Dora the DNS explorer
Dora is a DNS exfiltration tool that stores all DNS requests received that follow this syntax:
<base64 data>.<line number>.<context>.<your domain>
Swiper can be used to generate extraction payloads suitable for Dora.
- Python 3.x (tested with 3.8)
- Python requirements (I recommend to use
Scapy to sniff on the specified interface on port
53 and parses all DNS requests it receives.
They can either be stored within a in-memory sqlite database, or saved to any database supported by
For Dora to receive those requests, make sure that your firewall does not block traffic to
Scapy's sniffing uses
tcpdump to read the packages so you don't need anything to actually listen on that port for Dora to work.
Therefore, you either need to start the tool with root privileges or utilize ambient capabilities as described below.
Help for the parameters can be retrieved by running
python dora.py -h
Since kernel version 4.3 capabilities can be passed to sub-processed.
For this to work, the included
ambient.c file needs to be build and then capabilities need to be set on the binary.
For more information and source see: https://stackoverflow.com/a/47982075/920010
As stated above, all DNS requests are simply saved into a database. Using the API the entries can be retrieved, duplicate lines can be filtered and data can be aggregated.
A context is a 32 character hex string representing a UUIDv4 (although the last bit is not checked).
To create a random context
use the following snippet: go to
Working the API requires some manual work for choosing the correct lines. Therefore, open tasks include:
- If all available lines contain the same data, automatically select one at random
- Create a small web interface to instrument the API
Tool for random context generation
- (Add CLI)
- Implement a metadata request to transmit line count, etc.