From 77aec5958fc2cd5a58e3d89d1a7d841ce1138d47 Mon Sep 17 00:00:00 2001
From: Babak Farrokhi
Date: Mon, 14 Nov 2016 15:40:07 +0330
Subject: [PATCH] Improve expert hints (fix #30)

Now we assume a radius for local network (persumably 4 hops). Now if a DNS server appears next to a private or reserved IP address, and it happens within 4 hops, then it is your local network and this is not necessarily a bad thing. But if it happens beyond 4 hops, we assume it is public network, and you are not supposed to see a probe response from a private IP address on internet (fishy).
---
 dnstraceroute.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/dnstraceroute.py b/dnstraceroute.py
index 9e105ef..3a540cf 100755
--- a/dnstraceroute.py
+++ b/dnstraceroute.py
@@ -38,6 +38,7 @@ import time
 import dns.query
 import dns.rdatatype
 import dns.resolver
+
 from cymruwhois import cymruwhois
 
 __author__ = 'Babak Farrokhi (babak@farrokhi.net)'
@@ -147,6 +148,7 @@ def expert_report(trace_path, color_mode):
         print(" [*] empty trace - should not happen")
         return
 
+    private_network_radius = 4  # number of hops we assume we are still inside our local network
     prev_hop = None
     if len(trace_path) > 1:
         prev_hop = trace_path[-2]
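Review bot: `private_network_radius = 4` is a hard-coded heuristic kept as a local inside expert_report, and the commit message itself calls the value presumptive; since this number decides whether the hijacking hints fire at all, it should be tunable rather than fixed. A module-level constant, or a keyword parameter with the same default, keeps existing callers working: `def expert_report(trace_path, color_mode, private_network_radius=4):`. The def line of expert_report is outside this hunk, so that change touches context the hunk does not show. The added comment could also say what is being counted — the later comparisons use `len(trace_path)`, and prev_hop being `trace_path[-2]` suggests the responding server is itself the last element — e.g. `# hops (apparently including the responding server) we assume are still inside our local network`.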
@@ -156,15 +158,15 @@ def expert_report(trace_path, color_mode):
                 " %s[*]%s path too short (possible DNS hijacking, unless it is a local DNS resolver)" % (color.R, color.N))
         return
 
-    if prev_hop == '*':
+    if prev_hop == '*' and len(trace_path) > private_network_radius:
         print(" %s[*]%s public DNS server is next to an invisible hop (probably a firewall)" % (color.R, color.N))
         return
 
-    if prev_hop and ipaddress.ip_address(prev_hop).is_private:
+    if prev_hop and len(trace_path) > private_network_radius and ipaddress.ip_address(prev_hop).is_private:
         print(" %s[*]%s public DNS server is next to a private IP address (possible hijacking)" % (color.R, color.N))
         return
 
-    if prev_hop and ipaddress.ip_address(prev_hop).is_reserved:
+    if prev_hop and len(trace_path) > private_network_radius and ipaddress.ip_address(prev_hop).is_reserved:
         print(" %s[*]%s public DNS server is next to a reserved IP address (possible hijacking)" % (color.R, color.N))
         return
 
@@ -172,7 +174,7 @@ def expert_report(trace_path, color_mode):
     print(" %s[*]%s No expert hint available for this trace" % (color.G, color.N))
 
 
-def ping(resolver, hostname, dnsrecord, ttl, use_edns= False):
+def ping(resolver, hostname, dnsrecord, ttl, use_edns=False):
     global _ttl
 
     reached = False
@@ -182,7 +184,6 @@ def ping(resolver, hostname, dnsrecord, ttl, use_edns= False):
 
     if use_edns:
         resolver.use_edns(edns=0, payload=8192, ednsflags=dns.flags.edns_from_text('DO'))
-
     try:
         resolver.query(hostname, dnsrecord, raise_on_no_answer=False)
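Review bot: The new `len(trace_path) > private_network_radius` guard on the three added `if` lines compares the length of the whole path, whose last element appears to be the responding DNS server itself (prev_hop is `trace_path[-2]` in the previous hunk), so the hop actually under test sits at position len - 1; a private address at the fourth hop is then treated as beyond a radius of 4, which reads as an off-by-one against the comment's "still inside our local network" — either compare `len(trace_path) - 1 > private_network_radius` or document that this boundary is intentional. When the guard is false, all three branches now fall through to the "No expert hint available" line in the following hunk, so a private, reserved or invisible hop right before the resolver inside the radius is reported as nothing at all rather than as a benign local case; an informational `color.G` hint for that case would keep the signal visible to the user. The same expression is evaluated three times; hoisting it once before the first `if`, `beyond_local = len(trace_path) > private_network_radius`, would make the three conditions easier to read. The enclosing expert_report starts outside this hunk.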