lost and found ( for me ? )

scapy dev 2.2.0: generate crafted EDNS0 A/ANY queries with spoofed IP addresses

Here is a sample script that generates crafted EDNS0 A/ANY DNS queries with spoofed source IP addresses.
Please note that you need scapy dev 2.2.0 to generate EDNS0 queries (the DNSRROPT layer used below).

# cat send_fake_EDNS0.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-

###
# this script is for scapy 2.2.0-dev
# this script can generate crafted EDNS0 DNS queries such as ANY EDNS0, A EDNS0, AAAA EDNS0 with spoofed IP addresses
###

import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

from scapy.all import *
import random
import string

domain_string = string.ascii_lowercase + string.digits
target_server = "192.168.100.100"
interface_name = "br0"

for i in range(0, 10):
    # random labels such as rz2pywl02a.3fl.foo.com, so every A query is a cache miss
    a1 = ''.join(random.choice(domain_string) for x in range(10))
    b1 = ''.join(random.choice(domain_string) for y in range(3))
    target1 = "www1.foo.com"
    target2 = a1 + "." + b1 + ".foo.com"

    # make . ANY EDNS0 queries with spoofed IP addresses
    # RandIP picks a random source in 10.0.0.0/8; DNSRROPT(rclass=4096) is the OPT record,
    # whose class field carries the advertised UDP payload size (4096 in the capture below)
    packet1 = (IP(src=RandIP("10.0.0.0/8"), dst=target_server)/UDP(sport=RandShort(), dport=53)/DNS(rd=1, id=RandShort(), qd=DNSQR(qname=".", qtype="ALL", qclass="IN"), ar=DNSRROPT(rclass=4096)))

    # make isc.org ANY EDNS0 queries with spoofed IP addresses
    packet2 = (IP(src=RandIP("10.0.0.0/8"), dst=target_server)/UDP(sport=RandShort(), dport=53)/DNS(rd=1, id=RandShort(), qd=DNSQR(qname="isc.org", qtype="ALL", qclass="IN"), ar=DNSRROPT(rclass=4096)))

    # make A EDNS0 random queries with spoofed IP addresses
    packet3 = (IP(src=RandIP("10.0.0.0/8"), dst=target_server)/UDP(sport=RandShort(), dport=53)/DNS(rd=1, id=RandShort(), qd=DNSQR(qname=target2, qtype="A", qclass="IN"), ar=DNSRROPT(rclass=4096)))

    # make A www1.foo.com EDNS0 queries with spoofed IP addresses
    packet4 = (IP(src=RandIP("10.0.0.0/8"), dst=target_server)/UDP(sport=RandShort(), dport=53)/DNS(rd=1, id=RandShort(), qd=DNSQR(qname=target1, qtype="A", qclass="IN"), ar=DNSRROPT(rclass=4096)))

    # generate DNS queries
    # with a timeout this small sr1() effectively just sends; no reply can reach a spoofed source anyway
    res1 = sr1(packet1, retry=False, timeout=0.000001, inter=0.000001, verbose=False, iface=interface_name)
    res2 = sr1(packet2, retry=False, timeout=0.000001, inter=0.000001, verbose=False, iface=interface_name)
    res3 = sr1(packet3, retry=False, timeout=0.000001, inter=0.000001, verbose=False, iface=interface_name)
    res4 = sr1(packet4, retry=False, timeout=0.000001, inter=0.000001, verbose=False, iface=interface_name)

Both the target DNS box and the traffic-generating box need to be on the same network.

Run the script:
# ./send_fake_EDNS0.py

Capture data collected on the target DNS server.
Target DNS: 192.168.100.100; the source IP addresses have been spoofed.
# tshark -r a.pcap | grep "Standard query 0x"
Running as user "root" and group "root". This could be dangerous.
 1 0.000000000  10.49.94.82 -> 192.168.100.100 DNS 70 Standard query 0xcac3  ANY <Root>
 3 0.007995000 10.218.240.123 -> 192.168.100.100 DNS 78 Standard query 0xe954  ANY isc.org
 5 0.015241000 10.45.151.201 -> 192.168.100.100 DNS 93 Standard query 0xaef1  A rz2pywl02a.3fl.foo.com
 6 0.015327000 192.168.100.100 -> 23.21.242.88 DNS 82 Standard query 0xa930  A rz2pywl02a.3fl.foo.com
 7 0.037229000 10.118.140.194 -> 192.168.100.100 DNS 83 Standard query 0x1de2  A www1.foo.com
 9 0.052719000 10.138.144.167 -> 192.168.100.100 DNS 70 Standard query 0xded3  ANY <Root>
11 0.073457000  10.19.2.156 -> 192.168.100.100 DNS 78 Standard query 0x08b4  ANY isc.org
13 0.109686000 10.127.199.236 -> 192.168.100.100 DNS 93 Standard query 0xed21  A o8hecnb4vr.5c4.foo.com
14 0.109761000 192.168.100.100 -> 23.21.242.88 DNS 82 Standard query 0x3342  A o8hecnb4vr.5c4.foo.com
15 0.117431000  10.85.47.43 -> 192.168.100.100 DNS 83 Standard query 0x08ca  A www1.foo.com
17 0.132922000 10.52.54.174 -> 192.168.100.100 DNS 70 Standard query 0x0769  ANY <Root>

tshark dissection of the DNS section of one of the captured isc.org ANY queries:
   Questions: 1
   Answer RRs: 0
   Authority RRs: 0
   Additional RRs: 1
   Queries
       isc.org: type ANY, class IN
           Name: isc.org
           Type: ANY (Request for all records)
           Class: IN (0x0001)
   Additional records
       <Root>: type OPT
           Name: <Root>
           Type: OPT (EDNS0 option)
           UDP payload size: 4096
           Higher bits in extended RCODE: 0x0
           EDNS0 version: 0
           Z: 0x8000
               Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
               Bits 1-15: 0x0 (reserved)
           Data length: 0
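The OPT record dissected above, as an added example that is not part of the original post: a small parser for the raw DNS query bytes (constructed here to match the isc.org and <Root> ANY queries in the capture, 36 and 28 bytes of DNS payload, which is where the 78- and 70-byte frames come from) that pulls out the EDNS0 payload size and DO bit, plus a resolver-side check that recognises the query shape seen in this capture. It assumes plain single-question queries with uncompressed names and no answer or authority records.

```python
import struct

TYPE_OPT = 41      # EDNS0 OPT pseudo-RR type
QTYPE_ANY = 255    # "ALL" in scapy, "ANY" in tshark

# constructed wire bytes matching the dissection above (not captured data)
OPT_4096_DO = (b"\x00"              # name: <Root>
               b"\x00\x29"          # type OPT
               b"\x10\x00"          # class field = UDP payload size 4096
               b"\x00\x00\x80\x00"  # ext RCODE 0, version 0, Z=0x8000 (DO bit set)
               b"\x00\x00")         # rdlength 0
ISC_ANY_QUERY = (b"\xe9\x54\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01"  # id, RD, qd=1, ar=1
                 b"\x03isc\x03org\x00\x00\xff\x00\x01"                 # isc.org ANY IN
                 + OPT_4096_DO)
ROOT_ANY_QUERY = (b"\xca\xc3\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01"
                  b"\x00\x00\xff\x00\x01"                              # . ANY IN
                  + OPT_4096_DO)

def read_name(msg, off):
    """Decode an uncompressed DNS name starting at off; return (name, next_off)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", off

def parse_query(msg):
    """Parse a single-question query (no answer/authority RRs) and extract the OPT fields."""
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    if qdcount != 1 or ancount or nscount:
        raise ValueError("not a plain single-question query")
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {"id": ident, "rd": bool(flags & 0x0100), "qname": qname, "qtype": qtype, "edns": None}
    for _ in range(arcount):
        _name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:   # for OPT, CLASS is the payload size and TTL holds ext-RCODE/version/Z
            info["edns"] = {"payload_size": rclass, "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    return info

def is_large_any_query(info, threshold=4096):
    """Resolver-side check: ANY query advertising an EDNS0 payload size >= threshold."""
    return info["qtype"] == QTYPE_ANY and info["edns"] is not None and info["edns"]["payload_size"] >= threshold
```

Feeding the UDP payload of each query from the pcap through parse_query() and is_large_any_query() gives a per-query flag that can be counted per source address; the spoofed 10.0.0.0/8 sources in the capture would then show up as many distinct addresses each sending the same flagged shape.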
