. But as far as a "DNS proxy" sort of thing that goes out to other DNS servers, compares the results, then reports back the consensus... that doesn't exist AFAIK.
Here's some great starter info on Netcat: http://anil.org.in/2009/05/26/netcat...ss-army-knife/
And some on dnsmasq: http://my.safaribooksonline.com/book...asqs_dns_cache
Last edited by szboardstretcher; 03-06-2014 at 12:38 PM.
03-05-2014, 05:32 PM
#5
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
Command nc looks promising, at least the text of the domain can be recovered:
Code:
sudo nc -ul 53 | od -c -t u1 -w32
0000000 337 344 001 \0 \0 001 \0 \0 \0 \0 \0 001 \t m i c r o s o f t 003 c o m \0 \0 001 \0 001 \0
223 228 1 0 0 1 0 0 0 0 0 1 9 109 105 99 114 111 115 111 102 116 3 99 111 109 0 0 1 0 1 0
The above output appeared when typing "dig microsoft.com" in another shell (after setting 127.0.0.1 as the DNS server of the connection).
The IP returned by "dig microsoft.com" was 64.4.11.37. How can I see this IP before deciding whether to allow it? Another instance of nc?
Last edited by Ulysses_; 03-05-2014 at 05:51 PM.
03-05-2014, 05:56 PM
#6
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
Maybe a script could run 3 dig commands in parallel like this:
Code:
dig microsoft.com @4.2.2.4
dig microsoft.com @<another dns server>
dig microsoft.com @<another dns server>
and parse the output with sed to isolate the IPs. But if there is consensus, how can the IP be returned to the process that did the DNS lookup? Simply allow the original query and response to complete, otherwise block it with an iptables rule?
Last edited by Ulysses_; 03-05-2014 at 05:57 PM.
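One way to do the "run several digs and compare" step from the post above, as an added example that is not code from the thread: query_all runs one dig per resolver in parallel and collects each resolver's sorted A-record set, and check_consensus reports whether the sets agree and names any resolver that differs from the majority. Two things to note: dig needs the server written as `@4.2.2.4` (without the `@`, dig treats the second word as another name to look up), and the resolver and answer addresses in the sample lines are constructed test data from the documentation ranges, not real lookups. The resolver list in the usage comment only reuses addresses mentioned elsewhere in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): ask several resolvers for the same
# name with dig and report whether their A-record sets agree.

# query_all NAME SERVER...: one dig per server, run in parallel. Prints one
# line per server: "<server> <sorted,comma,separated A records>" or "<server> NONE".
query_all() {
    _name=$1; shift
    _tmp=$(mktemp -d) || return 1
    for _s in "$@"; do
        (
            # +short: answer data only; +time/+tries: bound how long a dead resolver holds us up
            _ans=$(dig +short +time=2 +tries=1 A "$_name" "@$_s" 2>/dev/null \
                | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort \
                | awk '{ s = s (length(s) ? "," : "") $0 } END { print (length(s) ? s : "NONE") }')
            printf '%s %s\n' "$_s" "$_ans" > "$_tmp/$_s"
        ) &
    done
    wait
    cat "$_tmp"/*
    rm -rf "$_tmp"
}

# check_consensus "LINES": LINES is query_all output. Returns 0 and prints
# "CONSENSUS <set>" when every resolver returned the same set; otherwise prints
# one DISAGREE line per resolver that differs from the majority and returns 1.
check_consensus() {
    _lines=$1
    _distinct=$(printf '%s\n' "$_lines" | awk '{ print $2 }' | sort -u | grep -c .)
    if [ "$_distinct" -eq 1 ]; then
        printf 'CONSENSUS %s\n' "$(printf '%s\n' "$_lines" | awk 'NR == 1 { print $2 }')"
        return 0
    fi
    _majority=$(printf '%s\n' "$_lines" | awk '{ print $2 }' | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }')
    printf '%s\n' "$_lines" | awk -v m="$_majority" \
        '$2 != m { print "DISAGREE " $1 " returned " $2 " (majority: " m ")" }'
    return 1
}

# Constructed sample results (not real lookups): two resolvers agree, one does not.
SAMPLE_AGREE='198.51.100.1 192.0.2.10,192.0.2.11
198.51.100.2 192.0.2.10,192.0.2.11'
SAMPLE_SPLIT="$SAMPLE_AGREE
198.51.100.3 203.0.113.99"

# Live use (needs network): ./dns-consensus.sh microsoft.com 8.8.8.8 4.2.2.2 4.2.2.4
if [ "$#" -ge 2 ]; then
    _result=$(query_all "$@")
    printf '%s\n' "$_result"
    check_consensus "$_result"
else
    check_consensus "$SAMPLE_AGREE"
    check_consensus "$SAMPLE_SPLIT" || :
fi
```

A disagreement is a reason to look closer, not proof of tampering: names served from a CDN or with round-robin records routinely return different addresses to different resolvers, so comparing sets of addresses (and, for such names, the set of networks they fall in) gives fewer false alarms than comparing single answers.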
03-05-2014, 06:29 PM
#7
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
This guy shows how to do a tcp proxy using nc, and see what's going through after a little filtering with sed:
http://tweakers.net/ext/f/DjjpwPMs1M...J0pnS/full.png
The question is then, once we have decided whether there is consensus, how do we cut the nc fifo to exclude responses that are not acceptable?
Last edited by Ulysses_; 03-05-2014 at 06:31 PM.
03-06-2014, 09:04 AM
#8
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Quote:
Originally Posted by Ulysses_
Maybe a script could run 3 dig commands in parallel like this:
dig microsoft.com @4.2.2.4
dig microsoft.com @<another dns server>
dig microsoft.com @<another dns server>
and parse the output with sed to isolate the IPs. But if there is consensus, how can the IP be returned to the process that did the DNS lookup? Simply allow the original query and response to complete, otherwise block it with an iptables rule?
something like:
Code:
host -t ns example.com | while read dom ns server; do dig +short $dom; done
may help?
03-06-2014, 12:34 PM
#9
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
Don't know what this does. We want to compare results from an arbitrary list of DNS servers, after intercepting a normal DNS query.
Trying the following but this only shows the SENT data that contains the domain name, the RCVD data does not show up. How do you force the DNS query to go through this piping arrangement?
File dns-proxy.sh:
Code:
#!/bin/bash
# usage: dns-proxy.sh LISTEN_PORT UPSTREAM_IP UPSTREAM_PORT
DIR=$(mktemp -d) || exit 1
BACK="$DIR/back"; SENT="$DIR/sent"; RCVD="$DIR/rcvd"
trap 'rm -rf "$DIR"' EXIT
# create fifo's
mkfifo -m 0600 "$BACK" "$SENT" "$RCVD"
# Keep parsing SENT fifo to get domain name ("blah blah" is a placeholder sed pattern)
od -c -w100 <"$SENT" | sed "s/blah blah//g" &
# Keep parsing RCVD fifo to get IP
od -t u1 -w100 <"$RCVD" | sed "s/blah blah//g" &
# Keep listening and piping: client -> SENT copy -> upstream -> RCVD copy -> back to client
nc -ul "$1" <"$BACK" | tee "$SENT" | nc -u "$2" "$3" | tee "$RCVD" >"$BACK"
Why doesn't a DNS query from Firefox go through all of these pipes if you set the connection's DNS server to 127.0.0.1, type the following and enter a URL in Firefox?
Code:
sudo ./dns-proxy.sh 53 4.2.2.4 53
(4.2.2.4 is Google's free DNS server)
Last edited by Ulysses_; 03-06-2014 at 01:07 PM.
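The two parsing steps the script above leaves as `sed "s/blah blah//g"` placeholders, and the question in post #5 about seeing the returned IP, as an added example that is not code from the thread: it decodes the DNS wire format from the decimal byte list that `od -An -t u1 -v` prints, pulling the queried name and type out of a query and the IPv4 answers out of a response. The query bytes are exactly the ones od showed in post #5; the response bytes are constructed by hand for the same question (two A records in the documentation range 192.0.2.0/24, owner names written as compression pointers, as real resolvers emit them). The function and variable names are this example's own. One caveat for the live pipeline in the script: od and sed block-buffer their output when writing to a pipe, so lines may not appear until enough data has accumulated; `stdbuf -oL od` and `sed -u` avoid that on GNU systems.

```shell
#!/bin/sh
# Added example (not code from the thread): pull the queried name out of a
# captured DNS query and the IPv4 answers out of a captured DNS response.
# Input is the decimal byte list that `od -An -t u1 -v` prints, e.g.
#   MSG=$(od -An -t u1 -v query.bin | tr -s ' \n' ' ')

# Query bytes as shown by od in post #5 (header, question, first byte of the
# trailing EDNS OPT record; the rest was cut off by -w32).
SAMPLE_QUERY='223 228 1 0 0 1 0 0 0 0 0 1 9 109 105 99 114 111 115 111 102 116 3 99 111 109 0 0 1 0 1 0'

# Response bytes constructed by hand for the same question: flags 0x8180,
# ANCOUNT 2, owner names as compression pointers to offset 12 (0xC0 0x0C),
# two A records with TTL 300 pointing at documentation addresses.
SAMPLE_RESPONSE='223 228 129 128 0 1 0 2 0 0 0 0
9 109 105 99 114 111 115 111 102 116 3 99 111 109 0 0 1 0 1
192 12 0 1 0 1 0 0 1 44 0 4 192 0 2 10
192 12 0 1 0 1 0 0 1 44 0 4 192 0 2 11'

# byte_at OFFSET: print byte OFFSET (0-based) of $MSG; fails past the end.
byte_at() {
    _off=$1
    set -- $MSG
    [ "$_off" -lt "$#" ] || return 1
    shift "$_off"
    printf '%s' "$1"
}

# read_name OFFSET: decode the label sequence starting at OFFSET into $NAME
# and leave the offset of the byte after the name in $POS. Follows
# compression pointers (top two bits set) but bounds the number of hops.
read_name() {
    _o=$1; NAME=''; POS=''; _hops=0
    while :; do
        _len=$(byte_at "$_o") || return 1
        if [ "$_len" -ge 192 ]; then
            [ -n "$POS" ] || POS=$((_o + 2))      # pointer is 2 bytes; name ends here
            _lo=$(byte_at $((_o + 1))) || return 1
            _o=$(( (_len - 192) * 256 + _lo ))    # 14-bit target offset
            _hops=$((_hops + 1))
            [ "$_hops" -le 8 ] || return 1        # refuse pointer loops
            continue
        fi
        _o=$((_o + 1))
        [ "$_len" -gt 0 ] || break                # zero length = root, end of name
        _label=''; _k=0
        while [ "$_k" -lt "$_len" ]; do
            _b=$(byte_at "$_o") || return 1
            _label="$_label$(printf "$(printf '\\%03o' "$_b")")"   # decimal byte -> char
            _o=$((_o + 1)); _k=$((_k + 1))
        done
        NAME="${NAME:+$NAME.}$_label"
    done
    [ -n "$POS" ] || POS=$_o
    [ -n "$NAME" ] || NAME='.'
    return 0
}

# dns_question "BYTES": print "<qname> <qtype>" for the first question.
dns_question() {
    MSG=$1
    read_name 12 || return 1                      # question starts right after the 12-byte header
    _t1=$(byte_at "$POS") || return 1
    _t2=$(byte_at $((POS + 1))) || return 1
    printf '%s %s\n' "$NAME" "$((_t1 * 256 + _t2))"
}

# dns_a_records "BYTES": print the IPv4 address of every A record in the
# answer section, one per line; other record types are skipped.
dns_a_records() {
    MSG=$1
    _qd=$(( $(byte_at 4) * 256 + $(byte_at 5) ))   # QDCOUNT
    _an=$(( $(byte_at 6) * 256 + $(byte_at 7) ))   # ANCOUNT
    _p=12; _i=0
    while [ "$_i" -lt "$_qd" ]; do                 # skip questions: name + type + class
        read_name "$_p" || return 1
        _p=$((POS + 4)); _i=$((_i + 1))
    done
    _i=0
    while [ "$_i" -lt "$_an" ]; do
        read_name "$_p" || return 1
        _p=$POS
        _type=$(( $(byte_at "$_p") * 256 + $(byte_at $((_p + 1))) ))
        _rdlen=$(( $(byte_at $((_p + 8))) * 256 + $(byte_at $((_p + 9))) ))
        _p=$((_p + 10))                            # past type(2) class(2) ttl(4) rdlength(2)
        if [ "$_type" -eq 1 ] && [ "$_rdlen" -eq 4 ]; then
            printf '%s.%s.%s.%s\n' "$(byte_at "$_p")" "$(byte_at $((_p + 1)))" \
                "$(byte_at $((_p + 2)))" "$(byte_at $((_p + 3)))"
        fi
        _p=$((_p + _rdlen)); _i=$((_i + 1))
    done
}

printf 'query asks for: %s\n' "$(dns_question "$SAMPLE_QUERY")"
printf 'A records in response:\n'
dns_a_records "$SAMPLE_RESPONSE"
```

Feeding it from the fifos in the script is a matter of collecting one datagram's bytes (for UDP, one message per read) and passing the od output to these functions; the header's ID field (the first two bytes, 223 228 in both samples) is what lets a response be matched back to the query it answers.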
03-06-2014, 01:13 PM
#10
Senior Member
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278
I see where you are going with this, and it's certainly approaching a solution to your problem.
But using 12+ different programs for each DNS request is going to get really, really expensive, processor-wise. And also, it will quadruple your DNS traffic. Keep that in mind if you are thinking of deploying such a thing to your user environment. My Windows servers handle 60 million+ requests in a given day.
Also, 8.8.8.8 is Google's DNS server. You'll find that 4.2.2.2-4.2.2.8 are actually Level3's servers.
03-06-2014, 01:24 PM
#11
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
It's only for a single user, using the browser. Can't be too expensive CPU-wise.
03-06-2014, 01:31 PM
#12
Senior Member
Registered: Jul 2009
Posts: 1,303
Original Poster
Maybe the system has another DNS server and using that after my 127.0.0.1 DNS server takes too long?
What is the meaning of this stuff in /etc/resolv.conf?
Code:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
This is not localhost, what is this?
Last edited by Ulysses_; 03-06-2014 at 05:33 PM.