Configuring fake DNS responders - sandeeprenjith/dnsblast GitHub Wiki

A fake DNS responder is a simple concept: a DNS server that responds with valid RDATA regardless of the query sent to it. This is very helpful in recursive DNS testing, because a fake DNS responder can be configured as the forwarder of a recursive DNS server, so the server under test gets valid answers for whatever random queries are thrown at it.

Here we discuss two ways of configuring a fake DNS responder.

BIND

With BIND, you can configure a pretty high-performance fake responder. The performance depends on the capabilities of the host running BIND.

The idea is to configure the root (.) as an authoritative zone and add wildcard entries to the root zone file for each record type you need.

Note: Special types like CNAME, which have a uniqueness constraint, cannot be added as wildcard entries.

The configuration file entry for the root zone would look as below.

zone "." {
        type master;
        file "/etc/bind/root.db";
};

The zone file would look as below.

$TTL 86400
$ORIGIN .
@       1D      IN      SOA     ns1.    sandeep.renjith.gmail.com. (
                1       ; serial
                3H      ; refresh
                15      ; retry
                1w      ; expire
                3h      ; minimum (negative caching TTL)
                )

        IN      NS      ns1.
ns1.    IN      A       192.168.130.9
*       IN      A       172.21.21.21    ; wildcard: every other name gets this answer

With this configuration you get a valid response regardless of the query, as shown below.

tester@ubu-18:~$ dig @192.168.130.9 google.com +short
172.21.21.21
tester@ubu-18:~$ dig @192.168.130.9 facebook.com +short
172.21.21.21
tester@ubu-18:~$ dig @192.168.130.9 yahoo.com.com +short
172.21.21.21
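The same wire-level behaviour written by hand, as an added example that is not part of dnsblast or of the BIND and CoreDNS configurations on this page: a minimal UDP responder built on Python's standard library that answers every A/IN query with the wildcard address above and returns an empty, authoritative NOERROR for any other type, so a resolver pointed at it as a forwarder sees a valid answer for any name. The function names, the 127.0.0.1:5353 listening address and the query names are assumptions constructed for the example.

```python
import socket
import struct
FAKE_A = "172.21.21.21"   # constructed: same wildcard answer and TTL as the BIND zone above
FAKE_TTL = 86400

def build_query(name, qtype=1, txid=0x1234):
    """Encode a plain recursion-desired IN query for NAME (used by the self-test)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (qname, qtype, qclass, end_offset) of the first question in MSG."""
    labels, pos = [], 12                         # the question follows the 12-byte header
    while msg[pos] != 0:
        if msg[pos] & 0xC0:                      # compression pointers are malformed in a query
            raise ValueError("compressed label in question")
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels) + ".", qtype, qclass, pos + 5

def build_response(query):
    """Answer any A/IN query with FAKE_A; other types get an empty, authoritative NOERROR."""
    txid, flags, *_ = struct.unpack("!HHHHHH", query[:12])
    _, qtype, qclass, end = parse_question(query)
    flags = 0x8400 | (flags & 0x0100)            # QR=1, AA=1, keep the client's RD bit
    answer, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        rdata = socket.inet_aton(FAKE_A)         # RR name is a pointer to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, FAKE_TTL, len(rdata)) + rdata
        ancount = 1
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:end] + answer

def answer_address(response):
    """Dotted quad from the first A answer, or None when the answer section is empty."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, _, _, end = parse_question(response)     # the RR sits right after the question
    rdlength = struct.unpack("!H", response[end + 10:end + 12])[0]   # skip name(2) type(2) class(2) ttl(4)
    return socket.inet_ntoa(response[end + 12:end + 12 + rdlength])

def serve(host="127.0.0.1", port=5353):
    # Blocking UDP loop: point a resolver's forwarder at host:port to use it as a fake upstream.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(build_response(data), peer)
            except (ValueError, IndexError, struct.error):
                pass                             # ignore malformed packets rather than crashing
```

Run serve() on a test host and query it with dig @127.0.0.1 -p 5353 anything.example +short; every A query returns 172.21.21.21, which is exactly what the wildcard zone above produces.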

CoreDNS

CoreDNS is a relatively new DNS server and is currently the default DNS server for Kubernetes. CoreDNS functionality is extended through plugins, which makes it very versatile. In my experience, it does not seem to perform as well as BIND, but the functionality is greater. CoreDNS can be configured as a fake DNS responder using a plugin named Erratic.

Below are links to CoreDNS and the Erratic plugin.

Below is the configuration file I use to configure CoreDNS as a fake DNS responder. I have added DNS over TLS and caching, along with IPv6, to the file.

. {
        bind 192.168.130.9 dead:face::2
        cache {
                success 0 3600 3600
        }
        erratic {
                delay 1 23ms
                drop 0
        }
        log
}
tls://.:853 {
        bind 192.168.130.9 dead:face::2
        debug
        tls coredns.pem coredns.key ca.pem
        cache {
                success 0 3600 3600
        }
        erratic {
                delay 1 23ms
                drop 0
        }
        log
}

Using BIND and RPZ

This is an article I found where RPZs are used by BIND to achieve a similar objective.

https://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/