problem getting rebinding to work
Closed this issue · 5 comments
Hi,
I've followed all the instructions from the wiki, and I managed to get the server running.
Now, the issue I've been facing is that issuing host to d.mydomain.tk keeps getting me my ip address instead of the expected my ip address and 127.0.0.1, and testing your demo version I see that this (my example):
s-my.ip.add.ress-127.0.0.1-158903359-ma-e.d.mydomain.tk should resolve to both my ip address and 127.0.0.1 in different order with each request as in rebinding in action, but instead
Host s-my.ip.add.ress-127.0.0.1-158903359-ma-e.d.mydomain.tk not found: 2(SERVFAIL)
I am using digitalocean vps so I was wondering if that may be the cause.
My setup is as follows (note that for NS rebinder.mydomain.tk can't be saved with the ending . for some reason, and I have been messing around with TTL values to see if that would help somehow):
A | *.mydomain.tk | directs to 206.189.179.65 | 30 TTL
A | rebinder.mydomain.tk | directs to 206.189.179.65 | 30 TTL
NS | dynamic.mydomain.tk | directs to rebinder.mydomain.tk | 60 TTL
NS | mydomain.tk | directs to ns1.digitalocean.com. | 1800 TTL
NS | mydomain.tk | directs to ns2.digitalocean.com. | 1800 TTL
NS | mydomain.tk | directs to ns3.digitalocean.com. | 1800 TTL
The other issue is that issuing:
host dynamic.mydomain.tk
also fails
but issuing:
host rebinder.mydomain.tk
my.ip.add.ress
And I have tried this as well in order to verify if it's working as it's supposed to (from https://github.com/nccgroup/singularity/wiki/Setup-and-Installation#on-the-dns-registrar-web-management-interface):
This sample setup informs DNS clients, including browsers, that "ip.ad.dr.ss" answers queries for any subdomains under ".dynamic.your.domain.", e.g. "foo.dynamic.your.domain."
but it fails.
I have also had trouble figuring out this (from https://github.com/nccgroup/singularity/wiki/Setup-and-Installation#on-the-dns-registrar-web-management-interface):
A Name: "rebinder", IPv4: "ip.ad.dr.ss". -- ok, this makes sense, it's very straightforward.
NS Name: "dynamic", Hostname: "rebinder.your.domain.". Note that the ending dot "." in the hostname is required. -- this one is confusing when looked at the:
https://cloud.digitalocean.com/networking/domains/mydomain.tk
where there is NS area, but it looks like this:
Field 1 asks for @ (which simply leaves the value mydomain.tk) or to specify hostname (which expects one word and then it saves it as oneword.mydomain.tk) and the second field is Directs to which expects my.ip.add.ress or a complete hostname (ie rebinder.mydomain.tk.) and for some hostnames/ip addresses it saves with . at the end automatically and for others it removes the added dot (.)
So, I've been trying to direct things all over the place to get it working but the most I got was everything resolving to only my.ip.add.ress instead of going between my.ip.add.ress and 127.0.0.1 as it's supposed to.
This is a lot to ask, but I've tried other rebinding frameworks that flat out don't work and they don't require any dns configuration so I have no idea what to do with those or what questions to ask, so I'd appreciate any pointer in the right direction for dns configuring that pertains to dns rebinding, googling anything about dns rebinding tends to show theory or tools without links to tools, or tools don't work but sound great with regards to not requiring any setup other than editing a js or html file.
Thanks for the effort in making this framework and hopefully my question has a simple and quick answer :)
Sincerely,
@musashi42
s-my.ip.add.ress-127.0.0.1-158903359-ma-e.d.mydomain.tk
- Did you replace "my.ip.add.ress" with 206.189.179.65?
- Please change "ma" to "fs" for now
- are you using "d.mydomain.tk" or "dynamic.mydomain.tk"? It seems that you have configured "dynamic.mydomain.tk" but not "d.mydomain.tk" in Digital Ocean DNS settings?
Do you actually own mydomain.tk or is this a sample domain name? Would you mind providing the real domain name so it would be easier to investigate?
host dynamic.mydomain.tk
also fails
I suspect this is the core issue.
I've looked at https://www.digitalocean.com/docs/networking/dns/how-to/manage-records/ . Try the following in your Digital Ocean DNS console:
hostname: "dynamic", will resolve to: "rebinder.mydomain.tk".
(or hostname: "d", will resolve to: "rebinder.mydomain.tk", if you are using "d.mydomain.tk".)
Hi @gdncc ,
Thanks for reaching out. So far I'm only getting rebinder.bugster.tk to resolve.
Here's the screenshot of my dns page to avoid confusion with messy translation into text.
rebinder.bugster.tk resolves to (when issuing host on linux):
rebinder.bugster.tk is an alias for bugster.tk.
bugster.tk has address 206.189.179.65
and dynamic.bugster.tk:
Host dynamic.bugster.tk not found: 2(SERVFAIL)
Hope the screenshot better illustrates where I'm at.
I tried creating A record with dynamic to direct to rebinder.bugster.tk but I got Not Found, it only allowed for ip address.
Thank you again for looking into this.
Sincerely,
@musashi42
As far as I can tell, your Digital Ocean DNS setup is correct.
- The following DNS query tried to reach your Singularity server but it is probably not running or UDP port 53 is firewalled?
- Maybe it took a while for your Digital Ocean setup to become active?
- Is your Linux host running systemd-resolved? If yes:
  - check https://github.com/nccgroup/singularity/wiki/Setup-and-Installation#run to disable
  - or run Singularity with -DNSServerBindAddr 206.189.179.65 so it does not conflict with any local DNS server on your Linux host.
; <<>> DiG 9.10.6 <<>> +trace s-206.189.179.65-127.0.0.1-1-fs-e.dynamic.bugster.tk
;; global options: +cmd
. 12481 IN NS a.root-servers.net.
. 12481 IN NS b.root-servers.net.
. 12481 IN NS c.root-servers.net.
. 12481 IN NS d.root-servers.net.
. 12481 IN NS e.root-servers.net.
. 12481 IN NS f.root-servers.net.
. 12481 IN NS g.root-servers.net.
. 12481 IN NS h.root-servers.net.
. 12481 IN NS i.root-servers.net.
. 12481 IN NS j.root-servers.net.
. 12481 IN NS k.root-servers.net.
. 12481 IN NS l.root-servers.net.
. 12481 IN NS m.root-servers.net.
. 12481 IN RRSIG NS 8 0 518400 20200214020000 20200201010000 33853 . Ag0+3AtFA5c5F44XqRyPRbRylbmJOpmODAQPNX7haqG4ZX7u356ouGLn SQOyi+n5VlkzIis69aJFRM/mvYiZMkZ1hPqUOaemwpyFRpwS6up1K75m 2yUlwmRfHglAImPvpLi7gYiR5gq8cxVAD0x6l16YCbkY9rpTcEMV84dm fXnLKz/V8yDOi1R1b5963Vrz4ulI3VOBoa8gJ82ggGh4jLcyaaHX5gB2 i1KR1b3WJwtPdlOlV5MAnyxOZjm6OBnH96mG1cL7KBRNRddttM+icZbz P0ILRG7o91xe9x8E3qIAJ9aabxH9CFPxhmTbcWz8TjtGZIgxipYY4G7A vtuWFg==
;; Received 525 bytes from 192.168.x.x#53(192.168.x.x) in 40 ms
tk. 172800 IN NS a.ns.tk.
tk. 172800 IN NS b.ns.tk.
tk. 172800 IN NS c.ns.tk.
tk. 172800 IN NS d.ns.tk.
tk. 86400 IN NSEC tkmaxx. NS RRSIG NSEC
tk. 86400 IN RRSIG NSEC 8 1 86400 20200214170000 20200201160000 33853 . 4fHYX7xCmHx74gCIwwkHx9NBk5Y88RKJGpJNdCOmcONPR2HwWtGNABs9 juzPqDMxPVKuJo8BQey2d7b1qYtQCPyI7AUQdo0X4bZA2gtA6QFSCpJ7 +JvObIdFXimwVv/5UflRKHmrGXYN5jJGcHdqre6333NOZhPdW/sIkL99 3sfrihV07XWiDchQRPngN3cH8dKoYJfxhiwf/WBcUCCwP0oj2br1Kx/c fLINVKq5/g6ONbetSqKFOM++uSCLqtr/u7lAXJXda1Se2ppCAoniKceD +jjvVLE6OL2PIe0z5rplelbAni1OPOBhs6HIyGQ9460a2vGybMNqmafX vfpz/A==
;; Received 637 bytes from 192.203.230.10#53(e.root-servers.net) in 14 ms
bugster.tk. 300 IN NS ns1.digitalocean.com.
bugster.tk. 300 IN NS ns2.digitalocean.com.
;; Received 131 bytes from 194.0.38.1#53(a.ns.tk) in 183 ms
dynamic.bugster.tk. 86400 IN NS rebinder.bugster.tk.
;; Received 118 bytes from 173.245.59.41#53(ns2.digitalocean.com) in 27 ms
;; connection timed out; no servers could be reached
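Added example (not part of the thread and not Singularity code): a small Python parser for `dig +trace` output that reports where a delegation chain stops answering. The sample input is constructed from the trace posted above, with the root NS list and the RRSIG/NSEC records trimmed; the function names are hypothetical.

```python
import re

# Constructed sample: the thread's +trace output, trimmed.
SAMPLE_TRACE = """\
; <<>> DiG 9.10.6 <<>> +trace s-206.189.179.65-127.0.0.1-1-fs-e.dynamic.bugster.tk
. 12481 IN NS a.root-servers.net.
;; Received 525 bytes from 192.168.x.x#53(192.168.x.x) in 40 ms
tk. 172800 IN NS a.ns.tk.
tk. 172800 IN NS b.ns.tk.
;; Received 637 bytes from 192.203.230.10#53(e.root-servers.net) in 14 ms
bugster.tk. 300 IN NS ns1.digitalocean.com.
bugster.tk. 300 IN NS ns2.digitalocean.com.
;; Received 131 bytes from 194.0.38.1#53(a.ns.tk) in 183 ms
dynamic.bugster.tk. 86400 IN NS rebinder.bugster.tk.
;; Received 118 bytes from 173.245.59.41#53(ns2.digitalocean.com) in 27 ms
;; connection timed out; no servers could be reached
"""

# Matches plain NS records only; RRSIG and NSEC lines do not match.
NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")
RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+)\)")

def parse_trace(text):
    """Return (hops, timed_out). Each hop is one referral: the server that
    answered, the zone it referred to, and the nameservers it named."""
    hops, pending, timed_out = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        ns = NS_RE.match(line)
        rx = RECEIVED_RE.match(line)
        if ns:
            pending.append(ns.groups())
        elif rx:
            # dig prints the records first, then the server they came from.
            hops.append({"answered_by": rx.group(2), "ip": rx.group(1),
                         "zone": pending[0][0] if pending else None,
                         "nameservers": [name for _, name in pending]})
            pending = []
        elif "connection timed out" in line:
            timed_out = True
    return hops, timed_out

def diagnose(text):
    hops, timed_out = parse_trace(text)
    if not hops:
        return "no referrals parsed"
    last = hops[-1]
    if timed_out:
        return "%s was delegated by %s, but no answer came from %s" % (
            last["zone"], last["answered_by"], ", ".join(last["nameservers"]))
    return "trace completed; last answer from %s" % last["answered_by"]
```

On the sample, `diagnose(SAMPLE_TRACE)` points at the last hop: the parent zone hands out the NS record for the delegated subdomain, and the timeout happens when that nameserver is queried.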
Thanks for all the help. I'll leave it be for a little while, to clear my head and then I'll see to learn more about dns rebinding from the code aspect instead of pure theory and logic of how it works and maybe that'll shed some light on my issues and maybe I'll see how to go around whatever the problem could be. Also, I'm using freenom which has its own nameserver configuration area (nameserver and glue records) and I've tried setting that up according to the instructions but have to wait 24 hours for settings to propagate. Who knows, maybe that'll sort this out.
Anyway, thanks again, and hopefully next reply will be me saying how I finally managed to get it working.
Cheers.
I think you are close to getting it working assuming 206.189.179.65 is the address of Singularity.
dig s-206.189.179.65-127.0.0.1-5-fs-e.dynamic.bugster.tk @206.189.179.65
; <<>> DiG 9.10.6 <<>> s-206.189.179.65-127.0.0.1-5-fs-e.dynamic.bugster.tk @206.189.179.65
;; global options: +cmd
;; connection timed out; no servers could be reached
This query should work if dig or any other DNS client can reach your server and if Singularity is listening. More than likely, port 53 is firewalled or you have another daemon listening on this port. You could try to kill it temporarily and see if it works.
You can also experiment with our public instance hosted on http://rebind.it/manager.html but you won't be able to develop your attacks or try some interesting features.