DNS (Domain Name System) resolves human-readable domain names into IP addresses. During vulnerability research and penetration testing, analysing DNS exposes several areas where security flaws can be found:
- Subdomain enumeration
- Misconfigurations
- DNS-related vulnerabilities
DNS data also gives insight into network infrastructure and helps map potential targets.
Oryx Lab recently released PolarDNS, a free DNS server written in Python 3 for vulnerability research and penetration testing.
PolarDNS
PolarDNS lets operators craft completely custom DNS responses for DNS protocol testing. It can be used to test:
- DNS resolver (server side)
- DNS client
- DNS library
- DNS parser and dissector
- Software that handles DNS information
PolarDNS operators gain full control over the DNS protocol layer, and the server supports both transports:
- UDP
- TCP
It can also generate the following kinds of DNS response:
- Non-standard DNS responses
- Non-compliant DNS responses
- DNS responses that violate RFC standards
- Malformed DNS responses
These are useful for:
- Functional testing
- RFC compliance testing
- Vulnerability research
Features and response modifiers
PolarDNS provides a number of built-in features and response modifiers.
Combining them yields a practically unlimited number of response variants, so you can test how robustly a recipient handles unusual, abnormal, and malformed DNS responses.
The DNS responses PolarDNS can generate include:
- Alias (CNAME) chains and alias loops
- Malformed DNS header (ID, flag, section count)
- Inserting unrequested records (cache poisoning)
- Injection of arbitrary bytes of arbitrary length
- Incomplete/empty/NULL byte responses
- Compression issues (loops, invalid pointers)
- Chunked responses sent slowly
- Invalid label or domain name length
- Any number of TXT records of any size
- Packet length manipulation (TCP)
These capabilities help you identify vulnerabilities such as:
- Sloth domain attacks
- Phantom domain attacks
- Domain lock-up attacks
- Cache poisoning
- Resource exhaustion
- Crashes
- DoS
With basic knowledge of Python and the DNS protocol, PolarDNS makes it simple to implement:
- New ideas
- Test cases
- Features
- Proofs of concept (PoCs)
- Specific scenarios
How to run it
- First, start the server:
python polardns.py
- PolarDNS now listens on localhost (127.0.0.1) by default.
- It handles DNS queries on UDP and TCP port 53.
- To check that it works, run the following sample queries.
- For UDP mode: dig always.yourdomain.com @127.0.0.1
- For TCP mode: dig always.yourdomain.com @127.0.0.1 +tcp
- Then confirm that the response contains an A record for IP address 2.3.4.5.
- If the server returns an A 2.3.4.5 record, PolarDNS is working correctly.
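The check above (query always.yourdomain.com and look for A 2.3.4.5) and the malformed-response categories listed earlier (compression loops, invalid pointers, over-long labels, truncated records) can both be exercised from one small script. The following is an added example, not PolarDNS project code: it builds the same A query, parses the reply with a name decoder that refuses compression-pointer loops and forward pointers instead of following them, and checks for the expected A record. The two wire-format replies in it are constructed by hand so the script runs offline; query_server is a hypothetical helper that sends the query to a running server.

```python
"""Added example (not PolarDNS code): build a DNS query, parse the reply
defensively, and confirm the expected A record from the article's check."""
import socket
import struct

TEST_NAME = "always.yourdomain.com"   # test name used in the article
EXPECTED_A = "2.3.4.5"                # address the article says to expect


def build_query(name, txid=0x1234):
    """Encode a standard recursive A query (QTYPE 1, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def read_name(msg, offset):
    """Decode a possibly compressed name. Pointer targets must lie strictly
    before the pointer (RFC 1035), so loops and forward jumps are rejected."""
    labels, jumps, end = [], 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                      # name ends at first pointer
            if target >= offset:
                raise ValueError("forward or self-referencing pointer")
            jumps += 1
            if jumps > 16:
                raise ValueError("too many compression jumps")
            offset = target
            continue
        if length & 0xC0:                             # 0x40/0x80 label types
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("label longer than 63 bytes")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
        if sum(len(l) + 1 for l in labels) > 255:
            raise ValueError("name longer than 255 bytes")
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return (txid, [(name, rtype, rdata)]) for the answer section."""
    if len(msg) < 12:
        raise ValueError("header too short")
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                               # skip question entries
        _, offset = read_name(msg, offset)
        offset += 4
        if offset > len(msg):
            raise ValueError("truncated question")
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        if offset + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("RDLENGTH exceeds message")
        offset += rdlen
        if rtype == 1 and rdlen == 4:                 # render A records as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return txid, answers


def has_expected_a(msg, name=TEST_NAME, address=EXPECTED_A):
    """True when the answer section carries an A record for name with address."""
    _, answers = parse_response(msg)
    return any(n == name and t == 1 and r == address for n, t, r in answers)


def query_server(name=TEST_NAME, server="127.0.0.1", port=53, timeout=3.0):
    """Hypothetical helper: send the query over UDP to a running PolarDNS."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(4096)
    return has_expected_a(data)


# Constructed sample replies (not captured from a real server).
# 1) Well-formed: question plus one A record whose name points back to offset 12.
GOOD_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + build_query(TEST_NAME)[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([2, 3, 4, 5])
)
# 2) Malformed: no question, and the answer name is a pointer to itself (offset 12).
LOOP_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 1, 0, 0)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([2, 3, 4, 5])
)


def check_loop_is_rejected(msg=LOOP_REPLY):
    """True when the parser refuses the pointer loop instead of spinning."""
    try:
        parse_response(msg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("good reply carries A 2.3.4.5:", has_expected_a(GOOD_REPLY))
    print("loop reply rejected:", check_loop_is_rejected())
```

Running the script prints the two offline checks; calling query_server() with a local PolarDNS listening on 127.0.0.1:53 performs the same A 2.3.4.5 check that the dig command does. The strictly-backwards pointer rule is what keeps the parser safe against the compression loops and invalid pointers PolarDNS can emit, and it is a simple property to verify in any DNS parser under test.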
Installation
- First, install Python 3.10 or later.
- Next, install PyYAML:
pip3 install pyyaml
- Then edit the configuration file polardns.yml.
- Add your domain and nameserver IP addresses there.
- That's it!