DNS Probing Module

[idealeer]

Help

Type xmap -4 -h -M dnsx -O json to show the help information.

This module sends out DNS queries and parses basic responses.
By default, the module performs an A record lookup for www.qq.com.
You can specify other queries using the --probe-args argument
in the form: label_type:input_src:type,query;type,query, e.g.,
raw:text:A,qq.com;NS,qq.com. The module supports
sending the the following types of queries: A, NS, CNAME, SOA, PTR,
MX, TXT, AAAA, RRSIG, ANY, SIG, SRV, DS, DNSKEY, TLSA, SVCB, HTTPS,
CAA, and HTTPSSVC. The module will accept and attempt
to parse all DNS responses. There is currently support for parsing
out full data from A, NS, CNAME, MX, TXT, and AAAA.
Query format: label_type:recurse:input_src:type,query;type,query
Any other types will be output in raw form.
 label_type: raw, str, time, random, dst-ip
  raw: do nothing to the query domain, e.g., qq.com
  str: add the 'str' subdomain www, e.g., www.qq.com
  time: add the s+μs subdomain, e.g., 1620027515-568043.qq.com
  random: add random subdomain lefzwnrq, e.g., lefzwnrq.qq.com
  dst-ip: add probe num + src ip, e.g., 1.1-2-3-4.qq.com
 recurse: recurse, no-recurse
  recurse: recursive query
  no-recurse: non-recursive query
 input_src: text, file
  text: like A,qq.com;AAAA,qq.com
  file: each line is like a text
 type: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, RRSIG, ANY, SIG,
  SRV, DS, DNSKEY, TLSA, SVCB, HTTPS, CAA, and HTTPSSVC
 query: A,qq.com;AAAA,qq.com
Examples:
 --probe-args="raw/time/random:recurse/no-recurse:text:type,query"
 --probe-args="raw/time/random:recurse/no-recurse:file:file_name"
 --probe-args="str:SomeText:recurse/no-recurse:text:type,query"
 --probe-args="str:SomeText:recurse/no-recurse:file:file_name"
 --probe-args="dst-ip:recurse/no-recurse:text:type,query"
 --probe-args="dst-ip:recurse/no-recurse:file:file_name"

Usage Examples

1. Query qq.com A targeting 8.8.8.8:

xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P 1 --probe-args="raw:recurse:text:A,qq.com" -R 1000 -o result.txt 8.8.8.8

2. Query qq.com A and baidu.com NS targeting 8.8.8.8:

xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P 2 --probe-args="raw:recurse:text:A,qq.com;NS,baidu.com" -R 1000 -o result.txt 8.8.8.8

3. Query each domain from a domain.txt targeting all IPs from a ip.txt:

xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P domain_number --probe-args="raw:recurse:file:domain.txt" -R 1000 -o result.txt -I ip.txt

Note: Each line in domain.txt is in the form like A,qq.com and -P domain_number = the number of domains.

[zhangbufan]

我想用这个工具，做一些DNS系统的漏洞自测，我发现你论文中提供的test.tudoor.net工具已经不能打开了

我该怎么用这个工具来构造包自测？

[idealeer]

tudoor的数据包构造是在权威服务器侧，这个使用python+scapy就可以了。

[nerotix]

@idealeer are these also the commands we can use to identify vulnerable DNS resolvers/auths? if not, can you show some examples of these commands?

[idealeer]

before scanning, what types of vulnerable resolvers do you want to find?

[Yifferpi]

Is there a way to find transparent resolvers using the dns module of xmap? By transparent resolver, I mean a forwarder that returns its upstreams answer to its client without changing the ip source address to its own, i.e. it leaks ingress IP address of its upstream resolver.
As far as I understand, xmap does not associate requests it sends out with the responses it receives due to performance reasons. I also don't think the IP address the request was originally sent to is recorded anywhere in the DNS questions or answers collected by the module.