Open source DNS Resolver written in Golang: NSnitch - Find out which name servers are snitching on you.

polaris · · 46 次点击    
这是一个分享于 的资源,其中的信息可能已经有所发展或是发生改变。
<p>Here&#39;s the browser test web app showing the APIs in action: <a href="https://tenta.com/test">https://tenta.com/test</a></p> <p>Backend source code in Golang: <a href="https://github.com/tenta-browser/nsnitch">https://github.com/tenta-browser/nsnitch</a></p> <hr/>**评论:**<br/><br/>gohacker: <pre><blockquote> <p>which name servers are snitching on you</p> </blockquote> <p>That would benefit from some explanation.</p></pre>nevyn: <pre><p>It gives you a random DNS name and then tells which IPs requested a name =&gt; ip lookup. It should be just the nameserver you are requesting from, but if someone is spying on you they&#39;ll also need to do the lookup.</p></pre>tentabrowser: <pre><p>Thanks for asking. The readme on github has the best details on how it works and the APIs descriptions, but if you have any specific questions about it, I&#39;m happy to answer. At a high level, it&#39;s a modern version of a IP/DNS leak test with additional data returned that are typically missing from the older DNS leak test sites. For example, we are working on DNS over TLS and when we google&#39;d to see if there is a quick way to check if it&#39;s working, we didn&#39;t find anything. It&#39;s a relatively new protocol, so it makes sense that there isn&#39;t much out there yet, but it will start gaining ground since it actually keeps your DNS requests encrypted/private. The API also shows if DNSSEC is enabled or &#34;Checking Disabled&#34; is on or off. Our goal was to give a more complete picture of your DNS privacy/security settings.</p></pre>__crackers__: <pre><p>What do I do with the random DNS name?</p> <p>Grab it, perform a DNS lookup and then wait and see if anyone else also looks it up?</p></pre>tentabrowser: <pre><p>Actually, we&#39;re less concerned with multiple lookups for the same random name, and more concerned with the details of who&#39;s doing the look ups. Several big, public, recursive resolvers may look it up twice, as part of their caching strategy (we believe).</p> <p>On the other hand, if someone is MITMing you then you&#39;ll see the lookup from their MITM. Also, if your VPN isn&#39;t pushing DNS lookups, or your VPN config lets them leak, you&#39;ll see that obviously</p></pre>__crackers__: <pre><p>Thanks for the reply.</p> <p>I&#39;m afraid I still don&#39;t really follow how I&#39;m supposed to use this service.</p> <p>Could you explain it from more basic principles?</p> <p>I know what DNS is and how it works. I don&#39;t understand how I&#39;m supposed to use this service to tell if someone is spying on me/my DNS is ratting me out.</p> <p>What is the purpose of a random DNS name, and what am I supposed to do with it?</p> <p>Step by step, how would I go about determining whether something iffy is going on?</p> <p>The README and the explanations so far assume too much existing knowledge of what they&#39;re supposed to do.</p> <p>I mean, <em>how</em> will I see that someone it MitMing me? Or that my VPN config is leaking DNS?</p></pre>bonekeeper: <pre><p>That&#39;s pretty useful!</p></pre>__crackers__: <pre><p>Why the downvotes?</p> <p>Am I somehow stupid for not understanding how this is all supposed to work from the vague description given?</p></pre>tentabrowser: <pre><p>Suppose that your computer has an IP address like 192.0.2.101 and your (super tiny) ISP has a public router which does DNS lookup at 192.0.2.1. Normally, when you visit a very popular website, like google.com, your computer make a direct request to your DNS server at 192.0.2.1, and since google.com is a very popular website, it&#39;s already cached so the DNS server directly returns the results to you.</p> <p>However, when you look up a domain name that&#39;s never been looked up before, like bonanza-bananas-bazooka.example.com, the DNS resolver first determines which DNS server is the authoritative name server (the &#34;source of truth&#34;) for example.com (glossing over a bit of the complexity of determining NS servers here). It finds out that ns1.example.com is the main DNS server. It must then make a direct connection to ns1.example.com and ask &#34;Hey, tell me about bonanza-bananas-bazooka.example.com&#34;. The reason it has to make a direct connection is that since no one has ever looked up that name before, no other server can possibly answer.</p> <p>But, by virtue of the fact that it talked to our special name server software, and sent us a message, we can extract lots of details about it.</p> <p>Including, most basically, that it&#39;s IP address is 192.0.2.1. From that, we can extract the AS number (the &#34;responsible ISP&#34;) for the IP address</p> <p>So, in a simplistic case, if your DNS server is set to 192.0.2.1, then that&#39;s who should contact our nameserver.</p> <p>Reality, is of course a bit more complicated. When your tiny ISP gets a bit bigger, they setup a local name server in your neighborhood, at 192.0.2.100, which is what you connect to. For best performance and aggregation, 192.0.2.100 one connects upwards to 192.0.2.1 when it needs to lookup something that&#39;s never been looked up before. In this case, even though your direct name server is 192.0.2.100, you&#39;ll see that 192.0.2.1 also knows what websites you visit. Which is probably okay, since it still belongs to your ISP.</p> <p>On the other hand, if you notice that 203.0.113.1 is looking up bonanza-bananas-bazooka.example.com, then that&#39;s very suspicious. No one but you and your DNS resolver should ever even consider that such a domain name might exist, much less look it up.</p> <p>Furthermore, suppose that you&#39;ve connected to a VPN and have a VPN address of 198.51.100.55. If you perform the random subdomain DNS lookup and see that 192.0.2.1 is doing the lookup, that means your VPN is mis-configured to send DNS outside the tunnel.</p> <p>This is a very common mis-configuration which results in all the sites you visit getting leaked.</p> <p>We can also tell you a lot about what other information the DNS resolver provides when it does the lookup. For example, did you know some providers provide part or all of your original IP address to the name server when they perform the lookup? Or if your resolvers are trying to check whether the DNS records are valid or not?</p> <p>Lastly, we can tell which server(s) actively participated in lookup for your requests. We cannot tell if a third party is passively inspecting your packets, but we can tell if your resolver uses TLS, meaning (with high confidence) that someone is not passively listening to your DNS requests.</p> <p>Hope that makes sense of how you might use this to analyze what your DNS resolver is actually doing.</p></pre>
46 次点击  
加入收藏 微博
暂无回复
添加一条新回复 (您需要 登录 后才能回复 没有账号 ?)
  • 请尽量让自己的回复能够对别人有帮助
  • 支持 Markdown 格式, **粗体**、~~删除线~~、`单行代码`
  • 支持 @ 本站用户;支持表情(输入 : 提示),见 Emoji cheat sheet
  • 图片支持拖拽、截图粘贴等方式上传