安全技术|DNSLOG平台搭建从0到1

dnslog.py

运行在python2下，无需安装依赖包。

#!/usr/bin/env python

# -*- coding: utf-8 -*-

import SocketServer

import struct

import socket as socketlib

# DNS Query

class SinDNSQuery:

??? def __init__(self, data):

??????? i = 1

??????? self.name = ''

??????? while True:

??????????? d = ord(data[i])

??????????? if d == 0:

??????????????? break;

??????????? if d < 32:

??????????????? self.name = self.name + '.'

??????????? else:

??????????????? self.name = self.name + chr(d)

??????????? i = i + 1

??????? self.querybytes = data[0:i + 1]

??????? (self.type, self.classify) = struct.unpack('>HH', data[i + 1:i + 5])

??????? self.len = i + 5

??? def getbytes(self):

??????? return self.querybytes + struct.pack('>HH', self.type, self.classify)

# DNS Answer RRS

class SinDNSAnswer:

??? def __init__(self, ip):

??????? self.name = 49164

??????? self.type = 1

??????? self.classify = 1

??????? self.timetolive = 190

??????? self.datalength = 4

??????? self.ip = ip

??? def getbytes(self):

??????? res = struct.pack('>HHHLH', self.name, self.type, self.classify, self.timetolive, self.datalength)

??????? s = self.ip.split('.')

??????? res = res + struct.pack('BBBB', int(s[0]), int(s[1]), int(s[2]), int(s[3]))

??????? return res

# DNS frame

class SinDNSFrame:

??? def __init__(self, data):

??????? (self.id, self.flags, self.quests, self.answers, self.author, self.addition) = struct.unpack('>HHHHHH', data[0:12])

??????? self.query = SinDNSQuery(data[12:])

??? def getname(self):

????? ??return self.query.name

??? def setip(self, ip):

??????? self.answer = SinDNSAnswer(ip)

??????? self.answers = 1

??????? self.flags = 33152

??? def getbytes(self):

??????? res = struct.pack('>HHHHHH', self.id, self.flags, self.quests, self.answers, self.author, self.addition)

??????? res = res + self.query.getbytes()

??????? if self.answers != 0:

??????????? res = res + self.answer.getbytes()

??????? return res

# A UDPHandler to handle DNS query

class SinDNSUDPHandler(SocketServer.BaseRequestHandler):

? ??def handle(self):

??????? data = self.request[0].strip()

??????? dns = SinDNSFrame(data)

??????? socket = self.request[1]

??????? namemap = SinDNSServer.namemap

??????? if(dns.query.type==1):

??????????? # If this is query a A record, then response it?? ??????

??????????? name = dns.getname();

??????????? toip = namemap['*']

??????????? dns.setip(toip)

??????????? print '%s: %s-->%s'%(self.client_address[0], name, toip)

??????????? socket.sendto(dns.getbytes(), self.client_address)

??????? else:

???????? ???# If this is not query a A record, ignore it

??????????? socket.sendto(data, self.client_address)

# DNS Server

class SinDNSServer:

??? def __init__(self, port=53):

??????? SinDNSServer.namemap = {}

??????? self.port = port

??? def addname(self, name, ip):

??????? SinDNSServer.namemap[name] = ip

??? def start(self):

??????? HOST, PORT = "0.0.0.0", self.port

??????? server = SocketServer.UDPServer((HOST, PORT), SinDNSUDPHandler)

??????? server.serve_forever()

if __name__ == "__main__":

??? sev = SinDNSServer()

??? sev.addname('*', '127.0.0.1') # default address

???sev.start() # start DNS server

在vps上直接运行dnslog.py，一个简易的DNSLOG平台就搭起来了。

运行效果如下图：

回显的ip地址可通过sev.addname('*', '127.0.0.1')自定义。