adminze

Apr 282021
 

It is rather easy to verify if your servers are supporting recursive lookups, which under some circumstances may introduce issues. The easiest and most common way to do so would be nmap (and its dns-recursion script) to be honest:

nmap -sU -p 53 -A pdns.daloo.de

would for example result in the following output during the time of writing (watch out for the dns-recursion result)
Starting Nmap 7.70 ( https://nmap.org ) at 2021-04-28 18:50 CEST
Nmap scan report for pdns.daloo.de (173.212.220.241)
Host is up (0.019s latency).
rDNS record for 173.212.220.241: -

PORT STATE SERVICE VERSION
53/udp open domain dnsmasq 2.79test1-13-g8e8b2d6
| dns-nsid:
| id.server: resolver2
|_ bind.version: dnsmasq-2.79test1-13-g8e8b2d6
|_dns-recursion: Recursion appears to be enabled
Too many fingerprints match this host to give specific OS details

Technically the same can be done using Python Scapy to fork a more specific packet – for example when you want to spoof the source IP to hide your IP or set some other fancy flags (see scapy and DNS). DNS.rd sets (or unsets) the desired recursion. It is enabled by default. It can be disabled to check for cached entries for example (a neat attack during information gathering phase).
from scapy.all import *
import sys

if len(sys.argv) != 1:
  print sys.argv[1]
  # a normal lookup
  #spoofed_pkt = (IP(src="173.194.112.88",dst="8.8.8.8")/UDP(dport=53)/DNS(qd=DNSQR(qname="torproject.org"))
  # a reverse lookup
  spoofed_pkt = (IP(src="173.194.112.88",dst="8.8.8.8")/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname=sys.argv[1]+".in-addr.arpa", qtype='PTR')))
  send(spoofed_pkt)