Author: Guang mango
Source: Evil Octal Information Security Team (www.eviloctal.com)
Note: This article has been published in the Non-Security Hacker Manual magazine.
Since whois lookups became widely known, side-site attacks (旁注, often translated as "bypass" attacks, in which an attacker compromises a weaker site on the same shared host) have become a very common method for hackers. Besides configuring directory permissions properly, we can also block hackers at the stage where they run their whois queries.
Let's first look at how a whois query works. Every DNS domain name we use has to be registered with the international domain name organization based in the United States, and to make management easier the organization publishes the domain name information in the whois query system. So we only need to use whois to find out which IP address a domain name resolves to; once we have that IP address, we can use the whois query function again to find every domain name in the registration records that resolves to the same IP address. That is the whole of a whois-based lookup.
Looking at the entire whois query process, once whois has found out what the IP address of a domain name is, it seems rather hard to stop it from going on to find the other domain names bound to that IP address. So let's start at the first step, the whois lookup of the IP address a domain name resolves to, and stop it there. Of course, "stopping" here does not mean attacking the whois host; that is not realistic. In fact, the resolution IP address that whois reports is the IP address we fill in ourselves in the record at our domain name management panel. Therefore we only need to fill in an incorrect resolution address in the domain name management record, and the address whois reports will naturally be wrong too.
Someone may say, "If you enter a wrong IP address in the record, whois can't find you, but the domain name can't be resolved properly either." This is the focus of the article: in fact we only need to do a little work in the records to make the domain name resolve normally. Let's look at the general DNS resolution process. After we type a domain name into the browser, the lookup order is: local records → local domain name server → ...... → the next domain name server → the website is resolved, or an error is returned. Normally, if the A record is set up correctly, the browser resolves it and reaches the website. Now suppose our domain name is resolved from the "next domain name server". When the browser finds the relevant record on that server, it accesses the website using the recorded IP address. What happens if the IP address we bound is wrong, that is, the resolved IP address is not bound to this domain name (put simply, the domain name is not bound in that server's IIS)? Imagine what we would do if we looked a book up in the library catalogue and could not find it on the shelf: of course we would suspect we had read the catalogue wrong. The browser does the same: it suspects that the information it got from the domain name server was incorrect, goes back to the "next domain name server" and looks again. We can use this to keep our website reachable: we only need to add a second, identical domain name entry after the wrong one and resolve it to the correct IP address.
Can a domain name be bound to more than one IP address? If not, we try again. Next, let's bind 1.XXX.net to X.X.X.1. To hide my IP address, I first add an A record resolving the domain name 1.XXX.net to the IP address X.X.X.2 (Figure 1). I certainly have not bound my domain name on X.X.X.2, so entering 1.XXX.net cannot reach my website yet. Next, let's add another domain name entry, again 1.XXX.net, but this time resolved to the correct X.X.X.1. Why? So that one domain name is bound to two IP addresses (Figure 2). Let's see whether this "dual IP" domain name resolves correctly. Entering 1.XXX.net in the browser seems a little slow, but after a minute or so it resolves normally; there is one extra resolution step, so the slowness is to be expected. However, once the first resolution has succeeded, the speed returns to normal, because the domain name information has been downloaded to the local machine and can be resolved there directly. Now let's look at the whois query: take out the Veteran (老兵) virtual host query tool and enter 1.XXX.net. The IP address it finds is X.X.X.2 (Figure 3). Let's try once more: ping 1.XXX.net also returns the IP address X.X.X.2 (Figure 4). In fact many websites such as NetEase use a similar method to bind domain names, but they bind several correct IP addresses so that requests are distributed automatically when the load is too high.
When using this method, you must first set the wrong resolution address in the records and only then add the correct one, because both the whois query and ping look up the IP address for a domain name in record order. In addition, it is best to set the wrong IP address to a host that runs no web service; otherwise the IIS on that host may cheerfully send visitors to its default website instead.
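The fallback behaviour the article relies on, as an added example that is not part of the original article: a client walks the "A record set" in order, and only moves on to the next address when a connection fails. Loopback ports stand in for the two public IPs (an assumption), so the same script shows the recommended case (decoy host with no web service, so the client falls through to the real site) and the failure mode just described (decoy host serving its own default site, which the client happily accepts).

```python
import socket
import threading


def start_server(body: bytes):
    """Start a tiny loopback HTTP server that answers every request with body.

    Returns (listening_socket, port). Constructed test fixture, not a real host.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed
                return
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n" + body)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """Reserve a loopback port and release it, so connect() is refused.

    This plays the "host without web services" the article recommends as decoy.
    """
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def client_fallback(records, timeout=1.0):
    """Emulate a browser trying each (host, port) in record order.

    Returns (addresses_tried, response_body_or_None).
    """
    tried = []
    for host, port in records:
        tried.append((host, port))
        try:
            with socket.create_connection((host, port), timeout=timeout) as c:
                c.sendall(b"GET / HTTP/1.0\r\nHost: 1.XXX.net\r\n\r\n")
                return tried, c.recv(1024).split(b"\r\n\r\n", 1)[1]
        except OSError:
            continue  # decoy refused or timed out: fall through to next record
    return tried, None
```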
Of course, this method does not completely prevent a website's IP address from being found. As mentioned above, after a successful resolution the domain name information has been downloaded in full to the local machine, so one only needs to look at the relevant files on the local machine to learn the real IP address of the website. (It suddenly occurred to me: if someone broke into a domain name server, which is not uncommon, could he attach viruses or trojans to the domain name information? The trojan would then be downloaded along with every domain name resolved through that server, which makes for a lot of bots. Sweat.) In addition, ping with the right parameters lists all the IP addresses bound to a domain name, and tools such as IP-displaying browsers show a website's IP address directly. Still, binding the domain name this way is enough to defeat a newbie's whois query, and with directory permission control added on top, the side-site attack is dead for good.
Attachments: the figures referenced above.