Project

General

Profile

Actions

Anomalie #1264

closed

DNS interne pour l'environnement de test

Added by Quentin CHERGUI about 11 years ago. Updated about 5 years ago.

Status:
Fermé
Priority:
Normale
Category:
Task
Target version:
Start date:
04/30/2013
Due date:
% Done:

100%

Estimated time:
Spent time:
Difficulté:
3 Moyen

Description

Lors de l'écriture des tests dans April-Ci, le problème de la résolutions des noms externes (comme april.org) dans l'environnement de test est apparu (par exemple, les scénarios Cucumber ont besoin d'avoir un FQDN indiqué).

Pour que ces noms externent pointent vers l'environnement de test, il faut un résolveur DNS interne qui fasse correspondre chaque nom externe à son équivalent dans l'environnement de test (en .novalocal).

  • each instance runs a spoof_dns instance that overrides some DNS entries
    fqdn2fqdn = {
        'foo.com': 'foo.me',
        'bar.com': 'bar.me',
    }
    
  • the spoof_dns forwards the novalocal zone to the OpenStack provided resolver found in the resolv.conf of the instance at boot time
  • the dhclient is configured to prepend unbound to /etc/resolv.conf so that it is always used as a resolveer
    /etc/dhcp/dhclient.conf:prepend domain-name-servers 127.0.0.1;
    
  • a script parses the manifest files and creates fqdn2fqdn entries to *.novalocal for each node name, using the spoof_dns syntax
  • when in a test environment (determined by the is_april_ci varilable found in the params file used to store password ) the april_ci_dns class is activated to run spoof_dns on the instance
Actions #1

Updated by Loïc Dachary about 11 years ago

nsswitch.conf n'est pas utilisable pour ça. L'option db pourrait servir pour les hosts mais c'est pratiquement jamais utilisé donc les chances pour que ça marche sont faibles.

Actions #3

Updated by Loïc Dachary about 11 years ago

# twistd -y dns.py
import socket
from twisted.internet.protocol import Factory, Protocol
from twisted.internet import reactor
from twisted.names import dns
from twisted.names import client, server
public2private = {
    'foo.com': 'foo.me',
    'bar.com': 'bar.me',
}
class DNSServerFactory(server.DNSServerFactory):
    def handleQuery(self, message, protocol, address):
        query = message.queries[0]
        if query.name.name in public2private:
            remapped = query.name.name
            query.name.name = public2private[query.name.name]
        else:
            remapped = False

        return self.resolver.query(query).addCallback(
            self.gotResolverResponse, remapped, protocol, message, address
            ).addErrback(
            self.gotResolverError, remapped, protocol, message, address
            )
    def gotResolverResponse(self, (ans, auth, add), remapped, protocol, message, address):
        if remapped:
            message.queries[0].name.name = remapped
            ans[0].name.name = remapped
        args = (self, (ans, auth, add), protocol, message, address)
        return server.DNSServerFactory.gotResolverResponse(*args)
    def gotResolverError(self, failure, remapped, protocol, message, address):
        if remapped:
            #type(message.queries[0].name.name)
            message.queries[0].name.name = remapped
        args = (self, failure, protocol, message, address)
        return server.DNSServerFactory.gotResolverError(*args)
verbosity = 0
resolver = client.Resolver(servers=[('8.8.8.8', 53)])
factory = DNSServerFactory(clients=[resolver], verbose=verbosity)
protocol = dns.DNSDatagramProtocol(factory)
factory.noisy = protocol.noisy = verbosity
reactor.listenUDP(53, protocol)
reactor.listenTCP(53, factory)
reactor.run()
Actions #4

Updated by Loïc Dachary about 11 years ago

Ettercap is a comprehensive suite for man in the middle attacks est peut être exactement ce dont on a besoin. A tout les point de vues on a les même problèmes, juste pour des objectifs différents. Le seul problème c'est que ça ne permet pas non plus de remapper un FQDN dans un autre FQDN, comme l'explique le fichier de configuration du module dns_spoof

Actions #5

Updated by Loïc Dachary about 11 years ago

@quentin : "#FIXME : il manque un gotResolverError pour éviter les "Question section mismatch" quand le nom n'existe pas." je ne comprend pas comment reproduire ce problem ?

Actions #6

Updated by Quentin CHERGUI about 11 years ago

Pour reproduire le "Question section mismatch" :
1) Ajouter un alias vers un nom n'existant pas (par exemple www.april.org => thisnamedontexist.example.novalocal)
2) Interroger le serveur DNS (avec dig par exemple). La question est interceptée, réécrite, une tentative de résolution se fait, mais elle revient en erreur (logique). La réponse étant une erreur (NXDOMAIN), elle n'est pas interceptée par gotResolverResponse et n'est pas réécrite.
3) Dig reçoit une réponse a une question qu'il n'a pas posé, et il n'aime pas ça. Il retente la requête plusieurs fois (6 chez moi), puis il abandonne. Au final, on doit perdre une 20aine de secondes.

Solution : redéfinir gotResolverError de la même manière que l'on a redéfini gotResolverResponse, pour obtenir un NXDOMAIN avec la question posée initialement.

Actions #8

Updated by Loïc Dachary about 11 years ago

  • Target version changed from Avril 2013 to Mai 2013
Actions #9

Updated by Loïc Dachary about 11 years ago

DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts

 sudo python dnschef.py --fakedomains=foo.com --fakealias=foo.me
          _                _          __  
         | | version 0.2  | |        / _| 
       __| |_ __  ___  ___| |__   ___| |_ 
      / _` | '_ \/ __|/ __| '_ \ / _ \  _|
     | (_| | | | \__ \ (__| | | |  __/ |  
      \__,_|_| |_|___/\___|_| |_|\___|_|  
                   iphelix@thesprawl.org  
[!] You have forgotten to specify which IP to use for fake responses

it's designed to intercept about everything and redirect to another domain.

Actions #10

Updated by Loïc Dachary about 11 years ago

dnsspoof is restricted to IPs and not domain names

Actions #11

Updated by Loïc Dachary about 11 years ago

The

stocks.yahoo.com    CNAME    www.google.com.

example from How to configure your BIND resolvers to lie using Response Policy Zones does exactly what we need. The only file to create is the RPZ zone file, including one line per rewrite, such as:
april.org CNAME april.novalocal
spip.libre-en-fete.org CNAME libre-en-fete.novalocal

It will probably make sense to setup bind as a separate instance because RPZ is only implemented in bind9 >= 9.8.0 and squeeze has a lower version.

Actions #12

Updated by Loïc Dachary about 11 years ago

  • % Done changed from 0 to 70
Actions #13

Updated by Quentin CHERGUI about 11 years ago

DNS RPZ successfully tested on Bind 9.8 on Debian Wheezy.
(Bind 9.8 is backported on Debian Squeeze)

Actions #15

Updated by Loïc Dachary about 11 years ago

les tests de generate_rpz_zone ne fonctionnent pas

+ set -o functrace
+ PS4=' ${FUNCNAME[0]}: $LINENO: '
 : 117: test_nodes2unbound
 test_nodes2unbound: 103: nodes='foo.bar foo.novalocal
tia.bar tia.novalocal tia.april.org'
 test_nodes2unbound: 106: expected='local-data: "foo.bar IN CNAME foo.novalocal" 
local-data: "tia.bar IN CNAME tia.novalocal" 
local-data: "tia.april.org IN CNAME tia.novalocal"'
  test_nodes2unbound: 108: echo 'foo.bar foo.novalocal
tia.bar tia.novalocal tia.april.org'
  test_nodes2unbound: 108: nodes2unbound
  nodes2unbound: 42: read nodes
  nodes2unbound: 44: for node in '$nodes'
  nodes2unbound: 46: echo foo.bar
  nodes2unbound: 46: grep '.novalocal$'
  nodes2unbound: 44: for node in '$nodes'
  nodes2unbound: 46: echo foo.novalocal
  nodes2unbound: 46: grep '.novalocal$'
  nodes2unbound: 48: mainname=foo.novalocal
  nodes2unbound: 51: for node in '$nodes'
  nodes2unbound: 53: '[' foo.bar '!=' foo.novalocal ']'
  nodes2unbound: 59: echo 'foo.bar IN CNAME foo.novalocal.'
  nodes2unbound: 51: for node in '$nodes'
  nodes2unbound: 53: '[' foo.novalocal '!=' foo.novalocal ']'
  nodes2unbound: 42: read nodes
  nodes2unbound: 44: for node in '$nodes'
  nodes2unbound: 46: echo tia.bar
  nodes2unbound: 46: grep '.novalocal$'
  nodes2unbound: 44: for node in '$nodes'
  nodes2unbound: 46: echo tia.novalocal
  nodes2unbound: 46: grep '.novalocal$'
  nodes2unbound: 48: mainname=tia.novalocal
  nodes2unbound: 44: for node in '$nodes'
  nodes2unbound: 46: echo tia.april.org
  nodes2unbound: 46: grep '.novalocal$'
  nodes2unbound: 51: for node in '$nodes'
  nodes2unbound: 53: '[' tia.bar '!=' tia.novalocal ']'
  nodes2unbound: 59: echo 'tia.bar IN CNAME tia.novalocal.'
  nodes2unbound: 51: for node in '$nodes'
  nodes2unbound: 53: '[' tia.novalocal '!=' tia.novalocal ']'
  nodes2unbound: 51: for node in '$nodes'
  nodes2unbound: 53: '[' tia.april.org '!=' tia.novalocal ']'
  nodes2unbound: 59: echo 'tia.april.org IN CNAME tia.novalocal.'
  nodes2unbound: 42: read nodes
 test_nodes2unbound: 108: output='foo.bar IN CNAME foo.novalocal.
tia.bar IN CNAME tia.novalocal.
tia.april.org IN CNAME tia.novalocal.'
 test_nodes2unbound: 109: '[' '!' 'foo.bar IN CNAME foo.novalocal.
tia.bar IN CNAME tia.novalocal.
tia.april.org IN CNAME tia.novalocal.' = 'local-data: "foo.bar IN CNAME foo.novalocal" 
local-data: "tia.bar IN CNAME tia.novalocal" 
local-data: "tia.april.org IN CNAME tia.novalocal"' ']'
 test_nodes2unbound: 111: echo 'Error : foo.bar IN CNAME foo.novalocal.
tia.bar IN CNAME tia.novalocal.
tia.april.org IN CNAME tia.novalocal. instead of local-data: "foo.bar IN CNAME foo.novalocal" 
local-data: "tia.bar IN CNAME tia.novalocal" 
local-data: "tia.april.org IN CNAME tia.novalocal"'
Error : foo.bar IN CNAME foo.novalocal.
tia.bar IN CNAME tia.novalocal.
tia.april.org IN CNAME tia.novalocal. instead of local-data: "foo.bar IN CNAME foo.novalocal" 
local-data: "tia.bar IN CNAME tia.novalocal" 
local-data: "tia.april.org IN CNAME tia.novalocal" 
 test_nodes2unbound: 112: return 2
 : 117: exit 1

Actions #16

Updated by Loïc Dachary about 11 years ago

Je pense qu'il serait plus simple dans change-resolver.sh de se contenter de décommenter / substituer la ligne "prepend domain-name-servers 127.0.0.1;" qui existe déjà dans le fichier par défaut, au lieu d'utiliser un template.

Actions #17

Updated by Loïc Dachary about 11 years ago

Il serait mieux de mettre 512MB de RAM

Actions #18

Updated by Quentin CHERGUI about 11 years ago

  • Target version changed from Mai 2013 to Juin 2013
  • % Done changed from 70 to 90
Reste à faire :
  • changer les tests
  • Corriger setupdns pour qu'il ne démarre la VM que si elle est déjà démarrée
Actions #19

Updated by Quentin CHERGUI about 11 years ago

  • Status changed from En cours de traitement to Résolu
  • % Done changed from 90 to 100

Les tests sont bon, le module est terminé.

Actions #20

Updated by Quentin Gibeaux about 5 years ago

  • Status changed from Résolu to Fermé
Actions

Also available in: Atom PDF