DNS多出口分析

時間 2019-11-12

原文原文鏈接

DNS多出口分問題現象：當dns解析出的ip非域名的本地覆蓋組，則懷疑是DNS多出口或者DNS劫持。接下來判斷該ip是否爲網宿ip，若是不是，則是劫持問題，走劫持流程進行反饋。若是是網宿ip，則用如下方法進行DNS多出口確認。

方法一：經過抓包的方式判斷多出口
以測試8.8.8.8多出口爲例：
登陸機器：122.136.46.146（多出口DNS IP抓包專用測試機），
執行：
sudo tcpdump -nn dst port 53 and udp |grep testdns
在其餘機器，連續dig 8.8.8.8，須要構造不一樣的前綴名，以避免結果被緩存，因此構造命令以下：緩存

for i in {1..20}; do dig @8.8.8.8 wangsutest${i}.testdns.lxdns.com ; done服務器

[fush@xm35 ~ 14:21:42]$ for i in {1..20}; do dig @8.8.8.8 wangsutest${i}.testdns.lxdns.com ; doneapp

在122.136.46.146就能夠看到源源不斷的dig請求了，上面便有來源IP：
tcp

[watch@yb146 ~]$ sudo tcpdump -nn dst port 53 and udp |grep testdns
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:04:24.757489 IP 74.125.47.137.60718 > 122.136.46.146.53: 41700 [1au] A? wangsutest1.testdns.lxdns.com. (69)
14:04:25.716976 IP 74.125.47.2.49631 > 122.136.46.146.53: 44566 [1au] A? wangsutest1.testdns.lxdns.com. (58)
14:04:26.750757 IP 74.125.181.3.50040 > 122.136.46.146.53: 53990 A? wangsutest1.testdns.lxdns.com. (47)
14:04:28.224020 IP 74.125.47.135.62744 > 122.136.46.146.53: 40516 [1au] A? wangsutest2.testdns.lxdns.com. (69)
14:04:29.255839 IP 74.125.181.2.59749 > 122.136.46.146.53: 40176 [1au] A? wangsutest2.testdns.lxdns.com. (58)
14:04:30.206371 IP 74.125.47.145.39762 > 122.136.46.146.53: 14996 A? wangsutest2.testdns.lxdns.com. (47)
14:04:31.669964 IP 74.125.47.142.46313 > 122.136.46.146.53: 33430 [1au] A? wangsutest3.testdns.lxdns.com. (69)
14:04:32.681943 IP 74.125.181.15.40614 > 122.136.46.146.53: 63315 [1au] A? wangsutest3.testdns.lxdns.com. (58)
14:04:33.638824 IP 74.125.47.138.49140 > 122.136.46.146.53: 46887 A? wangsutest3.testdns.lxdns.com. (47)
14:04:35.447495 IP 74.125.47.3.46831 > 122.136.46.146.53: 63691 [1au] A? wangsutest4.testdns.lxdns.com. (69)
14:04:36.454706 IP 74.125.181.10.51442 > 122.136.46.146.53: 2562 [1au] A? wangsutest4.testdns.lxdns.com. (58)
14:04:38.820076 IP 74.125.47.11.36014 > 122.136.46.146.53: 36575 [1au] A? wangsutest5.testdns.lxdns.com. (69)
14:04:39.876869 IP 74.125.181.2.63350 > 122.136.46.146.53: 2701 [1au] A? wangsutest5.testdns.lxdns.com. (58)
14:04:40.842737 IP 74.125.73.68.47832 > 122.136.46.146.53: 21859 A? wangsutest5.testdns.lxdns.com. (47)
14:04:43.843789 IP 74.125.47.140.34852 > 122.136.46.146.53: 15856 [1au] A? wangsutest5.testdns.lxdns.com. (69)
14:04:44.793616 IP 74.125.47.129.37043 > 122.136.46.146.53: 51990 [1au] A? wangsutest5.testdns.lxdns.com. (58)
14:04:45.817476 IP 74.125.181.9.61970 > 122.136.46.146.53: 58166 A? wangsutest5.testdns.lxdns.com. (47)
14:04:47.239946 IP 74.125.47.142.46096 > 122.136.46.146.53: 50182 [1au] A? wangsutest6.testdns.lxdns.com. (69)
14:04:48.240700 IP 74.125.47.142.64726 > 122.136.46.146.53: 1427 [1au] A? wangsutest6.testdns.lxdns.com. (58)
14:04:49.183595 IP 74.125.181.3.36549 > 122.136.46.146.53: 35110 A? wangsutest6.testdns.lxdns.com. (47)
14:04:50.478652 IP 74.125.73.73.51076 > 122.136.46.146.53: 31433 [1au] A? wangsutest7.testdns.lxdns.com. (69)
14:04:51.519810 IP 74.125.47.15.40705 > 122.136.46.146.53: 45115 [1au] A? wangsutest7.testdns.lxdns.com. (58)
14:04:52.497886 IP 74.125.47.143.35166 > 122.136.46.146.53: 62820 A? wangsutest7.testdns.lxdns.com. (47)
14:04:53.936080 IP 74.125.73.70.47566 > 122.136.46.146.53: 61608 [1au] A? wangsutest8.testdns.lxdns.com. (69)
14:04:54.986093 IP 74.125.47.12.63747 > 122.136.46.146.53: 50695 [1au] A? wangsutest8.testdns.lxdns.com. (58)
14:04:55.967277 IP 74.125.73.75.34890 > 122.136.46.146.53: 29681 A? wangsutest8.testdns.lxdns.com. (47)
14:04:57.312838 IP 74.125.47.143.46604 > 122.136.46.146.53: 58335 [1au] A? wangsutest9.testdns.lxdns.com. (69)
14:04:58.361482 IP 74.125.73.84.62433 > 122.136.46.146.53: 48089 [1au] A? wangsutest9.testdns.lxdns.com. (58)
14:04:59.365100 IP 74.125.47.1.47087 > 122.136.46.146.53: 59125 A? wangsutest9.testdns.lxdns.com. (47)
14:05:00.801741 IP 74.125.47.14.34812 > 122.136.46.146.53: 339 [1au] A? wangsutest10.testdns.lxdns.com. (70)
14:05:01.785453 IP 74.125.47.146.61843 > 122.136.46.146.53: 21701 [1au] A? wangsutest10.testdns.lxdns.com. (5測試

抓包獲取的ip，能夠看到有多個
該方法的原理是：8.8.8.8在解析wangsutest.testdns.lxdns.com這個域名時，會去lxdns的DNS服務器上去請求wangsutest.testdns.lxdns.com對應的A記錄，而lxdns的DNS爲122.136.46.146（便是多出口DNS IP抓包專用測試機），咱們所抓取的包，這是8.8.8.8對122.136.46.146的請求記錄，而請求ip便是DNS出口ip。 spa

二.查詢機器使用的dns出口IP.net

[root@zhjhzh16 ~]# dig whoami.ultradns.net @8.8.8.8code

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> whoami.ultradns.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64327
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0dns

;; QUESTION SECTION:
;whoami.ultradns.net. IN Aip

;; ANSWER SECTION:
whoami.ultradns.net. 0 IN A 74.125.47.11 #74.125.47.11 爲dns服務器8.8.8.8 的其中一個出口IP

;; Query time: 372 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu May 25 14:36:39 2017
;; MSG SIZE rcvd: 53

[root@zhjhzh16 ~]# dig whoami.akamai.net @8.8.8.8

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> whoami.akamai.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57990
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;whoami.akamai.net. IN A

;; ANSWER SECTION:
whoami.akamai.net. 163 IN A 74.125.47.140 #74.125.47.140 爲dns服務器8.8.8.8 的其中一個出口IP

;; Query time: 344 msec;; SERVER: 8.8.8.8#53(8.8.8.8);; WHEN: Thu May 25 14:38:23 2017;; MSG SIZE rcvd: 51