lost and found ( for me ? )


BIND 9.10 dig tool support EDNS client subnet

The release notes for BIND 9.10 state that the dig tool shipped with BIND 9.10 supports EDNS client subnet.
Before BIND 9.10, a patch had to be applied to use EDNS client subnet with dig.

README
  - "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.

Build BIND 9.10 on Ubuntu 14.04.
# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 14.04 LTS"

# apt-get install build-essential libssl-dev
# tar xzvf bind-9.10.0-P1.tar.gz
# cd bind-9.10.0-P1
# ./configure
# make
# make install

# /usr/local/bin/dig -v
DiG 9.10.0-P1

# /usr/local/bin/dig -h | grep subnet
                +subnet=addr        (Set edns-client-subnet option)

Google Public DNS supports EDNS client subnet, so send the DNS queries to Google Public DNS.
You can send EDNS client subnet queries with the +subnet option.
# /usr/local/bin/dig @8.8.8.8 +subnet=1.0.16.0 www.google.com +short
173.194.38.18
173.194.38.16
173.194.38.19
173.194.38.20
173.194.38.17


# /usr/local/bin/dig @8.8.8.8 +subnet=3.0.0.0 www.google.com +short
74.125.226.210
74.125.226.211
74.125.226.208
74.125.226.212
74.125.226.209

How to send EDNS client subnet queries with dig, nmap

reference
http://tools.ietf.org/search/draft-vandergaast-edns-client-subnet-02

# tail -1 /etc/lsb-release ;uname -ri
DISTRIB_DESCRIPTION="Ubuntu 13.04"
3.8.0-35-generic x86_64

[ dig client subnet ]

To use client subnet with dig, you need to apply a patch to the dig sources.

Download the patch file from http://wilmer.gaa.st/edns-client-subnet/.
# wget wilmer.gaa.st/edns-client-subnet/bind-9.9.3-dig-edns-client-subnet-iana.diff

Download bind-9.9.3-P2, apply the patch and compile.
# tar xzvf bind-9.9.3.tar.gz

# cp bind-9.9.3-dig-edns-client-subnet-iana.diff bind-9.9.3

# cd bind-9.9.3/

# patch -p0 < bind-9.9.3-dig-edns-client-subnet-iana.diff
patching file bin/dig/dig.c
patching file bin/dig/dighost.c
patching file bin/dig/include/dig/dig.h
patching file lib/dns/include/dns/message.h
patching file lib/dns/message.c

# ./configure
# make
# make install

Google Public DNS supports client subnet.
So let's check the client subnet behavior by sending a query to Google Public DNS.

# /usr/local/bin/dig @8.8.8.8 www.google.com +client=59.155.255.200 +short
74.125.128.105
74.125.128.99
74.125.128.103
74.125.128.106
74.125.128.104
74.125.128.147

# /usr/local/bin/dig @8.8.8.8 www.google.com +client=70.155.255.200 +short
173.194.37.19
173.194.37.17
173.194.37.18
173.194.37.20
173.194.37.16
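What `dig +subnet` (and the older `+client` patch) actually puts on the wire, as an added Python example that is not part of these posts, of BIND or of the patch: it builds an A query carrying the EDNS Client Subnet option in the layout of the referenced draft (later standardised as RFC 7871), parses the echoed option and the A answers out of a reply, and includes a small UDP sender for trying it against 8.8.8.8. The option code 8 is the IANA-assigned one (the "-iana" patch name refers to it; the draft originally used an experimental code). The sample reply, the transaction id and the /24 prefix length are constructed for the example.

```python
"""Build a DNS query with an EDNS Client Subnet (ECS) option and decode ECS from a reply.
Added example, not BIND/dig code.  ECS option payload layout (draft-vandergaast / RFC 7871):
FAMILY(2) | SOURCE PREFIX-LENGTH(1) | SCOPE PREFIX-LENGTH(1) | ADDRESS (truncated to the prefix)."""
import ipaddress
import socket
import struct

ECS_OPTION_CODE = 8          # IANA-assigned edns-client-subnet option code
TYPE_A, TYPE_OPT = 1, 41


def encode_name(name):
    """Encode a hostname as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_ecs_option(subnet, scope=0):
    """ECS payload for an IPv4 or IPv6 prefix such as '1.0.16.0/24'."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    # Only the octets covering SOURCE PREFIX-LENGTH are sent; trailing bits are zero.
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    return struct.pack("!HBB", family, net.prefixlen, scope) + addr


def build_opt_rr(options):
    """OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata


def build_query(qname, subnet, txid=0x1234):
    """Wire equivalent of 'dig +subnet=<subnet> <qname> A' (constructed txid)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + build_opt_rr([(ECS_OPTION_CODE, build_ecs_option(subnet))])


def parse_ecs_option(data):
    """Decode FAMILY/SOURCE/SCOPE/ADDRESS; the truncated address is zero-padded back."""
    family, source, scope = struct.unpack("!HBB", data[:4])
    width = 4 if family == 1 else 16
    address = ipaddress.ip_address(data[4:].ljust(width, b"\x00"))
    return {"family": family, "source": source, "scope": scope, "address": str(address)}


def parse_response(msg):
    """Return rcode, A-record answers and the ECS option (if present) from a raw DNS message."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QNAME, QTYPE, QCLASS
    answers, ecs = [], None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append(str(ipaddress.ip_address(rdata)))
        elif rtype == TYPE_OPT:                 # walk the EDNS options inside the OPT rdata
            pos = 0
            while pos + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
                if code == ECS_OPTION_CODE:
                    ecs = parse_ecs_option(rdata[pos + 4:pos + 4 + olen])
                pos += 4 + olen
    return {"rcode": flags & 0xF, "answers": answers, "ecs": ecs}


def sample_response():
    """Constructed reply (not captured from 8.8.8.8): one A answer, ECS echoed with scope /24."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)    # QR=1, RD=1, RA=1
    question = encode_name("www.google.com") + struct.pack("!HH", TYPE_A, 1)
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
              + ipaddress.ip_address("173.194.38.18").packed)
    opt = build_opt_rr([(ECS_OPTION_CODE, build_ecs_option("1.0.16.0/24", scope=24))])
    return header + question + answer + opt


def query_ecs(qname, subnet, server="8.8.8.8", timeout=3.0):
    """Send the query over UDP and parse the reply (needs network; not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, subnet), (server, 53))
        return parse_response(s.recv(4096))
```

The SCOPE PREFIX-LENGTH in the reply is the useful part for a defender: it tells you how much of the client prefix the resolver actually used for the answer, which is what dig +subnet does not show with +short and what the nmap script below compares across subnets.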

[ nmap ]

# cd nmap
# ./configure
# make
# make install


# /usr/local/bin/nmap -version

Nmap version 6.41SVN ( http://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.2.3 openssl-1.0.1c nmap-libpcre-7.6 libpcap-1.3.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

# ls scripts/dns-*
scripts/dns-blacklist.nse           scripts/dns-nsid.nse
scripts/dns-brute.nse               scripts/dns-random-srcport.nse
scripts/dns-cache-snoop.nse         scripts/dns-random-txid.nse
scripts/dns-check-zone.nse          scripts/dns-recursion.nse
scripts/dns-client-subnet-scan.nse  scripts/dns-service-discovery.nse
scripts/dns-fuzz.nse                scripts/dns-srv-enum.nse
scripts/dns-ip6-arpa-scan.nse       scripts/dns-update.nse
scripts/dns-nsec-enum.nse           scripts/dns-zeustracker.nse
scripts/dns-nsec3-enum.nse          scripts/dns-zone-transfer.nse

Usage of this script (from the script's NSE documentation):
---
-- @usage
--   nmap -sU -p 53 --script dns-client-subnet-scan  --script-args \
--     dns-client-subnet-scan.domain=www.example.com, \
--     dns-client-subnet-scan.address=192.168.0.1 \
--     [,dns-client-subnet.nameserver=8.8.8.8] \
--     [,dns-client-subnet.mask=24] <target>
--   nmap --script dns-client-subnet-scan --script-args \
--     dns-client-subnet-scan.domain=www.example.com, \
--     dns-client-subnet-scan.address=192.168.0.1 \
--     dns-client-subnet.nameserver=8.8.8.8, \
--     [,dns-client-subnet.mask=24]
--


From Japan
# /usr/local/bin/nmap -sU -p 53 --script dns-client-subnet-scan --script-args dns-client-subnet-scan.domain=www.google.com,dns-client-subnet-scan.address=103.240.252.0,dns-client-subnet.nameserver=8.8.8.8 8.8.8.8

Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.038s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain
| dns-client-subnet-scan:
| www.google.com
|   74.125.235.208
|   74.125.235.209
|   74.125.235.210
|   74.125.235.211
|_  74.125.235.212

Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds

From the Republic of Ghana
# /usr/local/bin/nmap -sU -p 53 --script dns-client-subnet-scan --script-args dns-client-subnet-scan.domain=www.google.com,dns-client-subnet-scan.address=41.242.112.0,dns-client-subnet.nameserver=8.8.8.8 8.8.8.8

Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.043s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain
| dns-client-subnet-scan:
| www.google.com
|   173.194.41.208
|   173.194.41.209
|   173.194.41.210
|   173.194.41.211
|_  173.194.41.212

Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds

Fedora 20: gather information about a domain with dnsenum

dnsenum is a tool that collects DNS information about a domain, such as A records, NS records and whois data.

On Fedora 20, you can install dnsenum via yum.
# cat /etc/fedora-release ;uname -ri
Fedora release 20 (Heisenbug)
3.12.7-300.fc20.x86_64 x86_64

install
# yum install -y dnsenum.noarch

To check the usage, type "dnsenum --help".
# dnsenum --help
dnsenum.pl VERSION:1.2
Usage: dnsenum.pl [Options] <domain>
[Options]:
Note: the brute force -f switch must be specified to be able to continue
the process execution.
GENERAL OPTIONS:
 --dnsserver   <server>
                       Use this DNS server for A, NS and MX queries.
 --enum                Shortcut option equivalent to --threads 5 -s 20 -w.
 -h, --help            Print this help message.
 --noreverse           Skip the reverse lookup operations.

Here are sample usages.

dnsenum needs the Net::Whois::IP module to get whois information; without it, whois queries are skipped with a warning.
# dnsenum -r -d 3 -w -r --dnsserver 192.168.0.100 isc.org
dnsenum.pl VERSION:1.2
Warning: can't load Net::Whois::IP module, whois queries desabled.

-----   isc.org   -----

-----------------
Host's addresses:
-----------------
isc.org.       49      IN      A       149.20.64.69

-------------
Name servers:
-------------
 ns.isc.afilias-nst.info.      86151   IN      A       199.254.63.254
 sfba.sns-pb.isc.org.  6951    IN      A       149.20.64.3
 ord.sns-pb.isc.org.   6951    IN      A       199.6.0.30
 ams.sns-pb.isc.org.   6951    IN      A       199.6.1.30

-----------
MX record:
-----------
 mx.pao1.isc.org.      3352    IN      A       149.20.64.53
 mx.ams1.isc.org.      3352    IN      A       199.6.1.65

---------------------
Trying Zonetransfers:
---------------------

trying zonetransfer for isc.org on ns.isc.afilias-nst.info ...

trying zonetransfer for isc.org on sfba.sns-pb.isc.org ...

trying zonetransfer for isc.org on ord.sns-pb.isc.org ...

trying zonetransfer for isc.org on ams.sns-pb.isc.org ...

brute force file not specified, bay.

Install Net::Whois::IP via yum.
# yum install -y perl-Net-Whois-IP

Try again.
# dnsenum -r -d 3 -w -r --dnsserver 192.168.0.100 isc.org -v
dnsenum.pl VERSION:1.2

-----   isc.org   -----

-----------------
Host's addresses:
-----------------
isc.org.       21      IN      A       149.20.64.69

-------------
Name servers:
-------------
 sfba.sns-pb.isc.org.  6770    IN      A       149.20.64.3
 ams.sns-pb.isc.org.   6770    IN      A       199.6.1.30
 ns.isc.afilias-nst.info.      85970   IN      A       199.254.63.254
 ord.sns-pb.isc.org.   6770    IN      A       199.6.0.30

-----------
MX record:
-----------
 mx.pao1.isc.org.      3171    IN      A       149.20.64.53
 mx.ams1.isc.org.      3171    IN      A       199.6.1.65

---------------------
Trying Zonetransfers:
---------------------

trying zonetransfer for isc.org on sfba.sns-pb.isc.org ...
 AXFR record query failed: Response code from server: REFUSED

trying zonetransfer for isc.org on ams.sns-pb.isc.org ...
 AXFR record query failed: Response code from server: REFUSED

trying zonetransfer for isc.org on ns.isc.afilias-nst.info ...
 AXFR record query failed: Response code from server: REFUSED

trying zonetransfer for isc.org on ord.sns-pb.isc.org ...
 AXFR record query failed: Response code from server: REFUSED

----------------
Wildcards test:
----------------
good

brute force file not specified, bay.
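The "Trying Zonetransfers" step above sends an AXFR request to each authoritative server and reports the REFUSED rcode; the same check is useful as a routine audit of your own name servers. The following is an added Python example, not dnsenum's code: it builds the AXFR question, sends it over TCP with the two-byte length prefix, and classifies the reply from its header alone (no record parsing needed). The transaction id and the sample REFUSED reply are constructed for the example.

```python
"""Check whether a name server refuses AXFR for a zone (the dnsenum 'Trying Zonetransfers'
test).  Added example, not dnsenum's code.  REFUSED (rcode 5) is the expected answer from a
correctly configured authoritative server; NOERROR with records means the zone is exposed."""
import socket
import struct

TYPE_AXFR, CLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
TXID = 0x4242   # constructed transaction id


def build_axfr_query(zone, txid=TXID):
    """AXFR question for <zone>; RD is left clear because AXFR targets authoritative servers."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def classify_reply(reply, txid=TXID):
    """Return (rcode name, records_returned) from the 12-byte header of a reply."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0xF
    return RCODES.get(rcode, "RCODE%d" % rcode), an > 0


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (or fewer if the peer closes)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def check_axfr(server, zone, timeout=5.0):
    """Send the AXFR over TCP and classify the first reply message. Needs network access."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)      # DNS-over-TCP length prefix
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        reply = _recv_exact(s, length)
    return classify_reply(reply)


# Constructed reply (not captured): QR=1, AA=1, RCODE=5 (REFUSED), question echoed, no records.
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8405, 1, 0, 0, 0) + build_axfr_query("isc.org")[12:]
```

Running `check_axfr("ns.example.net", "example.net")` against each NS of a zone you operate should return `("REFUSED", False)` for every server that is not an explicitly allowed secondary; anything that returns `("NOERROR", True)` is handing out the whole zone to anyone who asks.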