Project

rogue_one

0.01
No release in over 3 years
Low commit activity in last 3 years
rogue_oneninoseki/rogue_oneHomepageDocumentationSource CodeBug TrackerWiki
A rogue DNS detector
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
19,532
Stars
23
Forks
6
Watchers
4
 Releases
Current version
0.4.3
Total releases
11
First release
2019-04-25
Latest release
2021-10-10
 Issues
Open Issues
1
Closed Issues
0
Total Issues
1
Issue Closure Rate
0%
 Pull Requests
Open Pull Requests
1
Closed Pull Requests
0
Merged Pull Requests
41
Pull Request Acceptance Rate
97%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2020-09-23
Reverse Dependencies
0

 Dependencies

Development

bundler
~> 2.2
rake
~> 13.0
coveralls_reborn
~> 0.23
rspec
~> 3.10

Runtime

async-dns
~> 1.3
thor
~> 1.1
 Project Readme

Rogue one

Gem Version Ruby CI CodeFactor Coverage Status

A PoC tool for analyzing a rogue DNS server.

This tool could be used for checking maliciousness of a DNS server and extracting landing pages.

How it works

image

IPv4 space is vast. But an attacker could secure a few numbers of IP addresses for landing pages. It means you can (probably) find malicious landing pages by using the following methods.

  • Resolving a bunch of domains by using a DNS server.
  • Finding frequent IPv4s from the resolutions. They might be landing pages.
  • If a DNS server has landing pages, it might be a rogue one.

Requirements

  • Ruby 3.x / Ruby 2.7+

Installation

gem install rogue_one

Usage

$ rogue_one
Commands:
  rogue_one help [COMMAND]       # Describe available commands or one specific command
  rogue_one report [DNS_SERVER]  # Show a report of a given DNS server

$ rogue_one help report
Usage:
  rogue_one report [DNS_SERVER]

Options:
  [--custom-list=CUSTOM_LIST]    # A path to a custom list of domains
  [--default-list=DEFAULT_LIST]  # A default list of top 100 domains (Alexa or Fortune)
                                 # Default: alexa
  [--record-type=RECORD_TYPE]    # A type of the DNS resource to check
                                 # Default: A
  [--threshold=N]                # Threshold value for determining malicious or not
  [--verbose], [--no-verbose]

Show a report of a given DNS server

$ rogue_one report 1.1.1.1
{
  "verdict": "benign one",
  "landing_pages": [

  ]
}

$ rogue_one report 1.53.252.215
{
  "verdict": "rogue one",
  "landing_pages": [
    "1.171.168.19",
    "1.171.170.228",
    "61.230.102.66"
  ]
}

$ rogue_one report 171.244.3.111 --custom-list tmp/roaming.yml
{
  "verdict": "rogue one",
  "landing_pages": [
    "154.223.53.53",
    "58.82.243.9"
  ]
}
# Note: a custom list should be an array of domains in a YAML file.
Key Desc.
verdict A detection result (rogue one or benign one)
landing_pages An array of IP of landing pages
results DNS resolution results (only available if --verbose option is specified)

Notes

  • This is just a PoC tool. I cannot guarantee the results with high confidence at the moment.

License

The gem is available as open source under the terms of the MIT License.