Re: [tor-bugs] #25874 [Obfuscation/Snowflake]: DNS-based rendezvous for Snowflake
#25874: DNS-based rendezvous for Snowflake
-----------------------------------+------------------------
Reporter: dcf | Owner: (none)
Type: project | Status: new
Priority: Medium | Milestone:
Component: Obfuscation/Snowflake | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------+------------------------
Comment (by dcf):
For testing purposes, I set up snowflake-broker.bamsoftware.com to be the
authoritative nameserver for the subdomain test.bamsoftware.com. (I think;
I'm not too good at this DNS stuff.) There is no responder running there
yet, but you can use tcpdump on the broker to watch requests arrive:
{{{
tcpdump -n -X port 53
}}}
Then, from somewhere else, try a normal DNS query. In the tcpdump you
should see requests arrive from your ISP's recursive nameserver.
{{{
dig message${RANDOM}.test.bamsoftware.com
}}}
Here is sample Python 2 code for doing requests over the 1.1.1.1 DNS-over-
HTTPS server.
{{{
#!/usr/bin/env python
# Python 2: str(DNS(...)) yields the raw wire-format bytes of the packet.
NAME = "whatever.test.bamsoftware.com"
from scapy.all import *
import base64
import requests

# https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat/#using-post
print("POST application/dns-udpwireformat")
udpwireformat = str(DNS(rd=True, qd=DNSQR(qtype="A", qname=NAME)))
r = requests.post("https://1.1.1.1/dns-query",
    headers = {
        "Accept": "application/dns-udpwireformat",
        "Content-Type": "application/dns-udpwireformat",
    },
    data = udpwireformat,
)
DNS(r.content).show()

# https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat/#using-get
print("GET application/dns-udpwireformat")
udpwireformat = str(DNS(rd=True, qd=DNSQR(qtype="A", qname=NAME)))
r = requests.get("https://1.1.1.1/dns-query",
    params = {
        # The wire-format query travels base64url-encoded in the "dns" parameter.
        "dns": base64.urlsafe_b64encode(udpwireformat),
        "ct": "application/dns-udpwireformat",
    },
)
DNS(r.content).show()

# https://developers.cloudflare.com/1.1.1.1/dns-over-https/json-format/
print("GET application/dns-json")
r = requests.get("https://1.1.1.1/dns-query",
    params = {
        "name": NAME,
        "type": "A",
        "ct": "application/dns-json",
    },
)
print(r.text)
}}}
If you run this, you will see requests arrive at the broker and responses
come back with `rcode=server-failure`, which is expected because there's
nothing running at snowflake-broker.bamsoftware.com:53 yet.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25874#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
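
The wire-format side of the exchange described in the comment above, as an added Python 3 example that is not part of dcf's message: it builds the query bytes without scapy, encodes them for the `dns` GET parameter, and decodes the `rcode` of a reply. The function names are hypothetical, the SERVFAIL reply is constructed locally rather than captured, and stripping the base64 padding follows RFC 8484, which is an assumption beyond what the post does.

```python
import base64
import struct

RCODES = {0: "ok", 2: "server-failure", 3: "name-error"}

def build_query(name, qtype=1, txid=0):
    """Encode a one-question DNS query (RD set); qtype 1 is A."""
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 1 <= len(label) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        qname += bytes([len(label)]) + label
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_param(wire):
    """base64url with padding stripped (RFC 8484 form of ?dns=)."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def parse_message(wire):
    """Return (txid, is_response, rcode, qname) for a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", wire[:6])
    labels, pos = [], 12
    while qdcount and wire[pos]:
        n = wire[pos]
        if n & 0xC0:
            raise ValueError("question name is not plain labels")
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    return txid, bool(flags & 0x8000), rcode, ".".join(labels)

def servfail_for(query):
    """Constructed reply: echo the question, set QR, RA and RCODE=2."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", txid, flags | 0x8080 | 2) + query[4:]

if __name__ == "__main__":
    q = build_query("whatever.test.bamsoftware.com")  # name from the post
    print(doh_get_param(q))
    print(parse_message(q))
    print(parse_message(servfail_for(q)))
```

The 63-byte label limit enforced in `build_query` is the per-label bound on anything carried in a query name under the delegated subdomain.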