Zodiac - DNS protocol monitoring and spoofing program



Authors: scut / teso
smiler / teso


Version: 0.4.9

Description: Zodiac is a DNS protocol analysis and exploitation program. It is a robust tool for exploring the DNS protocol. Internally it contains advanced routines for DNS packet construction and disassembly, and it is the optimal tool if you just want to try something out without the hassle of rewriting DNS packet routines or packet filtering.


Features:

Completed sniffing on all kinds of configured devices (Ethernet, PPP, ...)
Completed capturing and decoding nearly all types of DNS packets, including packet decompression
Completed ncurses driven text based frontend with interactive commandline and multiple windows
Completed threaded design allows more flexibility when adding your own features
Completed clean code, commented and tested just fine, ready for you to extend :-)
Completed internal DNS packet filtering allows installation of pseudo DNS filters you can "select()" on
Completed a large set of DNS packet construction primitives
Completed DNS name server versioning using BIND version requests
Completed DNS local spoofing, answering DNS queries on your LAN before the remote NS
Completed DNS jizz spoofing, exploiting a weakness within old BIND versions
Completed DNS ID spoofing, exploiting a weakness within the DNS protocol itself
Missing DNS DoS attacks, probably won't be done by us cause it's just too lame
Missing DNS amplification attacks, such as query-multiply or answer-size attacks
Missing DNS traceroute, chained DNS route discovery (see TESO advisory #003)
Missing DNS exploitation of buffer overflows in some BIND versions (see t666.c/nxt.tgz)
Missing DNS compression attacks against numerous sniffing programs (tcpdump, ethereal, see zlip.c)
Missing DNS SOA record decoding, I'm too lazy
Missing DNS mass functions, such as mass resolve (any query type), mass versioning, etc.
Missing DNS "collect servers" function, where zodiac tries passively and actively to obtain as many nameserver IP addresses as possible just from watching and reacting to local DNS traffic
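
The feature list mentions both packet decompression and compression attacks against sniffing programs. As an added example (not code from Zodiac or its authors), here is a bounds-checked DNS name decompressor of the kind a capture tool needs in order to survive malformed compression pointers. The function name dns_name_decode, the backward-only pointer policy and the sample packet are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Decode the DNS name at msg[off] into out as dotted text. Returns the bytes
 * the name occupies at off (so parsing can continue), or -1 if malformed. */
int dns_name_decode(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, o = 0;
    int consumed = -1;                 /* fixed once the first pointer is taken */
    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                 /* ran off the packet */
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= len) return -1;         /* second pointer byte missing */
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            /* policy chosen here: pointers may only go backward, which
             * rejects self-references and forward references outright */
            if (target >= pos) return -1;
            pos = target;
        } else if (c & 0xC0) {
            return -1;                             /* reserved label types */
        } else if (c == 0) {                       /* root label ends the name */
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            out[o] = '\0';
            return consumed;
        } else {                                   /* plain label, 1..63 bytes */
            /* the 255 cap also ends label-plus-pointer cycles, because
             * every trip around such a cycle grows the decoded name */
            if (pos + 1 + c > len || o + c + 2 > outlen || o + c + 2 > 255)
                return -1;
            if (o) out[o++] = '.';
            memcpy(out + o, msg + pos + 1, c);
            o += c;
            pos += 1 + (size_t)c;
        }
    }
}

/* Constructed sample: 12-byte header, "teso.net" at offset 12, then
 * "www" + pointer to offset 12, then a pointer that points at itself. */
static const uint8_t sample[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    4,'t','e','s','o',3,'n','e','t',0,      /* offsets 12..21 */
    3,'w','w','w',0xC0,12,                  /* offsets 22..27 */
    0xC0,28                                 /* offsets 28..29 */
};
```

Decoding at offset 22 of the sample yields "www.teso.net" and a consumed length of 6; decoding at offset 28 is rejected.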


If you would like to help get the Missing or Incomplete features into zodiac, you can mail us with any zodiac-internal question you might have; we are happy to help you out with any DNS/Zodiac question. The code is pretty easy to understand. If you code your own extensions, please try to maintain the current readable style and comment your changes/code. Thanks! :-)

Zodiac has been developed and tested on the Linux 2.2.x platform. It should work on all platforms that have POSIX Threads, the terminal library ncurses and the libpcap packet capture library installed. To run zodiac you need root access for obvious reasons. If you get zodiac compiled and working on a platform other than Linux 2.2.x, please let us know and we'll mention it here.

Download: zodiac-0.4.9.tar.gz