Not replying to DNS queries

[brannondorsey]

I'm running jaqen on VPS of mine like so:

# using fake IPs for GitHub
EXTERNAL_IP=54.173.189.125
INTERNAL_IP=172.30.0.10

# start jaqen
sudo ./jaqen \
    --base-uri mydomainna.me \
    --dns-bind "0.0.0.0:53" \
    --http-bind "$EXTERNAL_IP" \
    --http-pool "$INTERNAL_IP" \
    --http-bind-map "$INTERNAL_IP/$EXTERNAL_IP" -vvv

I've configured mydomainna.me to use a $EXTERNAL_IP as a custom nameserver and have disabled the firewall to allow traffic on port 53. When I run jaqen and request http://mydomainna.me in the browser I get the following output in the console.

INFO[0000] Found 1 eligible addresses meeting criteria: [54.173.189.125\172.30.0.10:80] 
INFO[0000] Leasing 54.173.189.125\172.30.0.10:80       
INFO[0000] Created HTTPServer bound to "54.173.189.125\172.30.0.10:80" as a result of request "00000000-0000-0000-0000-000000000000" on socket "00000000-0000-0000-0000-000000000000" 
INFO[0000] Created new DNSServer bound to "0.0.0.0:53" (tcp) 
INFO[0000] Created new DNSServer bound to "0.0.0.0:53" (udp) 
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0014] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       A      
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   
DEBU[0015] Got DNS Request: ;webcdn.website.    IN       AAAA   

However, it jaqen doesn't actually return DNS responses. A simple nslookup shows:

> mydomainna.me
Server:		127.0.1.1
Address:	127.0.1.1#53

** server can't find mydomainna.me: SERVFAIL

And monitoring DNS queries via tcpdump also shows the DNS server is failing:

$ sudo tcpdump udp port 53
23:11:28.099524 IP brannon.47992 > router.asus.com.domain: 45422+ A? mydomainna.me. (32)
23:11:28.099538 IP brannon.47992 > router.asus.com.domain: 11880+ AAAA? mydomainna.me. (32)
23:11:28.177006 IP router.asus.com.domain > brannon.47992: 45422 ServFail 0/0/0 (32)
23:11:28.281190 IP router.asus.com.domain > brannon.47992: 11880 ServFail 0/0/0 (32)
23:11:28.281539 IP brannon.47992 > router.asus.com.domain: 23679+ A? mydomainna.me. (32)
23:11:28.281583 IP brannon.47992 > router.asus.com.domain: 63510+ AAAA? mydomainna.me. (32)
23:11:28.358193 IP router.asus.com.domain > brannon.47992: 23679 ServFail 0/0/0 (32)
23:11:28.860719 IP router.asus.com.domain > brannon.47992: 63510 ServFail 0/0/0 (32)
23:11:28.861286 IP brannon.47992 > router.asus.com.domain: 29708+ A? mydomainna.me. (32)
23:11:28.861339 IP brannon.47992 > router.asus.com.domain: 42729+ AAAA? mydomainna.me. (32)
23:11:28.939490 IP router.asus.com.domain > brannon.47992: 29708 ServFail 0/0/0 (32)
23:11:28.944913 IP router.asus.com.domain > brannon.47992: 42729 ServFail 0/0/0 (32)
# ...etc

@li-lyoung, any ideas what this might be? I have a hung that I'm using the CLI args wrong but I figured you might have a better idea. Great research and DEFCON 25 talk btw 👍.

[brannondorsey]

Aha, turns out you can't just query mydomainna.me without prepending the UUID subdomain. I had to use the actual RebindDNS object in v1.js. Seems to be working now except the DNS responses are for the $INTERNAL_IP instead of the $EXTERNAL_IP.

;; QUESTION SECTION:
;9b359ec6-6d7d-4587-8348-d9e217fcde79.webcdn.website.   IN       A

;; ANSWER SECTION:
9b359ec6-6d7d-4587-8348-d9e217fcde79.webcdn.website.    4       IN      A       172.30.0.10

This must be a miss use of the --http-bind, --http-pool, and --http-bind-map parameters, but I can't for the life of me come up with a combination that responds with my $EXTERNAL_IP... Especially considering the server logs this on start:

INFO[0059] Releasing lease on 54.173.189.125\172.30.0.10:80

I think I want those values reversed but flipping them in --http-bind-map gives me:

INFO[0000] Found 0 eligible addresses meeting criteria: [] 
INFO[0000] Created new DNSServer bound to "0.0.0.0:53" (tcp) 
panic: invalid argument to Intn

goroutine 1 [running]:
math/rand.(*Rand).Intn(0xc420086150, 0x0, 0xc4200944b0)
        /usr/local/go/src/math/rand/rand.go:166 +0x9c
math/rand.Intn(0x0, 0x892714)
        /usr/local/go/src/math/rand/rand.go:326 +0x37
main.(*Pool).Lease(0xc4200877a0, 0x8d2260, 0xc42006e340, 0xc420063d78, 0x1, 0x1, 0x0)
        /home/ubuntu/go/src/jaqen/pool.go:79 +0x3ac
main.(*RebindManager).Listen(0xc4200721e0, 0x8d2260, 0xc42006e340, 0x7ffec3ea6861, 0xa, 0xc42000e0a0, 0x1, 0x1, 0x1, 0xc4200b0b40, ...)
        /home/ubuntu/go/src/jaqen/manager.go:93 +0x333
main.main()
        /home/ubuntu/go/src/jaqen/cli.go:117 +0x85b

Would someone giving a better explanation of the role those flags play?