I want to resolve an IP address.
For that I'm creating a DNS query (of type A record). Lets say some DNS server gets this query and then send it to one of my servers to resolve it.
Now I want to know which of my servers answer this request.
To do that, I though about adding a TXT record to the response.
Is it possible to add a TXT record to a query with A record?
And is there a better way to discover which of my server answered the request?
EDIT:
As for the server IP -
I have an app, which query a DNS server (lets say it's Google's public DNS server - 8.8.8.8). When Google gets this query, it's not returning the answer, but ask one of my servers for the answer. Only then it will return the correct answer to my app. Now, if I'll check the server IP, I will get 8.8.8.8, but what I want to know is which of my server gave Google the answer.
The client knows which server replied, see this dig example:
$ dig com. #f.root-servers.net +noall +stat
; <<>> DiG 9.12.0 <<>> com. #f.root-servers.net +noall +stat
;; global options: +cmd
;; QUERY SIZE: 44
;; Query time: 140 msec
;; SERVER: 192.5.5.241#53(192.5.5.241)
;; WHEN: Tue Sep 04 12:04:30 EST 2018
;; MSG SIZE rcvd: 856
I see that the server at IP 192.5.5.241 replied to me (this one is anycasted by the way).
Now about
Is it possible to add a TXT record to a query with A record?
No, that is against the specification. The answer section should only have the answer to the query that is the A record. Resolvers are not expected to take into account anything else. You could try/think/imagine using the "Additional" section for that, but it is not fit for it, and again you would have mixed results.
But in fact I am not sure to understand the goal you are trying to reach. Do you control the DNS server? the DNS client?
If you control the DNS server you have access to its logs so you know what it was requested with and who it replied to. If you control the client you see obviously which server replied to you.
Before expanding too much on points that may be irrelevant, look also at the NSID option (RFC5011) this is used today. This is more relevant when you have anycasted nameservers or any cloud of it, as under a single IP you may reach a lot of different instances, so it is important to have something more than the IP to identify them (which shows that an IP address is more of a location than an identication token in fact).
For example if I redo above query with dig com. #f.root-servers.net +nsid +nocookie I now get:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 70 61 6f 31 61 2e 66 2e 72 6f 6f 74 2d 73 65 72 76 65 72 73 2e 6f 72 67 ("pao1a.f.root-servers.org")
I see that in that specific case it was a server identifying itself (this can be trivially spoofed of course without DNSSEC) as pao1a.f.root-servers.org.
Doing same query from another vantage point could answer instead with:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
; NSID: 41 4d 53 2e 63 66 2e 66 2e 72 6f 6f 74 2d 73 65 72 76 65 72 73 2e 6f 72 67 (A) (M) (S) (.) (c) (f) (.) (f) (.) (r) (o) (o) (t) (-) (s) (e) (r) (v) (e) (r) (s) (.) (o) (r) (g)
(decoding is different because older dig version)
Related
I am trying to configure suricata in my network. When I set one HOME_NET in /etc/suricata/suricata.yml as :
HOME_NET: "[172.20.5.0/24]"
everything works fine. But when I try to define more than one pool of addresses as:
HOME_NET: "[172.20.5.0/24,172.16.0.0/16,172.20.1.0/24]"
I cannot observe any events in /var/log/suricata/log.fast.
How to properly define a few networks in HOME_NET variable?
The problem was that I was trying to ping and Home_Net(172.20.5.12) from a Home_Net(172.20.5.18). And the property External_Net was set as !$Home_Net. The rule triggering ping alert:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING
*NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:2100366; rev:8;
metadata:created_at 2010_09_23, updated_at 2010_09_23;)
Alerts only from EXTERNAL_NET to HOME_NET and I was pinging from HOME_NET to HOME_NET.
To see this "internal" ping alerts you need to define EXTERNAL_NET as any.
I'm trying to install an applet on a SIM card wich supports java card V3.0.4. When I try to establish a secure channel to load the applet, the card returns an error:
mode_211
enable_trace
establish_context
card_connect
select -AID A000000151000000
Command --> 00A4040008A000000151000000
Wrapped command --> 00A4040008A000000151000000
Response <-- 6F108408A000000151000000A5049F6501FF9000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 79AA24D80FF0056101F1D9AB6DCAF0E6
-enc_key 79AA24D80FF0056101F1D9AB6DCAF0E6
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 664A734806072A864886FC6B01600B06092A864886FC6B020202630906072A86488
6FC6B03640B06092A864886FC6B048000640B06092A864886FC6B040255640B06092A864886FC6B0
481079000
Command --> 8050000008F05E65BF5254BC9F00
Wrapped command --> 8050000008F05E65BF5254BC9F00
Response <-- 00005147A5190C5352322002001C1F47B6C76BABFD305EBBC2CD1BB39000
mutual_authentication() returns 0x8030F00A (The Secure Channel Protocol passed and reported do not match.)
I'm using GPShell-1.4.4. I guess the problem is using wrong key set! Am I true or there is something else I cannot guess what?!
Thanks for your response,
(I am partly reusing an answer I wrote for your previous question which you suddenly deleted)
Error code GP211_ERROR_INCONSISTENT_SCP means that GPShell's intended SCP version mismatches with the real SCP version given by the card (see here).
Check the 12th byte of card response to INITIALIZE UPDATE -- Secure Channel Protocol identifier (see e.g. GP Card Specification 2.3, section E5.1.6) and use parameter -scp.
Alternatively you might want to use GlobalPlatformPro as GPShell is quite outdated...
Beware that you can block your card by issuing multiple INITIALIZE UPDATE commands without successful authentication!
As your current question contains the complete log it is possible to parse the Card Data tag giving (according to GP 2.2.1):
66 Card Data
73 Card Recognition Data / Discretionary Data Objects
06 OID
2A864886FC6B01 {globalPlatform 1} // Card Recognition Data
60 Application Tag 0
06 OID
2A864886FC6B020202 {globalPlatform 2 2 2} // GP 2.2 Card
63 Application Tag 3
06 OID
2A864886FC6B03 {globalPlatform 3} // Card Identification Scheme
64 Application Tag 4
06 OID
2A864886FC6B048000 {globalPlatform 4 128 0x00} // SCP80 i=0x00
64 Application Tag 4
06 OID
2A864886FC6B040255 {globalPlatform 4 2 0x55} // SCP02 i=0x55
64 Application Tag 4
06 OID
2A864886FC6B048107 {globalPlatform 4 129 0x07} // SCP81 i=0x07
So you might want to use -scp 2 -scpimpl 0x55 or -scp 2 -scpimpl 85 (which happens to be the same).
Or use GlobalPlatformPro.
Alternatively -scpimpl 0x15 should work as well as the Well-known pseudo-random algorithm
(card challenge) bit in 'i' should not matter...
Good luck!
I'm in the middle of learning about DNS, and I'm trying to understand how a non-recursive resolver/server would respond to an empty response.
My understanding of DNS is basically that:
If the server returns a non-authoritative response, it will usually provide a list of nameservers (the NSCOUNT) which you can consult to find the authoritative response.
But, what happens if a DNS server returns nothing? As in - just the response header with ANCOUNT = 0, NSCOUNT = 0 and ARCOUNT = 0?
For example, if I query Google's free DNS server (8.8.8.8), and I ask it to resolve "google.com", and the recursion bit is NOT set, this is the response I get:
+---------------------------------------------------------------------------+
| 25550 | QR: 1 | OP: 00 | AA: 0 | TC: 0 | RD: 0 | RA: 1 | Z: 0 | RCODE: 00 |
+---------------------------------------------------------------------------+
| QDCOUNT: 1, ANCOUNT: 0, NSCOUNT: 0, ARCOUNT: 0 |
+---------------------------------------------------------------------------+
So basically, it returned nothing to me except my original query, and it informed me that recursion is available.
In this case, how should the query proceed (assuming we don't just use ask the server to use recursion). Is the only recourse here to contact one of the top-level servers? Or, to put my question another way, how come Google's DNS server didn't return me a list of nameservers (why is NSCOUNT 0?) that I can consult?
When you said "No Recurse", then the Google's NS did not recurse. Since they are not the authoritative nameservers for google.com, they didn't provide any response. This is normal, and acceptable behaviour.
You can only request with "recurse" bit set, to figure out the A-record for google.com. Other way is:
Find the NS for com., from the root servers.
Find the NS for google.com from one of the com NS.
Find the A record for google.com from the gooogle.com NS.
Basically, you do what the recursive nameserver was supposed to do for you.
Note: Recursive NS can use its cache for getting you a response without actual queries, based on TTL for the record (and of course if you set the recursion bit (-:
Only an authoritative server is supposed to include the NS records in the authority section of the response.
The Google 8.8.8.8 servers are not authoritative for google.com, and you asked them not to recurse, so they didn't.
This is an abnormal query that a real DNS client wouldn't send to them, so their response of "NO DATA / NO ERROR" (RCODE == 0, ANCOUNT == 0) is acceptable.
My web application receives from untrusted user some unfiltered string, and then has to determine, if this string, when used as hostname, somehow resolves to IPv4 or IPv6 address in forbidden range, determined by set of predefined rules.
So, in case string appears to be IPv4 or IPv6 address (either canonical or not), it's simple — just translate address to whatever is it's canonical form, and test if it's in allowed ranges or not.
But what if string is valid hostname, that resolves to lot of records? Using node.js' builtin dns module, I get list of all DNS records for this particular hostname (A, AAAA, TXT, MX, SRV, CNAME). What next? AFAIK, TXT, SRV and MX do not affect name resolution at all. A and AAAA can be verified against aforementioned ruleset.
But what should I do with CNAME? Should I issue recursive DNS resolution for each CNAME encountered? Just ignore it and silently reject? If I issue recursive DNS resolution, any chance to prevent some smarthat feeding my application infinite CNAME stream, like CNAME 1.foobar.com ⟶ CNAME 2.foobar.com ⟶ CNAME 3.foobar.com ⟶ CNAME 4.foobar.com ⟶ ...? In case it repeats at some point, I can break out of it, but what if it does not? If I break early (after N redirections, say), hacker could forge such chain to be N+1 long, with last redirection having A/AAAA records to restricted area.
So, are there solutions to this? How do "convenient" resolvers handle this?
So, I've ended setting up name server myself, and feeding it zone config similar to
$ORIGIN foobar.com
...
evil1 CNAME evil2.foobar.com
evil2 CNAME evil3.foobar.com
evil3 CNAME evil4.foobar.com
evil4 CNAME evil5.foobar.com
...
evil99997 CNAME evil99998.foobar.com
evil99998 CNAME evil99999.foobar.com
evil99999 CNAME evil100000.foobar.com
evil100000 A 127.12.34.56
nslookup request ends as follows:
$ nslookup evil1.foobar.com
Server: 127.0.0.1
Address: 127.0.0.1#53
evil1.foobar.com canonical name = evil2.foobar.com.
evil2.foobar.com canonical name = evil3.foobar.com.
evil3.foobar.com canonical name = evil4.foobar.com.
evil4.foobar.com canonical name = evil5.foobar.com.
evil5.foobar.com canonical name = evil6.foobar.com.
evil6.foobar.com canonical name = evil7.foobar.com.
evil7.foobar.com canonical name = evil8.foobar.com.
evil8.foobar.com canonical name = evil9.foobar.com.
evil9.foobar.com canonical name = evil10.foobar.com.
evil10.foobar.com canonical name = evil11.foobar.com.
evil11.foobar.com canonical name = evil12.foobar.com.
evil12.foobar.com canonical name = evil13.foobar.com.
evil13.foobar.com canonical name = evil14.foobar.com.
evil14.foobar.com canonical name = evil15.foobar.com.
evil15.foobar.com canonical name = evil16.foobar.com.
evil16.foobar.com canonical name = evil17.foobar.com.
evil17.foobar.com canonical name = evil18.foobar.com.
dig produces similar output:
# dig +recurse evil1.foobar.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> +recurse evil1.foobar.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34317
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;evil1.foobar.com. IN A
;; ANSWER SECTION:
evil1.foobar.com. 10 IN CNAME evil2.foobar.com.
evil2.foobar.com. 10 IN CNAME evil3.foobar.com.
evil3.foobar.com. 10 IN CNAME evil4.foobar.com.
evil4.foobar.com. 10 IN CNAME evil5.foobar.com.
evil5.foobar.com. 10 IN CNAME evil6.foobar.com.
evil6.foobar.com. 10 IN CNAME evil7.foobar.com.
evil7.foobar.com. 10 IN CNAME evil8.foobar.com.
evil8.foobar.com. 10 IN CNAME evil9.foobar.com.
evil9.foobar.com. 10 IN CNAME evil10.foobar.com.
evil10.foobar.com. 10 IN CNAME evil11.foobar.com.
evil11.foobar.com. 10 IN CNAME evil12.foobar.com.
evil12.foobar.com. 10 IN CNAME evil13.foobar.com.
evil13.foobar.com. 10 IN CNAME evil14.foobar.com.
evil14.foobar.com. 10 IN CNAME evil15.foobar.com.
evil15.foobar.com. 10 IN CNAME evil16.foobar.com.
evil16.foobar.com. 10 IN CNAME evil17.foobar.com.
evil17.foobar.com. 10 IN CNAME evil18.foobar.com.
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: ...
;; MSG SIZE rcvd: 388
And according to tests made with plain resolvers, if CNAME chain does not end up with useful target after 16 hops (e.g. if 17th is still CNAME), lookup will be interrupted and domain name will be rejected as non-resolving. CNAME attack myth busted.
I wouldn't mess with any of this, and leave it up to the system resolver.
var dns = require('dns');
dns.lookup('host.example.com');
I cannot get reverse DNS lookup configured correctly in Amazon Route 53 for a block of ATT IP's that have been delegated to Amazon Name Servers.
So, I have a block of IP's assigned to me by ATT. The block is 12.237.40.64/27. ATT has delegate the block to Amazon Name Servers. I start by doing a dig -x on one of the IP's in the block - .65, and get the following:
;; ANSWER SECTION:
65.40.237.12.in-addr.arpa. 86400 IN CNAME 65.64/27.40.237.12.in-addr.arpa.
So I start to create a zone in Amazon Route 53 with the name 65.64/27.40.237.12.in-addr.arpa < this value is being entered into the 'Domain Name' field with in Amazon Route 53 in the UI. Once created and saved, Route 53 actually names the zone:
65.64\05727.40.237.12.in-addr.arpa
Not sure why this is happening. It seems that the CNAME entry from ATT about will never find the zone 65.64/27.40.237.12.in-addr.arpa ?? So I continue and assume that some sort of translation will occur from the CNAME entry to the zone name I view on screen within route 53. Once the zone is created. I proceed to try to add a PTR record in Route 53. Route 53 will only allow me to prepend the zone name with an ip so the result is:
65.65.64\05727.40.237.12.in-addr.arpa PTR server.mydomain.com
The result I want would be:
65.40.237.12.in-addr.arpa. PTR server.mydomain.com.
So I add a new zone file and name the zone 40.237.12.in-addr.arpa. I then add the PTR record for .65 with in the block. I then dig -x 12.237.40.65 #amz.name.server, and I get the desired result:
;; ANSWER SECTION:
65.40.237.12.in-addr.arpa. 300 IN PTR server.mydomain.com.
So the problem seems to be that I cannot name the Route 53 zone to agree with the CNAME delegation from ATT ??
I found an article (PDF) on ATT delegated IP blocks.
Can anyone give me some direction on setting up reverse DNS on Amazon route 53 correctly? Or do I need to contact ATT to change the CNAME entry to a different format that I can add and save in route 53?
65.64/27.40.237.12.in-addr.arpa. and 65.65.64\05727.40.237.12.in-addr.arpa PTR server.mydomain.com are just slightly differently formatted names for the same thing. \057 is the octal code for /. It looks like you've configured the domain correctly ...
colmmacc#colmmac] dig NS 64/27.40.237.12.in-addr.arpa. #ns-1175.awsdns-18.org
<snip>
;; QUESTION SECTION:
;64/27.40.237.12.in-addr.arpa. IN NS
;; ANSWER SECTION:
64/27.40.237.12.in-addr.arpa. 3600 IN NS ns-1175.awsdns-18.org.
64/27.40.237.12.in-addr.arpa. 3600 IN NS ns-1967.awsdns-53.co.uk.
64/27.40.237.12.in-addr.arpa. 3600 IN NS ns-281.awsdns-35.com.
64/27.40.237.12.in-addr.arpa. 3600 IN NS ns-593.awsdns-10.net.
and the reverse DNS entry seems to be working too:
colmmacc#colmmacc] dig -x 12.237.40.65
;; QUESTION SECTION:
;65.40.237.12.in-addr.arpa. IN PTR
;; ANSWER SECTION:
65.40.237.12.in-addr.arpa. 86400 IN CNAME 65.64/27.40.237.12.in-addr.arpa.
65.64/27.40.237.12.in-addr.arpa. 300 IN PTR smtpwin.omnilink.com.
Route 53 merely escapes all non-alpha-numerical characters for display, but the / and \057
are equivalent.