Detection via DNS instead of HTTP

Question

Detection via DNS instead of HTTP

konklone opened this issue 7 years ago · 6 comments

Given a hostname to check, it should be possible to check for CNAMEs or A records and compare them to known destinations for the third party.

This should be strictly faster than HTTP (since HTTP requests require DNS resolution anyway), and potentially more reliable over time (as the text signatures are more likely to change than long-term CNAME destinations).

Answer 1 · 2017-11-25T00:50:07.000Z

I should end with a question -- is my assessment accurate? Any interest in taking the tool in this direction?

Answer 2 · 2017-11-27T23:50:11.000Z

Thanks for the suggestion.

Minimizing the amount of HTTP requests would increase performance. I'll take this into consideration for the next update.

Answer 3 · 2017-11-28T05:09:16.000Z

After thinking about it for another minute, I realized that as stated my proposal is wrong, as checking the DNS records alone only tells if the host is pointed at a third party, not whether it's hijackable. But yes, maybe you could use it as a triage step to avoid making a subsequent HTTP request for hosts whose DNS isn't pointed at a known third party.

Answer 4 · 2017-11-28T17:54:05.000Z

Yeah that's what I had in mind after reading your proposal. It could also be the solution I need to get rid of those pesky timeout errors. Will start working on this when I have the time.

Answer 5 · 2017-12-10T19:54:11.000Z

Tested both versions of subjack with a wordlist of 2000 URLs at 100 threads each.

Version 1

real 1m16.987s
user 0m6.880s
sys 0m1.807s

Version 2 update (with Detection via DNS)

real 0m1.277s
user 0m0.403s
sys 0m0.250s

It's a lot faster, thanks.

Answer 6 · 2017-12-11T03:35:17.000Z

Very nice!