DoNotSend - hacking the DNS protocol

Works on Windows and Linux

The DNS protocol is conventionally used to ask for the IP address of a given website. Here it's used to send messages and retrieve other messages, instead of asking for a website IP address and retrieving its IP address.

Disclaimer

This tool can be used to send messages by exploiting a flaw in the DNS protocol, but it could be used (as someone pointed out in the reddit thread) to exfiltrate data from a network. I'm not responsible for any misuse of the project. Also note that it's most likely that your ISP is logging your DNS queries, thus it's not a 100% anonymous.

Setup

• Python >= 3.7
• Scapy >= 2.4
  • if it isn't installed alongside scapy:
    • libpcap
• venv
  • Sometimes the wheel module is needed as well

apt install python3-venv
python3 -m venv venv/
source venv/bin/activate

pip3 install scapy
# if it fails because it couldn't build the wheel:
pip3 uninstall scapy && pip3 install wheel && pip3 install scapy

cd src
# nota: run as admin because it's binding on + sniffing port 53:
python3 server.py "interface" "host name"
# or you can start it with a configuration file:
python3 server.py config.ini
# if it complains about libpcap not installed, then:
apt install libpcap0.8-dev

client

We can include arbitrary data in the hostname which the server then can interpret and execute/relay. Thus we put our data in the qname section of the query, encoded using base32, without the padding (we can easily recalculate it).

The queries sent are TXT DNS queries, otherwise (because we answer with TXT DNS replies) the replies will get lost/deleted when transmitted by peers (yes you read correctly, Google can ask the DNS if it knows crafted-domain.my_dns.domain.example.com).

python3 client.py [my_dns.domain.example.com] "message here"

If no message is given, hello world is sent.

You can also use the client.sh version, relying only on dig, base32 and base64, instead of using scapy.

server

It receives queries and read the wanted "fake" hostname, decode the data put in the hostname as base32.

Then it replies through a DNS TXT reply, where the data is encoded as base64 without padding.

Running the server

cd src
# needs to run as root because it is binding port 53
python3 server.py [interface, for example eth0 on linux] [my_dns.domain.example.com]

Having other big DNS relay your queries and answers

In a few steps I was able to configure my NS provider to set myself up as my own DNS, to get to reply to the weird domains I need to communicate.

For this examples, let's say my server is named example.com.

1. I added a A entry for dns.example.com, pointing to my server ip here
2. In the DNS servers configuration, I already had ns1.provider.com, I added myself as a DNS server: dns.example.com, pointing to my server ip here
3. Then, just wait a bit (can be as long as 48 hours) and you're good to go

Now I just have to tell my client scripts to use the domain dns.example.com to send messages to it and it works like a charm, even when asking Google about it!

Documentation

• DNS packet structure
• Design choices

Code structure