
DNS Hijack

Mobile malware is growing fast on today's networks. With the following example we can check whether DNS hijacking is taking place for certain domains on our network and detect it. Let's see how it works using the functionality of the DNSDomain class:

```python
import pyaiengine
```

Define a function that verifies that the given IP address is valid for the domain.

```python
def verifyIPAddress(ip):
    # Code the logic that checks whether the IP address is a legitimate
    # answer for the tracked domain. The stub returns False, so every
    # answer is reported until the real check is filled in.
    return False
```

Define a callback function for the detection and IP verification.

```python
def dns_hijack_callback(flow):

    d = flow.dns_info
    if (d):
        for dnsip in d:
            # An answer that fails verification is the hijack indicator.
            if (verifyIPAddress(dnsip) == False):
                print("DNS Hijack on ip %s domain %s resolved to %s" % (flow.src_ip, d.domain_name, dnsip))
```

Create a new Virtual/cloud stack.

```python
if __name__ == '__main__':

    st = pyaiengine.StackVirtual()
```

Allocate the maximum number of flows on the UDP stack.

```python
    st.udp_flows = 1638400
```

Configure the DNS domain to track and verify.

```python
    dm = pyaiengine.DomainNameManager()
    dom = pyaiengine.DomainName("Domain to track", ".mydomain.com")
    dom.callback = dns_hijack_callback
    dm.add_domain_name(dom)

    st.set_domain_name_manager(dm, "DNSProtocol")
```

Open the network device, set the stack and run the engine.

```python
    with pyaiengine.PacketDispatcher("eth0") as pd:
        pd.stack = st
        pd.run()
```
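Filling in the verification step that the wiki leaves as a stub, as an added example that is not part of the aiengine wiki or project: the allow-list of expected address blocks per domain is a constructed placeholder, and the callback only assumes the `flow.dns_info` and `flow.src_ip` attributes the page already uses.

```python
import ipaddress

# Constructed allow-list: the address blocks each tracked domain is expected
# to resolve to (placeholder values, not real assignments).
EXPECTED_NETWORKS = {
    "mydomain.com": ["192.0.2.0/24", "2001:db8:10::/48"],
    "login.mydomain.com": ["192.0.2.16/28"],
}

def lookup_networks(domain):
    """Allowed networks for a domain, falling back to parent labels so that
    'cdn.mydomain.com' inherits the entry for 'mydomain.com'."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in EXPECTED_NETWORKS:
            return [ipaddress.ip_network(n) for n in EXPECTED_NETWORKS[candidate]]
    return None

def verify_ip_address(domain, ip):
    """True if ip is an expected answer for domain; malformed addresses and
    domains with no allow-list entry count as unverified."""
    networks = lookup_networks(domain)
    if networks is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # ip_network.__contains__ is False across address families, so a v6
    # answer never matches a v4 block by accident.
    return any(addr in net for net in networks)

def detect_hijack(domain, answers):
    """Return the answers that fall outside the expected networks."""
    return [ip for ip in answers if not verify_ip_address(domain, ip)]

def dns_hijack_callback(flow):
    """Same shape as the wiki callback, with the verification filled in;
    returns the suspicious answers so the result can be checked."""
    d = flow.dns_info
    if not d:
        return []
    bad = detect_hijack(d.domain_name, list(d))
    for ip in bad:
        print("DNS Hijack: client %s domain %s resolved to %s"
              % (flow.src_ip, d.domain_name, ip))
    return bad

if __name__ == "__main__":
    # Constructed answers: the second address is outside 192.0.2.16/28.
    print(detect_hijack("login.mydomain.com", ["192.0.2.20", "203.0.113.9"]))
```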
