Intro
For demonstration purposes I’ve written a WEB interface to do DNS queries. This can be used for light querying. Once it gets abused I will pull it from the web site.
Motivation
Some large enterprises are behind not only a corporate firewall, but also confined to a private namespace with no access to Internet name resolution. Users in such situations can use one of the many available tools to do DNS resolution through the web, but they all want to throw advertising at you and it’s not clear which can be trusted not to load you up with spyware. I am offering this ad-free DNS lookup using my position on the Internet as a trusted source.
And if you’re lucky and looking for code to do this yourself, you might find it. But nowhere will you find a site that’s running its own published code for DNS resolution. Except here.
The code
Admittedly very simple-minded, but hopefully not fatally flawed, here it is in Perl.
#!/usr/bin/perl
use CGI;
$query = new CGI;
%allowedArgs = (domainname => 'dum',type => 'dum',short => 'dum');
#
print "Content-type: text/html\n\n";
print " |
#!/usr/bin/perl
use CGI;
$query = new CGI;
%allowedArgs = (domainname => 'dum',type => 'dum',short => 'dum');
#
print "Content-type: text/html\n\n";
print "
\n";
foreach $key ($query->param) {
exit(1) unless defined $allowedArgs{$key};
exit(1) if $query->param($key) !~ /^([a-zA-Z0-9\.-]){2,256}$/;
print "$key " . $query->param($key) . "\n";
}
# possible keys: domainname, type
$domainname = $query->param(domainname);
$type = $query->param(type);
$type = "any" unless $type;
# argument validation checks
exit(1) if $domainname !~ /^([a-zA-Z0-9\.-]){2,256}$/ || $domainname =~ /\.\./ || ! $domainname;
exit(1) if $type !~ /^([a-zA-Z]){1,8}$/;
# short answer?
$short = "+short" if defined $query->param(short);
# authoritative request?
if (defined $query->param(authoritative)) {
# this will be a lot more complicated and so is not implemented. Perhaps someday if there is a request...
}
open(DIG,"dig $short $type $domainname|") || die "Cannot run dig!!\n";
while() {
print ;
}
Yes it’s very old-school. I do not even use a DNS package. Why bother? It’s not rocket science. There’s a lot more to argument validation than it looks like – you would not believe the evil things people send to your web server. So you have to vigilant about injection attacks or shelling out by use of unexpected characters.
Usage
2020 Update
This URL has been deactivated since I moved to my new server. I’ll have to see if there’s time and interest to restore this functionality.
example 1
https://drjohnstechtalk.com/cgi-bin/digiface.cgi?domainname=johnstechtalk.com&type=a
domainname johnstechtalk.com
type a
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> a johnstechtalk.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;johnstechtalk.com. IN A
;; ANSWER SECTION:
johnstechtalk.com. 3600 IN A 50.17.188.196
;; Query time: 10 msec
;; SERVER: 172.16.0.23#53(172.16.0.23)
;; WHEN: Mon May 4 14:59:05 2015
;; MSG SIZE rcvd: 51 |
domainname johnstechtalk.com
type a
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> a johnstechtalk.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;johnstechtalk.com. IN A
;; ANSWER SECTION:
johnstechtalk.com. 3600 IN A 50.17.188.196
;; Query time: 10 msec
;; SERVER: 172.16.0.23#53(172.16.0.23)
;; WHEN: Mon May 4 14:59:05 2015
;; MSG SIZE rcvd: 51
example 2
https://drjohnstechtalk.com/cgi-bin/digiface.cgi?domainname=drjohnstechtalk.com&short
domainname drjohnstechtalk.com
short
50.17.188.196 |
domainname drjohnstechtalk.com
short
50.17.188.196
Familiarity with dig will help you determine the best switches to use as you can see that at the end of the day it is merely calling dig and sending back that output with a minimum of html markup. This will make it easy to parse the output programatically.
Conclusion
A simple DNS web interface is being announced today. Both the service and the code are being made available. The service may be pulled once it becomes abused.
References
2024 update
I learned about this basic but useful web interface to dig today: https://www.digwebinterface.com/
A nice, not too commercial web interface to dig and traceroute that is more user-friendly than mine is http://www.kloth.net/services/dig.php
The dig man pages can be helpful.
Got a geoDNS entry? Although this link has ads, it’s quite interesting because it sends your query to open DNS servers around the world: https://dnschecker.org/.
You can explore some details behind Google’s public resolving server 8.8.8.8 by using the web site: https://dns.google.com/. It’s quite helpful.
I won’t paste the link to my service but you can see what it is from the examples above.
There’s a simple but effective DIG available for your Android smartphone from the Playstore. That’s DNS debugger from TurboBytes. No obnoxious ads and yet no cost.
Of course if you are on the Internet and have access to dig, Google’s DNS servers are available for you to use directly.
Want to learn if the Great Friewall of China is clobbering the expected DNS result? The site https://viewdns.info/chinesefirewall/ is designed to do just that.
