sudo ncat -i1 -k -c "perl -e 'read(STDIN, \$dns_input, 2); \$dns_id = pack \"a2\", \$dns_input; print \"\$dns_id\x81\x83\x00\x00\x00\x00\x00\x00\x00\x00\";'" -u -vvvvvv -l 127.2.3.4 53
- A DNS request starts with a two-byte transaction ID chosen by the client; the same two bytes have to come back as the first two bytes of the response.
- The DNS header flags for an NXDOMAIN response are 0x81 0x83 (0x81: response bit and recursion-desired set; 0x83: recursion-available set, RCODE 3 = NXDOMAIN).
- The remaining eight bytes of the header can be 0: they are the question, answer, authority and additional record counts, so zeros mean the response carries no other sections.
- The example above uses nmap-ncat, as found in Red Hat-based distributions; it can also be installed on Debian-based distributions (apt-get install ncat).
- -i1 causes a connection to be dropped after 1 second of idle time (optional)
- -k keeps listening after the first connection, so more than one connection is accepted
- -c pipes whatever we get from the other side of the connection into the given command, run through /bin/sh, here a perl process (-e, which runs the command directly, may behave the same in this case)
- -u means UDP (leaving it out should work if you do DNS over TCP)
- -vvvvvv lets us see what's happening (optional)
- -l means that we're listening rather than sending, on 127.2.3.4, port 53
- read(STDIN, $dns_input, 2) # read exactly two bytes (the transaction ID) from STDIN
- $dns_id = pack "a2", $dns_input # the two bytes from $dns_input are put into $dns_id unchanged ("a2" packs a two-byte string as-is)
- print "$dns_id\x81\x83\x00\x00\x00\x00\x00\x00\x00\x00" # sends $dns_id, the NXDOMAIN flags, and the zero counts described above to the other side
- Note: I didn’t really test this beyond the proof-of-concept stage. If anything’s iffy, feel free to let me know.
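The same responder written out in Python, as an added example that is not part of the original post: it rebuilds the 12-byte header exactly as the bullets describe, and also shows a stricter variant that sets QDCOUNT=1 and echoes the question section back, which pickier resolvers expect. The sample query bytes and the bind address/port defaults are constructed here.

```python
import socket
import struct

# Flags of a bare NXDOMAIN reply, as on the page: 0x81 = QR|RD, 0x83 = RA|RCODE 3.
NXDOMAIN_FLAGS = b"\x81\x83"
# Constructed sample query: ID 0x1234, RD set, one question "example.invalid" A IN.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x07invalid\x00\x00\x01\x00\x01")

def minimal_nxdomain(query: bytes) -> bytes:
    # The one-liner's reply: the query's 2-byte transaction ID, the NXDOMAIN
    # flags, then QDCOUNT/ANCOUNT/NSCOUNT/ARCOUNT all zero (12 bytes total).
    if len(query) < 12:
        raise ValueError("DNS query shorter than the 12-byte header")
    return query[:2] + NXDOMAIN_FLAGS + b"\x00" * 8

def question_section(query: bytes) -> bytes:
    # Raw question (QNAME + QTYPE + QCLASS); QNAME is length-prefixed labels ended by 0x00.
    pos = 12
    while True:
        if pos >= len(query):
            raise ValueError("truncated QNAME")
        label_len = query[pos]
        if label_len & 0xC0:  # compression pointers are not valid in a query's QNAME
            raise ValueError("compression pointer in QNAME")
        pos += 1 + label_len
        if label_len == 0:
            break
    if pos + 4 > len(query):
        raise ValueError("truncated QTYPE/QCLASS")
    return query[12:pos + 4]

def nxdomain_with_question(query: bytes) -> bytes:
    # Stricter variant: QDCOUNT=1 and the question echoed back, which picky resolvers expect.
    return query[:2] + NXDOMAIN_FLAGS + struct.pack(">HHHH", 1, 0, 0, 0) + question_section(query)

def serve(bind_addr: str = "127.2.3.4", port: int = 53, echo_question: bool = True) -> None:
    # UDP loop equivalent to the ncat command (port 53 needs root); malformed packets are dropped.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                reply = nxdomain_with_question(data) if echo_question else minimal_nxdomain(data)
            except ValueError:
                continue
            sock.sendto(reply, peer)

if __name__ == "__main__":
    serve()
```

This example is UDP only; DNS over TCP carries a two-byte length field before the header, which would have to be handled before reading the transaction ID.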