Readme updated

This commit is contained in:
Dionysus 2023-11-27 20:04:17 -05:00
parent 50cf4464fa
commit f1ce28a26b
Signed by: acidvegas
GPG Key ID: EF4B922DB85DC9DE
3 changed files with 20 additions and 12 deletions

BIN
.screens/preview.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 11 KiB

View File

@ -5,17 +5,26 @@ This tool is designed to detect passive DNS servers that are logging DNS queries
The program operates by accepting a list of DNS resolver addresses and a seed value for subdomain generation. It then asynchronously queries each resolver with a dynamically generated subdomain, based on the provided seed, targeting a specific domain. The asynchronous nature of the tool allows for high-throughput and efficient querying, making it suitable for scanning a large number of resolvers in a short period. Users should note that while this tool provides valuable insights into DNS logging practices, it should be used responsibly and in compliance with applicable network and privacy regulations. It serves as a powerful instrument for network administrators, security researchers, and privacy advocates to understand and evaluate the extent of passive DNS logging in their networks or across various resolvers.
## How it works
When the program starts, it will generate a unique subdomain for each resolver.
This list is saved as JSON data in a `dns_keys.txt` file.
Th program will start firing off DNS queries to all the resolvers using the custom subdomain we made for each one:
![](.screens/preview.png)
After testing across multiple IP addresses over time, if we ever see `download.event.supernets.org` show up on any passive DNS lookup engines, we can simple use the following command:
```bash
jq 'to_entries | map({key: .value, value: .key}) | from_entries | ."download.event"' dns_keys.txt
```
This will return `151.202.0.84`, marking it as a DNS server that is actively logging all DNS queries that pass through.
## WORK IN PROGRESS (STAY TUNED)
- Right now we can MASS query a subdomain on a domain or list of domains using a list of resolvers or the resolvers from public-dns.info
- Need to generate a seed per-dns server that can be included in the subdomain so it can be reversed back to a know which specific dns server is logging all dns requests.
- Subdomain should be entirely random, have to look into commonly seen subdomains, but something like:
- de.220.ftp.domain.com
- astro.login.domain.net
- customer-cdn.1220.domain.org
This is all very theoretical right now, interested to see how this pans out.
The seeds here are 220, astro, and 1220. Unique things we can look for in the future.
Every sweep, we will generate a random seed for each dns server and save it to a seed.key file.
This is all very theoretical right now, interested to see how this pans out.
Stats and proof coming soon. Get fucking fucked white-ops 💯

View File

@ -130,7 +130,6 @@ if __name__ == '__main__':
dns_keys = dict()
for dns_server in dns_servers:
dns_keys[dns_server] = generate_subdomain(sub_domains)
logging.info(f'{dns_server} will have a key of {dns_keys[dns_server]}')
with open('dns_keys.txt', 'w') as file:
json.dump(dns_keys, file)