DNS: Avoid spoofed Microsoft DNS Server, add Debian Buster #277

Merged (1 commit, Jul 15, 2020)

Conversation

@tsellers-r7 (Contributor) commented Jul 15, 2020

Description

This PR handles a spoofed DNS version.bind response as well as adding coverage for Debian Buster.

The PR adds a fingerprint to assert nothing for a particular DNS version.bind response that claims to be Microsoft DNS server but isn't. The comment should explain the details. I tested using a quirk in how Microsoft handles version.bind queries. They respond to lowercase version.bind queries but not uppercase queries. Pretty much everyone else handles the query in a case insensitive way. I sampled the servers reporting Microsoft DNS 6.0.6100 (2AEF76E) and was unable to find one that was actually a Microsoft DNS server.

Actual Microsoft DNS server response:

$ dig chaos txt VERSION.BIND  @96.94.199.217

; <<>> DiG 9.10.6 <<>> chaos txt VERSION.BIND @96.94.199.217
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 34973
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;VERSION.BIND.			CH	TXT

;; Query time: 46 msec
;; SERVER: 96.94.199.217#53(96.94.199.217)
;; WHEN: Wed Jul 15 07:48:32 CDT 2020
;; MSG SIZE  rcvd: 41

Spoofed response

$ dig chaos txt VERSION.BIND  @72.232.237.212

; <<>> DiG 9.10.6 <<>> chaos txt VERSION.BIND @72.232.237.212
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43076
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;VERSION.BIND.			CH	TXT

;; ANSWER SECTION:
VERSION.BIND.		0	CH	TXT	"Microsoft DNS 6.0.6100 (2AEF76E)"

;; AUTHORITY SECTION:
VERSION.BIND.		0	CH	NS	VERSION.BIND.

;; Query time: 46 msec
;; SERVER: 72.232.237.212#53(72.232.237.212)
;; WHEN: Wed Jul 15 07:07:19 CDT 2020
;; MSG SIZE  rcvd: 100


Here's an article where that version string shows up: https://raymii.org/s/tutorials/Get_DNS_server_version_and_hide_it_in_BIND.html

Motivation and Context

Improved accuracy and coverage.

How Has This Been Tested?

rspec, local tests.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have updated the documentation accordingly (or changes are not required).
  • I have added tests to cover my changes (or new tests are not required).
  • All new and existing tests passed.
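The case-sensitivity check the PR description relies on, as an added example that is not part of this PR or the project it targets: it builds the CH TXT query for an uppercase VERSION.BIND name and applies the heuristic to constructed reply bytes modelled on the two dig outputs above (a NOERROR answer carrying the "Microsoft DNS" banner versus the NOTIMP reply a real Microsoft server returned), entirely offline. The "Microsoft DNS" substring test, the `build_reply` sample constructor and the result labels are assumptions of this example, not anything from the project.

```python
import struct
QTYPE_TXT, QCLASS_CH, RCODE_NOERROR, RCODE_NOTIMP = 16, 3, 0, 4

def encode_name(name):
    # Labels are sent byte-for-byte, so VERSION.BIND and version.bind differ on the wire.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name="VERSION.BIND", qid=0x1234):
    """CH TXT query for `name`; flags 0 means recursion is not requested."""
    return struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)

def build_reply(query, rcode, txt=None):
    """Constructed sample reply (QR set, question echoed, optional CH TXT answer); not captured bytes."""
    answer = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode()
        answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], 0x8000 | rcode, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk labels until root label or compression pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_reply(msg):
    """Return (rcode, [TXT strings]); only CH TXT answers are collected."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, txts = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == QTYPE_TXT and rclass == QCLASS_CH and i < len(rdata):
            txts.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
            i += 1 + rdata[i]
    return flags & 0x0F, txts

def classify_uppercase_reply(msg):
    """The PR's heuristic: a real Microsoft DNS server answers an uppercase VERSION.BIND query with NOTIMP."""
    rcode, txts = parse_reply(msg)
    if rcode == RCODE_NOERROR and any("Microsoft DNS" in t for t in txts):
        return "claims-microsoft-but-answers-uppercase"
    return "notimp-no-banner" if rcode == RCODE_NOTIMP and not txts else "other"
```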

@tsellers-r7 tsellers-r7 requested review from gwiseman-r7, rkirk-r7, bcook-r7 and a user July 15, 2020 12:54
@tsellers-r7 tsellers-r7 merged commit cbece25 into rapid7:master Jul 15, 2020
@tsellers-r7 tsellers-r7 deleted the dns_avoid_fake_microsoft branch July 15, 2020 14:30