Clik here to view.
Simple and Powerful DNS Testing with Scapy
An effective tool to test DNS (Domain Name System)
When testing DNS Defender®, CloudShield’s specialized DNS firewall, an application traffic generator is my tool of choice due to its performance and automation capabilities. This tool is able to generate custom Layer-7 traffic by simulating real client-server communications and behavior at multiple 10Gbps speed.
Although the use of this tool is crucial for development and quality assurance testing, its cost and form-factor usually prevents everyday use for demos and presentations. In these situations, software-based tools become handy.
The Dig tool is great, but has limitations
One of the most common software tools for DNS testing is the Dig tool, which is part of ISC BIND and is built-in on most Linux distributions. This tool is very simple to use and has several options to change DNS parameters, like setting DNS flags. It can also operate in batch mode by reading a file with multiple domain names to query. Another option is to combine the Dig tool with shell scripts. Simple shell scripts can be used to call the Dig tool and provide test automation, response manipulation, and filtering.
Despite its benefits, the Dig tool has some important limitations. For example, it does not allow changing the source IP address of the packet for an arbitrary one, preventing use of a range of IP addresses to simulate a pool of clients. The only option is to use an IP address assigned to a system’s interface. But the biggest limitation is its restriction on generating only valid and well-formed DNS packets, since non-valid or anomalous DNS packets are usually required to create and reproduce complex attacks.
There is where Scapy shines.
Scapy is simple and powerful
Scapy brings the ability to create, generate, and manipulate whole packet content in a very simple way.
To give you an idea of how easy it is to generate a DNS packet on Scapy, here is the syntax to create a DNS query type A to a server on the IP address 10.0.0.1, asking for the domain name “www.cloudshield.com“:
>>> pkt=IP(dst="10.0.0.1")/UDP(sport=60000)/DNS(id=1,qd=DNSQR(qname="www.cloudshield.com"))
Scapy can fill the remaining parameters with the appropriate values for the specific type of packet and calculate the checksum automatically.
The “show2()” command below presents a summary of the final packet:
>>> pkt.show2()
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = 65
id = 1
flags =
frag = 0L
ttl = 64
proto = udp
chksum = 0x665b
src = 10.0.0.80
dst = 10.0.0.1
\options \
###[ UDP ]###
sport = 60000
dport = domain
len = 45
chksum = 0xda83
###[ DNS ]###
id = 1
qr = 0L
opcode = QUERY
aa = 0L
tc = 0L
rd = 0L
ra = 0L
z = 0L
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 0
\qd \
|###[ DNS Question Record ]###
| qname = 'www.cloudshield.com.'
| qtype = A
| qclass = IN
an = None
ns = None
ar = None
After creating the packet, Scapy gives you several ways to use it. You can generate a single packet or many on an endless loop, select the output interface, randomize fields, capture and match responses, and choose among many other options.
Want to learn more about Scapy and Python®?
A quick way to learn Scapy is through the interactive tutorial that you can find here. This tutorial walks you through the Scapy features and provides several examples on how to use them.
Scapy runs on Python, but you don’t need to learn Python in order to use it. However, you can take advantage of Python scripts to enhance and automate your Scapy tools.
If you also want to give Python a try, a great quick start guide is the Google’s Python Class.
In my follow up articles, I’ll provide some examples of tools for DNS testing using Scapy and Python.
Stay tuned!
Python is a registered trademark of Python Software Foundation
DNS Defender and CloudShield are registered trademarks of CloudShield Technologies
Clik here to view.