lost and found ( for me ? )

scapy: send ANY queries by enabling EDNS0

It seems that we can craft EDNS0 queries by using the developer branch.

install scapy dev.
# tail -1 /etc/lsb-release ;uname -ri
DISTRIB_DESCRIPTION="Ubuntu 12.04.3 LTS"
3.2.0-58-virtual x86_64

# apt-get install mercurial
# hg clone http://bb.secdev.org/scapy
# cd scapy/

Looking at the python script (dns.py), there are EDNS0-related classes.
# less scapy/layers/dns.py

# RFC 2671 - Extension Mechanisms for DNS (EDNS0)

class EDNS0TLV(Packet):
    name = "DNS EDNS0 TLV"
    fields_desc = [ ShortEnumField("optcode", 0, { 0: "Reserved", 1: "LLQ", 2: "UL", 3: "NSID", 4: "Reserved", 5: "PING" }),
                    FieldLenField("optlen", None, "optdata", fmt="H"),
                    StrLenField("optdata", "", length_from=lambda pkt: pkt.optlen) ]

    def extract_padding(self, p):
        return "", p

class DNSRROPT(Packet):
    name = "DNS OPT Resource Record"
    fields_desc = [ DNSStrField("rrname",""),
                    ShortEnumField("type", 41, dnstypes),
                    ShortField("rclass", 4096),
                    ByteField("extrcode", 0),
                    ByteField("version", 0),
                    # version 0 means EDNS0
                    BitEnumField("z", 32768, 16, { 32768: "D0" }),
                    # D0 means DNSSEC OK from RFC 3225
                    FieldLenField("rdlen", None, length_of="rdata", fmt="H"),
                    PacketListField("rdata", [], EDNS0TLV, length_from=lambda pkt: pkt.rdlen) ]

How can I craft EDNS0 queries?
Let’s check capture data with scapy.
# dig @192.168.100.11 isc.org any +bufsize=3000

# ./run_scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
INFO: No IPv6 support in kernel
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python Crypto lib. Won't be able to decrypt WEP.
INFO: Can't import python Crypto lib. Disabled certificate manipulation tools
Welcome to Scapy (2.2.0-dev)

>>> a=rdpcap("aa.pcap")
WARNING: DNS RR prematured end (ofs=1515, len=1460)

>>> a[0]
<Ether  dst=fe:54:00:45:42:c6 src=52:54:00:45:42:c6 type=0x800 |<IP  version=4L ihl=5L tos=0x0 len=64 id=28446 flags= frag=0L ttl=64 proto=udp chksum=0x57a src=192.168.122.185 dst=192.168.100.11 options=[] |<UDP  sport=13695 dport=domain len=44 chksum=0x653 |<DNS  id=57344 qr=0L opcode=QUERY aa=0L tc=0L rd=1L ra=0L z=0L ad=0L cd=0L rcode=ok qdcount=1 ancount=0 nscount=0 arcount=1 qd=<DNSQR  qname='isc.org.' qtype=ALL qclass=IN |> an=None ns=None ar=<DNSRROPT  rrname='.' type=OPT rclass=3000 extrcode=0 version=0 z=0L rdlen=0 |> |>>>>

qtype=ALL is ANY.
rclass=3000 is the EDNS0 buffer size (the OPT RR's class field carries the UDP payload size).

How about this?
>>> ans=sr(IP(dst="192.168.100.11")/UDP(sport=RandShort(),dport=53)/DNS(qd=DNSQR(qname="isc.org",qtype="ALL",qclass="IN"),ar=DNSRROPT(rclass=3000)))
Begin emission:
...Finished to send 1 packets.
.WARNING: DNS RR prematured end (ofs=1515, len=1460)
*
Received 13 packets, got 1 answers, remaining 0 packets

Okay, I was able to craft EDNS0 ANY queries.
Capture data collected on the target DNS server:
   Questions: 1
   Answer RRs: 0
   Authority RRs: 0
   Additional RRs: 1
   Queries
       isc.org: type ANY, class IN
           Name: isc.org
           Type: ANY (Request for all records)
           Class: IN (0x0001)
   Additional records
       <Root>: type OPT
           Name: <Root>
           Type: OPT (EDNS0 option)
           UDP payload size: 3000
           Higher bits in extended RCODE: 0x0
           EDNS0 version: 0
           Z: 0x8000
               Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
               Bits 1-15: 0x0 (reserved)
           Data length: 0
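As an added example that is not part of the original post, the following stdlib-only Python builds a query/ANY packet with the same OPT RR layout that scapy's DNSRROPT shows (root name, type 41, class = UDP payload size, then extrcode/version/z and rdlen) and parses it back, so the fields checked above (qtype=ALL, rclass=3000, the DO bit in z) can be verified on a raw payload without scapy. The function and dictionary key names are my own; the dnssec_ok flag mirrors scapy's DNSRROPT default z=32768 (the Z: 0x8000 in the capture), while the dig query above had z=0.

```python
import struct

DNS_TYPE_ANY = 255   # qtype "ALL" in scapy's naming
DNS_TYPE_OPT = 41    # EDNS0 OPT pseudo-RR
DNS_CLASS_IN = 1
DO_BIT = 0x8000      # DNSSEC OK, top bit of the 16-bit Z field


def encode_name(name):
    """Encode 'isc.org' as DNS labels (b'\\x03isc\\x03org\\x00'); '' or '.' is the root, a single zero byte."""
    name = name.rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length must be 1..63 bytes")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_any_query(qname, txid, bufsize, dnssec_ok=False):
    """Build a <qname>/ANY query carrying one EDNS0 OPT RR in the additional section.

    OPT RR wire layout (as in scapy's DNSRROPT): name=root, type=41,
    class=UDP payload size, extrcode(8) | version(8) | z(16) in the TTL slot, rdlen=0.
    """
    flags = 0x0100  # rd=1, everything else clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qdcount=1, arcount=1
    question = encode_name(qname) + struct.pack("!HH", DNS_TYPE_ANY, DNS_CLASS_IN)
    z = DO_BIT if dnssec_ok else 0
    opt = encode_name(".") + struct.pack("!HHBBHH", DNS_TYPE_OPT, bufsize, 0, 0, z, 0)
    return header + question + opt


def decode_name(buf, off):
    """Decode an uncompressed name at offset off; return (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels) or ".", off + 1
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_query(buf):
    """Return the fields the post inspects: question plus EDNS0 parameters (edns is None without an OPT RR)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    qname, off = decode_name(buf, off)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    info = {"id": txid, "rd": bool(flags & 0x0100), "qname": qname, "qtype": qtype,
            "qclass": qclass, "arcount": ar, "edns": None}
    # A query has no answer/authority RRs, so the additional section follows the question directly.
    for _ in range(ar):
        _name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        off += rdlen  # skip rdata (EDNS0 TLVs); rdlen=0 in the captures above
        if rtype == DNS_TYPE_OPT:
            info["edns"] = {"bufsize": rclass,              # class field = UDP payload size
                            "extrcode": ttl >> 24,
                            "version": (ttl >> 16) & 0xFF,  # 0 means EDNS0
                            "do": bool(ttl & DO_BIT),
                            "rdlen": rdlen}
    return info


if __name__ == "__main__":
    # Constructed sample: same txid/bufsize as the dig capture in the post.
    pkt = build_any_query("isc.org", 57344, 3000)
    print(len(pkt), "bytes (UDP len 44 - 8 byte header)")
    print(parse_query(pkt))
```

The 36-byte result matches the UDP len=44 seen in the first capture, and parsing scapy's own sr() payload (Raw(DNS(...)).load) through parse_query gives the Z: 0x8000 / DO bit the server-side capture shows.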
