DNS (Domain Name System) decodes human-readable domain names into IP addresses. In vulnerability research and pentesting, analyzing DNS can reveal the following potential attack vectors that could help in identifying security flaws:-
- Subdomain enumeration
- Misconfigurations
- DNS-related vulnerabilities
Besides this, the DNS data can also provide insights into the network infrastructure, which helps map potential targets.
Oryxlabs recently launched a free DNS server written in Python 3.x for vulnerability research and pentesting, dubbed “PolarDNS.”
In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway
PolarDNS
This free DNS server, PolarDNS, enables its operators to produce fully custom DNS responses for several DNS protocol testing purposes. This free server can be used for the testing of the following things:-
- DNS resolvers (server-side)
- DNS clients
- DNS libraries
- DNS parsers and dissectors
- Any software handling DNS information
Over the DNS protocol layer, the operator of the PolarDNS gets full control as it supports the following two protocols:-
- UDP protocol
- TCP protocol
It is also capable of producing the following DNS responses:-
- Non-standard DNS responses
- Non-compliant DNS responses
- DNS responses violating the RFC standards
- Malformed DNS responses
However, this could be useful for the following purposes:-
- Functional testing
- RFC compliance
- Vulnerability research
Features & Response Modifiers
Besides this, for diverse DNS responses, the PolarDNS offers numerous built-in features and modifiers.
Combining them creates countless response variants, enabling testing of receivers’ handling of unusual, abnormal, and malformed DNS responses for technical robustness.
Here below, we have mentioned some of the DNS responses produced by PolarDNS that could contain the following things:-
- Alias (CNAME) chains and alias loops
- DNS header malformations (ID, Flags, number of sections)
- Injection of unsolicited records (cache poisoning)
- Injection of arbitrary bytes of arbitrary lengths
- Incomplete/empty/ NULL byte(s) responses
- Compression issues (loops, invalid pointers)
- Slowly transmitted chunked responses
- Illegal labels or domain name lengths
- An arbitrary number of TXT records of arbitrary size
- Packet length manipulations (TCP)
Apart from this, all these data can aid in identifying several vulnerabilities like:-
- Sloth domain attacks
- Phantom domain attacks
- Domain lock-up attacks
- Cache poisoning
- Resource exhaustion
- Crashes
- DoS
With basic Python and DNS protocol understanding, PolarDNS facilitates easy implementation of:-
- New ideas
- Test cases
- Features
- PoCs
- Specific scenarios
How to Run it?
- First of all, execute the following command:
python polardns.py
- Now the Polardns server starts listening on localhost (127.0.0.1) by default.
- Then it will use the UDP and TCP ports 53 to handle DNS queries.
- To check you have to perform the following sample queries:
- In UDP mode: dig always.yourdomain.com @127.0.0.1
- In TCP Mode: dig always.yourdomain.com @127.0.0.1 +tcp
- After that, you have to ensure that the response includes an A record with the IP address 2.3.4.5.
- Now, if the server returns the A 2.3.4.5 record, it indicates that Polardns is functioning correctly.
Installation
- First of all, you have to install Python 3.10 or newer.
- Then you have to install PyYAML:
pip3 install pyyaml
- Now, edit the configuration file polardns.yml.
- Then you have to add your domain and nameserver IP addresses.
- That’s it, now you are done.
Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.