Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/awgh/madns
DNS server for pentesters
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/awgh/madns
- Owner: awgh
- License: gpl-3.0
- Created: 2017-05-05T03:14:10.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2021-12-14T22:38:43.000Z (almost 3 years ago)
- Last Synced: 2024-02-15T09:33:26.838Z (9 months ago)
- Language: Go
- Size: 54.7 KB
- Stars: 45
- Watchers: 4
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- cybersecurity-golang-security - madns - DNS server for pentesters. (Web Application Testing)
- awesome-go-security - madns - DNS server for pentesters. (Web Application Testing)
- awesome-hacking-lists - awgh/madns - DNS server for pentesters (Go)
README
# madns: the DNS server for pentesters
## Dependencies & Requirements
- [go language](https://golang.org/)
- [go dns package](https://github.com/miekg/dns)
- A domain you own

## Installation on Linux
### Install go
```
wget https://go.dev/dl/go1.17.5.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.17.5.linux-amd64.tar.gz
```

### Add go to your environment/PATH
```
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.profile
source ~/.profile
```

### Install madns (installs to ~/go/bin/madns)
```
go install github.com/awgh/madns@latest
```

### Create madns-config based off template
```
cp ~/go/pkg/mod/github.com/awgh/madns@*/madns-config.json.example ./madns-config.json
```

## Setup madns config
Edit the madns-config.json file, according to the following instructions.
### Port
Standard DNS port, only change if you know your setup differs.

`"Port": 53`
#### Dealing with systemd-resolved
If your system is running systemd-resolved (common for Ubuntu), you will have to follow these instructions to free up port 53:
https://medium.com/@niktrix/getting-rid-of-systemd-resolved-consuming-port-53-605f0234f32f

### Handlers
This is where you define the domain/subdomain to trigger your email notification.

Each handler has a trigger portion, which describes the (sub)domains that it will handle, and **either** a Redirect command or a Respond command. You must have a Redirect or a Respond command in each handler, but not both!
Additionally, handlers can have a NotifyEmail instruction, which notifies you by email when the handler is invoked. They can also use the NotifySlack instruction, which sends the same notification to a Slack channel via webhooks.
**.** is the default DNS handler, if a query doesn't match any other handler it will use this handler.
#### Redirect handlers
Redirect commands will redirect the request to an upstream DNS server. Redirect commands require the IP address and the port, like "8.8.8.8:53".

#### Respond handlers
Respond commands will respond with a fixed response. Respond commands only need the IP address or the domain name (for a CNAME). IP addresses can be either IPv4 or IPv6, and will generate an A/AAAA record accordingly.

### Examples
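The handler rules above (exactly one of Redirect or Respond, Redirect as IP:port, Respond as an IP address or a domain name) can be checked before madns is started. The Go program below is an added example, not part of madns or its README; it assumes the handler map is supplied as its own JSON object, and `Classify`, `CheckConfig` and the sample names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Handler holds the per-domain keys shown in the README (added example, not madns code).
type Handler struct{ Redirect, Respond, NotifyEmail string }

// Constructed sample handler map; names and addresses are placeholders.
const sample = `{
  ".":              {"Redirect": "8.8.8.8:53"},
  "a.example.test": {"Respond": "2001:db8::1"},
  "b.example.test": {"Redirect": "8.8.8.8"},
  "c.example.test": {"Redirect": "8.8.8.8:53", "Respond": "192.168.1.1"}
}`

// Classify reports what a handler will do, or why it breaks the README rules.
func Classify(h Handler) string {
	switch {
	case (h.Redirect == "") == (h.Respond == ""):
		return "invalid: need exactly one of Redirect or Respond"
	case h.Redirect != "":
		if _, err := netip.ParseAddrPort(h.Redirect); err != nil {
			return "invalid: Redirect must be IP:port"
		}
		return "forward"
	}
	if ip, err := netip.ParseAddr(h.Respond); err != nil {
		return "CNAME" // not an IP, so treated as a domain name
	} else if ip.Is4() {
		return "A"
	}
	return "AAAA"
}

// CheckConfig classifies every handler; err is set on malformed JSON.
func CheckConfig(raw []byte) (map[string]string, error) {
	var hs map[string]Handler
	err := json.Unmarshal(raw, &hs) // e.g. a missing comma between keys
	out := make(map[string]string, len(hs))
	for name, h := range hs {
		out[name] = Classify(h)
	}
	return out, err
}

func main() { fmt.Println(CheckConfig([]byte(sample))) }
```

A handler reported as `invalid` or a non-nil error means the config should be fixed before the server is exposed on port 53.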
The following example is a catch-all handler that will redirect requests not handled by another handler to another DNS server, in this case 8.8.8.8:

```
".": {
    "Redirect": "8.8.8.8:53",
    "NotifyEmail": "[email protected]"
},
```

Now you'll want to create a subdomain that will trigger when a DNS lookup is performed on it, for testing double blind XXE/SQLi/etc. It can be useful to set up an email with a +filterkeyword to make it easier to tell which handler fired when you get a successful hit.
In the following example, the triggering domain will always respond with a fixed address and also notify you of the hit by email:
```
"your.triggering.domain": {
    "Respond": "192.168.1.1",
    "NotifyEmail": "[email protected]"
}
```

### SMTP Configuration (Optional)
If you want to use the NotifyEmail feature, you have to set the SMTP configuration values.
```
"SmtpUser":"[email protected]",
"SmtpPassword":"",
"SmtpServer":"smtp.gmail.com:587",
"SmtpDelay":30,
```
The SmtpDelay parameter determines how many seconds madns will batch up alerts into a single email. By default, this is set to 1 minute, so there will be a 1 minute delay before the first email is sent unless the SmtpDelay is set.

#### Gmail SMTP enable less-secure apps
So Gmail does that whole security thing and won't let madns log in and perform SMTP unless you enable less secure apps. https://www.google.com/settings/security/lesssecureapps

### Start madns
If you're listening to the default port 53 (or anything lower than 1024):

`sudo madns -c madns-config.json &`

For ports above 1024:

`madns -c madns-config.json &`
## Configure your domain
Add a subdomain record (an A record) in the DNS management section of your domain to point to the IP address that madns is running on. For example:

```
Type Name Value TTL
A 7200
NS 7200
```
Also ensure that incoming/outgoing traffic on port 53 is open and outgoing SMTP traffic is allowed on your box.

## Test madns
Get the nameserver registered for your domain:

`dig domain -t NS `

Use that nameserver to query your subdomain:

`dig @ subdomain.domain -t NS`
If all is well you should see something like
```
;; QUESTION SECTION:
; IN NS
;; AUTHORITY SECTION:
.. 259200 IN NS
;; ADDITIONAL SECTION:
3600 IN A
```

Now test with curl
`curl subdomain.subdomain.domain`
On the madns server you see notifications to stdout that it hit the Handler and sent an email such as:
`2017/09/21 11:24:37 sent email to [email protected]`
## systemd service file
You can set up madns to run as a systemd service which starts on boot.
Run the following commands to install madns in /opt and create a systemd service file for it.
```
sudo mkdir -p /opt/madns/
sudo cp ~/go/bin/madns /opt/madns/
sudo cp madns-config.json /opt/madns/
sudo nano /etc/systemd/system/madns.service
```

Put the following contents into the madns.service file and save it:
```
[Unit]
Description=madns DNS server
After=network.target

[Service]
WorkingDirectory=/opt/madns
ExecStart=/opt/madns/madns -c madns-config.json
ExecStop=/bin/kill $MAINPID
KillMode=process
Restart=on-failure
RestartSec=5s
Type=simple

[Install]
WantedBy=multi-user.target
Alias=madns.service
```

Finally, reload the systemd config files and start/enable madns:
```
sudo systemctl daemon-reload
sudo systemctl enable madns
sudo systemctl start madns
```