python dig trace implementation: using the IP of the name server being queried to tell whether a domain is a DNS tunnel

    Method for confirming a DNS tunnel: find the name server that ultimately answers for the subdomain:

    Usage: python dig_trace.py  "<7cf1e56b 67fc90f8 caaae86e 0787e907>.nsconcreteblock.info" any
    Selected root name server:  192.203.230.10
    ['.', 'info.', 'nsconcreteblock.info.', '<7cf1e56b 67fc90f8 caaae86e 0787e907>.nsconcreteblock.info.']
    Random NS:  199.254.31.1
    Random NS:  199.249.121.1

    Querying name server:  199.249.121.1
    Looking it up on ThreatBook at https://x.threatbook.cn/ip/199.249.121.1 shows that 199.249.121.1 is a phishing IP.

    Contents of the dig_trace.py script:

    Source: https://github.com/danasmera/Python_scripts/blob/master/dig-trace.py

    #!/usr/bin/env python3
    ''' Similar to dig +trace, except this script does not rely on the name servers configured on localhost '''
    __author__ = "Daniel T."
    __license__ = "GPL"
    __version__ = "0.1.0"
    __maintainer__ = "danasmera"
    __email__ = "daniel@danasmera.com"

    import sys
    from random import choice
    import re
    import signal

    try:
      import dns.name
      import dns.message
      import dns.query
      import dns.rdatatype
      import dns.exception
    except ImportError:
      print('Module dns import error (pip install dnspython).')
      sys.exit(1)

    def signal_handler(signum, frame):
      print('Ctrl+C pressed...exiting...')
      sys.exit(0)

    signal.signal(signal.SIGINT, signal_handler)

    def Usage():
      print(sys.argv[0] + ' FQDN RecordType[A|MX|TXT|NS|ANY]')
      print('Ex. ' + sys.argv[0] + ' gmail.com mx')
      sys.exit(1)

    #record type name -> numeric RR type code
    mydict={'A':1, 'NS':2, 'MX':15, 'TXT':16, 'ANY':255}

    ARGC=len(sys.argv)

    if ARGC < 2:
      Usage()

    RRTYPE='A' if ARGC<=2 else sys.argv[2].strip()
    RRTYPE=RRTYPE.upper()
    if RRTYPE in mydict: RRTYPE=mydict[RRTYPE]
    else: Usage()

    #IPv4 pattern (the backslashes were lost in the original listing)
    ippat=r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'

    #rootns=[chr(i)+'.root-servers.net' for i in range(ord('a'),ord('n'))]
    rootns=('198.41.0.4', '192.228.79.201', '192.33.4.12', '199.7.91.13', '192.203.230.10', '192.5.5.241', '192.112.36.4', '128.63.2.53', '192.36.148.20', '192.58.128.30', '193.0.14.129', '199.7.83.42', '202.12.27.33')
    rootns=('192.203.230.10',) # e.root-servers.net: very useful, in the author's experience it never times out
    srootns=choice(rootns)

    print("Selected root name server: ", srootns)

    def only_ip(rrdata):
      '''Return the first IPv4 address found in an RRset's text form, or None.'''
      match=re.search(ippat, rrdata)
      if match: return match.group()

    #we will accept input such as google.com, www.google.com. etc
    myhost=sys.argv[1].strip()
    cleaned_myhost=myhost.rstrip('.').split('.')
    cleaned_myhost.append('.')   # the root zone

    #flip list into format ['.','com','google','www']
    cleaned_myhost.reverse()

    #Join the parts cumulatively for easier querying: ['.','com.','google.com.','www.google.com.']
    for i in range(1, len(cleaned_myhost)):
      if i==1:
        cleaned_myhost[i]=cleaned_myhost[i]+cleaned_myhost[i-1]
      else:
        cleaned_myhost[i]=cleaned_myhost[i]+'.'+cleaned_myhost[i-1]

    print(cleaned_myhost)
    additional_ns=[]
    LNS=srootns   # last name server learned from a referral; starts at the root

    ##Step over each domain part and query the NS in the glue record on the parent domain

    for domain in cleaned_myhost[1:]:
      #ask a server learned from the previous referral (the root for the first step)
      name_server=choice(additional_ns) if additional_ns else LNS
      ndomain = dns.name.from_text(domain)
      request = dns.message.make_query(ndomain, dns.rdatatype.NS)
      try:
        response = dns.query.udp(request, name_server, timeout=10)
      except dns.exception.Timeout:
        print('Dns query timed out.')
        sys.exit(1)

      additional_ns=[]
      #Collect IPv4 glue from the additional section, skipping IPv6
      for item in response.additional:
        if 'IN AAAA' not in item.to_text():
          ip_ns=only_ip(item.to_text())
          if ip_ns: additional_ns.append(ip_ns)
      #If the referral carried no glue, the previous server is reused on the next step
      if additional_ns:
        LNS=choice(additional_ns)
        print("Random NS: ", LNS)

    print()
    print("Querying name server: ", LNS)
    request = dns.message.make_query(myhost, RRTYPE)
    try:
      response = dns.query.udp(request, LNS, timeout=10)
    except dns.exception.Timeout:
      print('Dns query timed out.')
      sys.exit(1)

    for rrset in response.answer:
      print(rrset)

    Examples:

    $python dig_trace.py www.baidu.com a
    Selected root name server:  192.203.230.10
    ['.', 'com.', 'baidu.com.', 'www.baidu.com.']
    Random NS:  192.48.79.30
    Random NS:  220.181.37.10
    Random NS:  180.149.133.241
    
    Querying name server:  180.149.133.241
    
    
    $ python dig_trace.py xxx.a.friendskaka.com any
    Selected root name server:  192.203.230.10
    ['.', 'com.', 'friendskaka.com.', 'a.friendskaka.com.', 'xxx.a.friendskaka.com.']
    Random NS:  192.43.172.30
    Random NS:  106.11.141.113
    Random NS:  45.77.39.243
    Random NS:  45.77.39.243
    
    Querying name server:  45.77.39.243
    Dns query timed out.

    This is really useful, because the IP of the name server being queried can be used to judge whether a domain is a DNS tunnel!

    The equivalent done with dig +trace:

    $ dig xxx.a.friendskaka.com +trace

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> xxx.a.friendskaka.com +trace
    ;; global options: +cmd
    .            251824    IN    NS    h.root-servers.net.
    .            251824    IN    NS    k.root-servers.net.
    .            251824    IN    NS    c.root-servers.net.
    .            251824    IN    NS    i.root-servers.net.
    .            251824    IN    NS    e.root-servers.net.
    .            251824    IN    NS    g.root-servers.net.
    .            251824    IN    NS    l.root-servers.net.
    .            251824    IN    NS    f.root-servers.net.
    .            251824    IN    NS    j.root-servers.net.
    .            251824    IN    NS    d.root-servers.net.
    .            251824    IN    NS    m.root-servers.net.
    .            251824    IN    NS    b.root-servers.net.
    .            251824    IN    NS    a.root-servers.net.
    ;; Received 228 bytes from 223.6.6.6#53(223.6.6.6) in 39 ms

    com.            172800    IN    NS    k.gtld-servers.net.
    com.            172800    IN    NS    d.gtld-servers.net.
    com.            172800    IN    NS    j.gtld-servers.net.
    com.            172800    IN    NS    f.gtld-servers.net.
    com.            172800    IN    NS    h.gtld-servers.net.
    com.            172800    IN    NS    m.gtld-servers.net.
    com.            172800    IN    NS    c.gtld-servers.net.
    com.            172800    IN    NS    e.gtld-servers.net.
    com.            172800    IN    NS    a.gtld-servers.net.
    com.            172800    IN    NS    b.gtld-servers.net.
    com.            172800    IN    NS    l.gtld-servers.net.
    com.            172800    IN    NS    i.gtld-servers.net.
    com.            172800    IN    NS    g.gtld-servers.net.
    com.            86400    IN    DS    30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
    com.            86400    IN    RRSIG    DS 8 1 86400 20180403170000 20180321160000 41824 . ROETRmN1GaacCAf834rGvPrUpWsGujhy9AHe9BAEs2l81pNmXLU2ftKo 2DCI+YWufP1kzvuIbIHaJi8gr3MFKzt92EA2fBQHXBrVznkMPK4xwsY/ vAciVIbc5SgFi5W+efDyjOvObXHjSxLm0JXaOAMenc+xCx/W/mBva7AI Fe8g/0skHdZoGaQuHCUUklKHluOksN8E0MbWZuU8jKOEWAiNXZyfzSCr xXsS5N66f/5iik0xFYKbfznzff70PDowOxnAsWr0KHeJvKv3afF9XYXl xcu5JtB1Z534X5A5SdDqadsZ0UydPMeaC6b725qoluALnSgsbpU5USHr xIxT9w==
    ;; Received 1181 bytes from 192.36.148.17#53(i.root-servers.net) in 231 ms

    friendskaka.com.    172800    IN    NS    dns2.hichina.com.
    friendskaka.com.    172800    IN    NS    dns1.hichina.com.
    CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
    CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20180329044627 20180322033627 46967 com. uvlOWKlub35L4vxf90cou126foZVxgd04uKGEk9118BgH0KReXWJNYTW tb8fpLuV+jPkL3tCjCjG5wxCWaI15J0Yeh0MSPQes2NFSNnxrxd09s6P Uo+7anhDgn4kJNIuDiAYp03B/e2j3rVNy0Ixnvz7FUE7r33pN0pW1M9n d68=
    CO5FD8E5AURAOVOMCLOJRHU4BQPQO18S.com. 86400 IN NSEC3 1 1 0 - CO5GE18T10E6MHBQLNUH2P41UKL4V8R9 NS DS RRSIG
    CO5FD8E5AURAOVOMCLOJRHU4BQPQO18S.com. 86400 IN RRSIG NSEC3 8 2 86400 20180327050411 20180320035411 46967 com. MQP16KcNpQJRi/HwBQGrHVYmV1zEQU15+hXslNaVl18hOCLZsKS3GAMz bdcLK03ygTV3Os+rGvvGjZaRIjNoFJukHAbJ5xuBe1pKnv00PlT/ZiF+ 2UJjEQzYzR3Scf1ni1TCSlCu8oLtrUanAVLqWz+o1pviZtHRGw8/Yff7 HGQ=
    ;; Received 837 bytes from 192.52.178.30#53(k.gtld-servers.net) in 171 ms

    a.friendskaka.com.    600    IN    NS    ns.friendskaka.com.
    ;; Received 98 bytes from 140.205.41.23#53(dns1.hichina.com) in 31 ms

    ;; connection timed out; no servers could be reached
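    As an added example (not part of the post or of the dig-trace script), a small Python 3 parser for dig +trace output like the one above: it extracts each delegation step (zone, NS names, and the IP of the server that answered it), which is the same chain the script prints as "Random NS". The trimmed sample text and the in-bailiwick heuristic (deepest zone delegated only to a name server under its own registered domain, as a.friendskaka.com is here) are my own constructions, not claims from the post.

```python
import re
# Constructed sample, trimmed from a `dig +trace` run like the one above (not captured output).
SAMPLE_TRACE = """\
.            251824    IN    NS    h.root-servers.net.
;; Received 228 bytes from 223.6.6.6#53(223.6.6.6) in 39 ms

com.            172800    IN    NS    k.gtld-servers.net.
com.            86400    IN    DS    30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
;; Received 1181 bytes from 192.36.148.17#53(i.root-servers.net) in 231 ms

friendskaka.com.    172800    IN    NS    dns2.hichina.com.
friendskaka.com.    172800    IN    NS    dns1.hichina.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
;; Received 837 bytes from 192.52.178.30#53(k.gtld-servers.net) in 171 ms

a.friendskaka.com.    600    IN    NS    ns.friendskaka.com.
;; Received 98 bytes from 140.205.41.23#53(dns1.hichina.com) in 31 ms

;; connection timed out; no servers could be reached
"""

NS_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$')      # NS records only (not NSEC3/DS/RRSIG)
FROM_RE = re.compile(r'^;; Received \d+ bytes from ([\d.]+)#\d+\((\S+)\)')

def parse_trace(text):
    """One (zone, [ns names], ip of the server that answered) tuple per delegation step."""
    steps, zone, servers = [], None, []
    for line in text.splitlines():
        m = NS_RE.match(line)
        if m:                       # an NS record of the zone being delegated
            zone = m.group(1)
            servers.append(m.group(2))
            continue
        m = FROM_RE.match(line)     # end of one referral: which server answered it
        if m and zone is not None:
            steps.append((zone, servers, m.group(1)))
            zone, servers = None, []
    return steps

def registered_domain(name, labels=2):
    """Naive registrable domain = last two labels (assumption: no public-suffix list used)."""
    parts = name.rstrip('.').split('.')
    return '.'.join(parts[-labels:]) + '.'

def in_bailiwick_delegation(steps):
    """Heuristic (my assumption): deepest zone delegated only to NS under its own registered domain."""
    zone, servers, _ = steps[-1]
    dom = registered_domain(zone)
    return all(ns.endswith('.' + dom) for ns in servers)
```

    The last tuple returned by parse_trace is the server whose IP the post recommends checking; the heuristic flags delegations like a.friendskaka.com -> ns.friendskaka.com for closer inspection, it does not prove tunnelling on its own.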

Original article: https://www.cnblogs.com/bonelee/p/8625434.html