The tool for DNS fingerprinting is fpdns, which is Perl based. In recent times development seems to have picked up, but a little competition never hurt anyone, so I wrote fp in Go. Fp is also a fingerprint program for DNS servers. Its aim is to be more readable then fpdns is (was?). And make it more easy to add new server types.

Help needed!

Do you have some old(er) nameserver laying around that can be queried? Does your (sick) mind know of a few extra evil queries that can be sent to nameservers? If so, please contact me: query@evilquery.nl. I want to get to a point where fp sends about 10 queries that can be used to identify a server.

Fingerprint

A fingerprint in fp looks like this:

.,CH,TXT,QUERY,NOERROR,qr,aa,tc,RD,ra,ad,cd,z,1,0,0,0,DO,4097,NSID

It has 20 fields, which are:

1. Domain name, . in this example;
2. Class, CH here;
3. Type, TXT here;
4. Opcode, QUERY;
5. Rcode, NOERROR;
6. Query response, qr, lowercase means false (not set), uppercase means true;
7. Authoritative, aa, lowercase. Thus not set here;
8. Truncated, tc, not set;
9. Recursion Desired, RD, uppercase, thus set;
10. Recursion Available, ra;
11. Authenticated Data, ad;
12. Checking Disabled, cd;
13. Zero, z;
14. Question section length, 1 here;
15. Answer section length, 0;
16. Authoritative section length, 0;
17. Additional section length, 0;
18. DNSSEC OK, DO (uppercase, thus set);
19. UDP bufsize, set to 4097;
20. NSID, uppercase: request NSID (or NSID was set).

These fingerprints are also used in creating the DNS queries that are send to nameserver(s) being tested.

A full nameserver fingerprint consists out of multiple of these fingerprints. Right now fp fires off 3 queries to test a server, so each nameserver fingerprint must also consist out of 3 fingerprints. The nameserver fingerprint of BIND9 looks like:

# BIND9 fingerprints
.,CH,TXT,QUERY,REFUSED,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,1,DO,4096,NSID
auThoRs.bInD.,CH,TXT,QUERY,NOERROR,QR,AA,tc,rd,ra,ad,cd,z,1,15,1,0,do,0,nsid
bind.,NONE,SOA,NOTIFY,REFUSED,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,0,do,0,nsid

When fp is extended with an extra fingerprint, this BIND9 fingerprint also needs to get an extra fingerprint.

Trying it yourself

As said, Currently fp only uses three queries, but this is expected to be increased in the near future. In the data directory, the file q holds the fingerprints of the queries to ask. Currently it looks like this:

# These are the queries that we ask the nameserver being identified
#
# The order is important, as the data files of the known nameservers are compared
# in this order.
.,CH,TXT,QUERY,NOERROR,qr,aa,tc,RD,ra,ad,cd,z,1,0,0,0,DO,4097,NSID
auThoRs.bInD.,CH,TXT,QUERY,NOERROR,qr,aa,tc,rd,ra,ad,cd,z,1,0,0,0,do,0,nsid
bind.,NONE,SOA,NOTIFY,NOERROR,qr,AA,tc,RD,ra,ad,cd,Z,1,0,0,0,do,0,nsid

A local run looks like this (this is abbreviated):

% ./fp @localhost
Server type     Diffs       Fingerprint         Recevied
Bind9   0 .,CH,TXT,QUERY,REFUSED,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,1,DO,4096,NSID .,CH,TXT,QUERY,REFUSED,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,1,DO,4096,NSID
Bind9   0 auThoRs.bInD.,CH,TXT,QUERY,NOERROR,QR,AA,tc,rd,ra,ad,cd,z,1,15,1,0,do,0,nsid auThoRs.bInD.,CH,TXT,QUERY,NOERROR,QR,AA,tc,rd,ra,ad,cd,z,1,15,1,0,do,0,nsid
Bind9   0 bind.,NONE,SOA,NOTIFY,REFUSED,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,0,do,0,nsid bind.,NONE,SOA,NOTIFY,REFUSED,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,0,do,0,nsid
        =
Differences:    0

Nsd3    2 .,CH,TXT,QUERY,NOERROR,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,1,DO,4096,nsid .,CH,TXT,QUERY,REFUSED,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,1,DO,4096,NSID
Nsd3    3 auThoRs.bInD.,CH,TXT,QUERY,NOERROR,QR,aa,tc,rd,ra,ad,cd,z,1,0,0,0,do,0,nsid auThoRs.bInD.,CH,TXT,QUERY,NOERROR,QR,AA,tc,rd,ra,ad,cd,z,1,15,1,0,do,0,nsid
Nsd3    6 .,CLASS0,TYPE0,NOTIFY,NXDOMAIN,QR,AA,tc,RD,ra,ad,cd,z,0,0,0,0,do,0,nsid bind.,NONE,SOA,NOTIFY,REFUSED,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,0,do,0,nsid
            =
Differences:    11

What do you see here? On the left the nameserver type we're testing, then a number. This number represent the number of differences with the stored fingerprint for this server. When this number is zero, it means the reply from the unknown server is an exact match with one of the stored fingerprints. In general, the lower the number, the more exact the hit was. For bind9 in the example above, the accumulated number of differences is zero. This indicates the server is probably a BIND9 server.

For nsd3 the story is completely different. The accumulated number of differences is 11, so this server probably isn't a NSD3 server.

Report

With, -report fp will just show the fingerprint of a nameserver. If the server is positively identified, the finger print can be added to fp:

% ./fp -report @localhost
# Fingerprint of <Nameserver> <version>
# Supplied by <Name> on <Date>
#
.,CH,TXT,QUERY,REFUSED,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,1,DO,4096,NSID
auThoRs.bInD.,CH,TXT,QUERY,NOERROR,QR,AA,tc,rd,ra,ad,cd,z,1,15,1,0,do,0,nsid
bind.,NONE,SOA,NOTIFY,REFUSED,QR,aa,tc,RD,ra,ad,cd,z,1,0,0,0,do,0,nsid

1. Get Go: hg clone -u release https://go.googlecode.com/hg/ go Note the directory you have downloaded it to and set $GOROOT to it: export GOROOT=$PWD/go. Add the GOROOT bin directory to your path: PATH=$PATH:$GOROOT/bin

2. Update Go to the latest weekly: cd $GOROOT; hg pull; hg update weekly

3. Compile Go: cd $GOROOT/src ; ./all.bash

   Install missing commands (gcc, sed, bison, etc.) if needed.

The latest Go is now installed.

Install GoDNS

1. Get GoDNS: cd ~; git clone git://github.com/miekg/godns.git
2. Compile it: cd godns; make ; make install
3. Compile the examples; cd examples; make ; make install
4. Query with q: q mx miek.nl
5. Report bugs

The E-reader variant is suffixed with -kindle:

• Learning Go for E-readers
• Learning Go A4 paper

For good measure I also want to use Omni-completion when writing Go code:

Btw, this screenshots also shows the solarized (dark) colorscheme.

Coloring

Google for solarized. In my .vimrc:

let g:solarized_termcolors=256
colorscheme solarized

Make from VIM

Use :make inside the editor and jump through the errors with:

:cn         // next compile error
:cp         // previous compile error

There are more options, but I want to be able to remember them...

Folding

Settings in .vimrc:

" folding settings
set foldmethod=indent
set foldnestmax=10
set nofoldenable
set foldlevel=0

And the commands that I will probably use most often:

zM          // close all folds
zR          // open all folds

za          // toggle fold under cursor
zA          // toggle fold under cursor recursively

Other important ones:

zo          // open fold under cursor
zO          // open all under cursor recursively

zc          // close fold under cursor
zC          // close all under cursor recursively

Spell checking

Setting in .vimrc:

" toggle spelling control-E -> en, control-N -> dutch (nederlands)                   
map     <C-E>    :setlocal spell! spelllang=en<CR>
imap    <C-E>    <ESC>:setlocal spell! spelllang=en<CR>i
map     <C-N>    :setlocal spell! spelllang=nl<CR>
imap    <C-N>    <ESC>:setlocal spell! spelllang=nl<CR>i

Commands to use (this is the only one I use)

z=          // Show corrections for a word

Toggle switches

Switches for paste-mode, cursorline, numbering disable search highlighting.

set pastetoggle=<F7>

" search hilight
map     <F8>   :nohlsearch<CR>
imap    <F8>   <ESC>:nohlsearch<CR>a
vmap    <F8>   <ESC>:nohlsearch<CR>gv

" numbering
map     <F10>   :set nu!<CR>
imap    <F10>   <ESC>:set nu!<CR>i
vmap    <F10>   <ESC>:set nu!<CR>gv

" toggle cursorline
map     <F9>   :set cursorline!<CR>
imap    <F9>   <ESC>:set cursorline!<CR>

Omni completion (Go specific)

See https://github.com/nsf/gocode. After you've installed that, you can use control-X control-O to bring up the omni completion window. With the VIM files in go/misc/vim you also have the following commands:

    :Fmt                // Gofmt your code
    :Import strings     // add package 'strings' to the import list
    :Drop strings       // drop package 'strings' from the import list

Enter: proxy chaining.

I already showed FunkenSign (example code is quite old though) and yesterday FunkenShield.

What if you combine the two? That gives the best of both worlds:

• Online signing;
• Caching;
• And it adheres to the true Unix philosophy: do one thing, and do one thing well.

So lets get some figures again.

Nameserver

First start the nameserver:

cd _examples/ns && make
GOMAXPROCS=10 ./ns      # listens on port 8053

Online signing proxy

Next we start our online signing proxy. This proxy only signs answers to questions for c.miek.nl., and leaves other questions alone.

We listen on port 8054 and use the nameserver we started on port 8053:

cd examples/funkensturm && make -f Makefile_sign
# save the exe
cp funkensturm funkensturm_sign
# start it
GOMAXPROCS=10 ./funkensturm_sign -rserver=127.0.0.1:8053 -sserver=127.0.0.1:8054

Reverse proxy

And lastly the reverse proxy. It listens on port 8055 and forwards queries to 8054.

make -f Makefile_rproxy
cp funkensturm funkensturm_rproxy
GOMAXPROCS=10 ./funkensturm_rproxy -rserver=127.0.0.1:8054 -sserver=127.0.0.1:8055

Numbers

So we have:

caching proxy -> signing proxy -> nameserver

And for queryperf we create a data file with three queries:

1. a.miek.nl A
2. a.miek.nl AAAA
3. c.miek.nl A

Where the answer to 3 will include a generated signature.

So lets query the nameserver on port 8053:

./queryperf -d data -s 127.0.0.1 -p 8053 -l 2 
Queries per second:   7298.194728 qps

7000+ qps; a normal number. Next directly query the online signing proxy on port 8054:

./queryperf -d data -s 127.0.0.1 -p 8054 -l 2
Queries per second:   205.991306 qps

205 qps... that's onine signing for you: S L O W.

Next we use the caching proxy which caches the answers, we query on port 8055:

./queryperf -d data -s 127.0.0.1 -p 8055 -l 2
Queries per second:   28521.826761 qps

Thats again more like it.

So we have fast online signing in a clean way.

Note: (excluding godns) the combined line count is 197 lines for ns and 450 for funkensturm.

This is done with the framework of FunkenSturm. Which is part of GoDNS.

How it works:

You place FunkenShield in front of your nameserver and it will cache the binary packets coming from your server in a local cache.

It is written in Go, and the beauty of it is that Go compiles to static executables, so I can give you (or you can compile it yourself) the exe and you can experiment with it yourself.

Some numbers

GoDNS is a library that helps you create DNS software. In this library some example programs are included, among other, a simple nameserver. Currently this nameserver works with 1 zone, namely "miek.nl". If you run it, it defaults to listening on port 8053:

% ./ns      # start the nameserver

<other terminal>

% dig @127.0.0.1 -p 8053 mx miek.nl
<snip>
;; QUESTION SECTION:
;miek.nl.                       IN      MX

;; ANSWER SECTION:
miek.nl.                345600  IN      MX      20 mail.atoom.net.
miek.nl.                345600  IN      MX      40 mx-ext.tjeb.nl.

;; AUTHORITY SECTION:
<snip>

;; ADDITIONAL SECTION:
miek.nl.                0       IN      TXT     "Proudly served by Go: http://www.golang.org"

So that works. But how fast is it? This queryperf asks two questions: "A a.miek.nl" and "AAAA a.miek.nl":

% ./queryperf -d data -s 127.0.0.1 -p 8053 -l 10
<snip>
Queries per second:   3079.260741 qps

Hmmm, only about 3000. Lets spice things up a bit and utilize Go's multicore features:

% GOMAXPROCS=20 ./ns 
% ./queryperf -d data -s 127.0.0.1 -p 8053 -l 10
Queries per second:   7124.942077 qps

More than doubled. Nice, but still nothing to make NSD afraid.

Enter FunkenShield

We run FunkenShield on port 8054, and allow it to have a multitude of goroutines. Note: "./ns" is still running. If FunkenShield has a cache miss it still needs to ask the nameserver.

% cd _examples/funkensturm && make -f Makefile_rproxy
% GOMAXPROCS=20 ./funkensturm -rserver 127.0.0.1:8053 -sserver 127.0.0.1:8054
% ./queryperf -d data -s 127.0.0.1 -p 8054 -l 10        # port = 8054!
Queries per second:   27506.219188 qps

W00t!

27506 qps.

27000+ qps is not bad for a nameserver.

To summarise a long presentation I gave to non-programmers:

• There are 12 million programmers in the world
• The majority of those programmers are scarcely qualified
• Most technology decisions are made by a combination of following the crowd and a false understanding of risk.
• The high cost and failure rate in software development is no coincidence.

Remember the Stevie Wonder rule - "When you believe in something you don't understand then you suffer". In this case that means "Perhaps making programming language decisions based on what 12 million powerless idiots are doing isn't the golden road to glory and great hacks."

Go is a genuine attempt to improve the state of systems programing language beyond the point they reached in the early 1970s. As a result the sort of people using it are mostly that small community of people who understand and care about the concerns that drive such a development.

You're not going to catch those 12 million people unless you can market heavily enough the idea that their future income depend on jobs/contacts built around go, but that goal just draws resources and energy away from making the language better.

Arguably Java also suffers from it's large community of corporate drones. The slavish tendency to build baroque, mausoleums of intricate classes, dense with state and dripping with verbose XML is a reflection of the unthinking insanity of the 12 million.

I'd rather a tiny community use the language well, built successful applications and organically grew the user base whilst establishing a clean, sane library base that might later be used to improve the lives of a wider population of programmers.

I've said more than enough, I'll trundle back to the twelve million and take my punishment now.

So this I will detail key2ds which is small utility that queries a zone and print any DNSKEY records as DS records on the fly, to show the new API and some sample usage.

% ./key2ds sidn.nl
sidn.nl.    0   IN  DS  42033 8 1 343F74674D36C9B5BE2CEB2C401AC4EDEB2A05B2
sidn.nl.    0   IN  DS  42033 8 2 BF985EC0738FACC89EE0B12FBD9261827C59191D9EA6A9BDFF55F9BDF3DBBFF3
sidn.nl.    0   IN  DS  39274 8 1 E79E031DFDE8E68EF1E2C6CA0943C2CC0DED1889
sidn.nl.    0   IN  DS  39274 8 2 8E8A8CFB40FD0C30BFA82E53752E1C257DAFB7B6206D12B9EDA43AF3EAB2157D

This util uses synchronous queries. I will explain the main-function:

func main() {
        conf, err := dns.ClientConfigFromFile("/etc/resolv.conf")
        if len(os.Args) != 2 || err != nil {
                fmt.Printf("%s DOMAIN\n", os.Args[0])
                os.Exit(1)
        }

Read the resolver config from /etc/resolv.conf and check if enough parameters have been given.

    m := new(dns.Msg)
    m.SetQuestion(os.Args[1], dns.TypeDNSKEY)

Prepare a new dns message to send to the other side. I'm interested in the DNSKEYs for the name given on the command line.

    // Set EDNS0's Do bit
    e := new(dns.RR_OPT)
    e.Hdr.Name = "."
    e.Hdr.Rrtype = dns.TypeOPT
    e.SetUDPSize(2048)
    e.SetDo()
    m.Extra = append(m.Extra, e)

This is DNSSEC so I must prepare an EDNS0 section, which is nothing more than adding an OPT RR to the additional section. I'm pondering making EDNS0 easier and provide a few helper functions (ideas welcome!). For now the whole OPT RR must be defined from scratch.

    c := dns.NewClient()
    r := c.Exchange(m, conf.Servers[0])
    if r == nil {
            fmt.Printf("*** no answer received for %s\n", os.Args[1])
            os.Exit(1)
    }

Create a new client and use Exchange() to perform send the query and wait for the reply. Note that we only use the first server defined in /etc/resolv.conf. (There is room for some improvements :-) )

    if r.Rcode != dns.RcodeSuccess {
            fmt.Printf(" *** invalid answer name %s after DNSKEY query for %s\n", os.Args[1], os.Args[1])
            os.Exit(1)
    }

If anything is wrong with the answer I bail out here.

    for _, k := range r.Answer {
            if key, ok := k.(*dns.RR_DNSKEY); ok {

Loop through the answer section and check each RR to see if it is a DNSKEY record with a type check.

                    ds := key.ToDS(dns.HashSHA1)
                    ds.Hdr.Ttl = 0
                    fmt.Printf("%v\n", ds)

For each DNSKEY convert it to a SHA1 DS records with ToDS()

                        ds = key.ToDS(dns.HashSHA256)
                        ds.Hdr.Ttl = 0
                        fmt.Printf("%v\n", ds)
                }
        }
}

And do the same for SHA256 and print that too.

I will detail key2ds which is small utility that queries a zone and print any DNSKEY records as DS records on the fly.

% ./key2ds sidn.nl
sidn.nl.    0   IN  DS  42033 8 1 343F74674D36C9B5BE2CEB2C401AC4EDEB2A05B2
sidn.nl.    0   IN  DS  42033 8 2 BF985EC0738FACC89EE0B12FBD9261827C59191D9EA6A9BDFF55F9BDF3DBBFF3
sidn.nl.    0   IN  DS  39274 8 1 E79E031DFDE8E68EF1E2C6CA0943C2CC0DED1889
sidn.nl.    0   IN  DS  39274 8 2 8E8A8CFB40FD0C30BFA82E53752E1C257DAFB7B6206D12B9EDA43AF3EAB2157D

This util uses synchronous queries. I will detail the main-function:

func main() {
        conf, err := dns.ClientConfigFromFile("/etc/resolv.conf")
        if len(os.Args) != 2 || err != nil {
                fmt.Printf("%s DOMAIN\n", os.Args[0])
                os.Exit(1)
        }

Read the resolver config from /etc/resolv.conf and check if enough parameters have been given.

    m := new(dns.Msg)
    m.SetQuestion(os.Args[1], dns.TypeDNSKEY)

Prepare a new dns message to send to the other side. I'm interested in the DNSKEYs for name given on the command line.

    // Set EDNS0's Do bit
    e := new(dns.RR_OPT)
    e.Hdr.Name = "."
    e.Hdr.Rrtype = dns.TypeOPT
    e.SetUDPSize(2048)
    e.SetDo()
    m.Extra = append(m.Extra, e)

This is DNSSEC so I must prepare an EDNS0 section, which is nothing more than adding an OPT RR to the Additional section. I'm pondering making EDNS0 easier and provide a few helper functions. For now the whole OPT RR must be defined from scratch.

    c := dns.NewClient()
    r := c.Exchange(m, conf.Servers[0])
    if r == nil {
            fmt.Printf("*** no answer received for %s\n", os.Args[1])
            os.Exit(1)
    }

Create a new client and use Exchange() to perform send the query and wait for the reply. Note that we only use the first server defined in /etc/resolv.conf. (There is room for some improvements :) )

    if r.Rcode != dns.RcodeSuccess {
            fmt.Printf(" *** invalid answer name %s after DNSKEY query for %s\n", os.Args[1], os.Args[1])
            os.Exit(1)
    }

If anything is wrong with the answer I bail out here.

    for _, k := range r.Answer {
            if key, ok := k.(*dns.RR_DNSKEY); ok {

Loop through the answer section and check each RR to see if it is a DNSKEY record with a type check.

                    ds := key.ToDS(dns.HashSHA1)
                    ds.Hdr.Ttl = 0
                    fmt.Printf("%v\n", ds)

For each DNSKEY convert it to a SHA1 DS records with ToDS()

                        ds = key.ToDS(dns.HashSHA256)
                        ds.Hdr.Ttl = 0
                        fmt.Printf("%v\n", ds)
                }
        }
}

And do the same for SHA256 and print that too.