
New analyzer : Google DNS over HTTPS #305

Merged
merged 3 commits into from
Oct 21, 2018

Conversation

0xswitch
Contributor

Hi,

I just finished developing a new analyzer based on the Google DNS resolver over HTTPS.

This analyzer accepts ip, domain and fqdn observables and returns the different associated records provided by this Google service.

There are already analyzers that provide DNS records; however this one is free and doesn't need an API key. Moreover it can be used behind a corporate proxy which allows only HTTP and HTTPS traffic.

@3c7 3c7 added category:enhancement Issue is related to an existing feature to improve scope:analyzer Issue is analyzer related status:pr-submitted status:needs-review labels Aug 2, 2018
@crackytsi
Contributor

Thanks for contributing this analyzer.
I have no clue why, but when I run it on the console
echo '{"data":"8.8.8.8", "dataType":"ip"}' | python3 GoogleDNS/GoogleDNS_resolve.py
it works smoothly, but from within Cortex or TheHive it fails with

{
  "errorMessage": "Invalid output\n",
  "input": null,
  "success": false
}

@3c7
Contributor

3c7 commented Aug 9, 2018

@crackytsi Can you post the console output?

@crackytsi
Contributor

root@test:/opt/Cortex-Analyzers/analyzers# echo '{"data":"8.8.8.8", "dataType":"ip"}' | python GoogleDNS/GoogleDNS_resolve.py
{"success": true, "summary": {"taxonomies": [{"predicate": "RecordsCount", "namespace": "GoogleDNS", "level": "info", "value": 1}]}, "full": {"Comment": "Response from 216.239.38.10.", "TC": false, "AD": false, "CD": false, "Status": "No Error", "Answer": [{"name": "8.8.8.8.in-addr.arpa.", "data": "google-public-dns-a.google.com.", "TTL": 21599, "type": "PTR"}], "Question":[{"name": "8.8.8.8.in-addr.arpa.", "type": "*"}], "RA": true, "RD": true}, "artifacts": []}

@crackytsi
Contributor

@3c7
More pretty:

echo '{"data":"8.8.8.8", "dataType":"ip"}' | python3 GoogleDNS/GoogleDNS_resolve.py | json_pp
{
   "success" : true,
   "full" : {
      "RA" : true,
      "TC" : false,
      "AD" : false,
      "Status" : "No Error",
      "CD" : false,
      "Answer" : [
         {
            "type" : "PTR",
            "data" : "google-public-dns-a.google.com.",
            "TTL" : 21599,
            "name" : "8.8.8.8.in-addr.arpa."
         }
      ],
      "Question" : [
         {
            "type" : "*",
            "name" : "8.8.8.8.in-addr.arpa."
         }
      ],
      "Comment" : "Response from 216.239.38.10.",
      "RD" : true
   },
   "artifacts" : [],
   "summary" : {
      "taxonomies" : [
         {
            "value" : 1,
            "namespace" : "GoogleDNS",
            "level" : "info",
            "predicate" : "RecordsCount"
         }
      ]
   }
}

@0xswitch
Contributor Author

0xswitch commented Aug 9, 2018

@crackytsi that's weird, it should be the opposite: when used through TheHive or Cortex it adds a lot of additional information like proxy.

Btw echo '{"data":"8.8.8.8", "dataType":"ip"}' | python3 GoogleDNS/GoogleDNS_resolve.py doesn't work for me, but it does work correctly through Cortex ..

@crackytsi
Contributor

How does it fail?

@0xswitch
Contributor Author

0xswitch commented Aug 9, 2018

No sorry, it also works (I just forgot to add my proxy). But if it works there, it should work through TheHive or Cortex. Didn't you miss something in the Cortex configuration like a proxy or ...?

@crackytsi
Contributor

No, I haven't configured a proxy. Actually there seems to be nothing that needs to be configured...

@3c7
Contributor

3c7 commented Aug 9, 2018

Gave it a spin:

./GoogleDNS_resolve.py <<< '{
"dataType": "domain",
"data": "google.de"
}'
{"success": true, "summary": {"taxonomies": [{"level": "info", "namespace": "GoogleDNS", "predicate": "RecordsCount", "value": 14}]}, "artifacts": [{"type": "ip", "value": "216.58.207.35"}, {"type": "ip", "value": "2a00:1450:4001:824::2003"}], "full": {"Status": "No Error", "TC": false, "RD": true, "RA": true, "AD": false, "CD": false, "Question": [{"name": "google.de.", "type": "*"}], "Answer": [{"name": "google.de.", "type": "A", "TTL": 299, "data": "216.58.207.35"}, {"name": "google.de.", "type": "AAAA", "TTL": 299, "data": "2a00:1450:4001:824::2003"}, {"name": "google.de.", "type": "NS", "TTL": 21599, "data": "ns2.google.com."}, {"name": "google.de.", "type": "MX", "TTL": 599, "data": "20 alt1.aspmx.l.google.com."}, {"name": "google.de.", "type": "NS", "TTL": 21599, "data": "ns1.google.com."}, {"name": "google.de.", "type": "MX", "TTL": 599, "data": "40 alt3.aspmx.l.google.com."}, {"name": "google.de.", "type": "MX", "TTL": 599, "data": "50 alt4.aspmx.l.google.com."}, {"name": "google.de.", "type": "SOA", "TTL": 59, "data": "ns1.google.com. dns-admin.google.com. 208024379 900 900 1800 60"}, {"name": "google.de.", "type": "MX", "TTL": 599, "data": "10 aspmx.l.google.com."}, {"name": "google.de.", "type": "MX", "TTL": 599, "data": "30 alt2.aspmx.l.google.com."}, {"name": "google.de.", "type": "TXT", "TTL": 299, "data": "\"v=spf1 -all\""}, {"name": "google.de.", "type": "CAA", "TTL": 21599, "data": "0 issue \"pki.goog\""}, {"name": "google.de.", "type": "NS", "TTL": 21599, "data": "ns3.google.com."}, {"name": "google.de.", "type": "NS", "TTL": 21599, "data": "ns4.google.com."}], "Comment": "Response from 216.239.38.10."}}

Seems to work.

@0xswitch could you change the shebang to #!/usr/bin/env python3? That way virtual environments work. :)

(echo '{"data": "google.de", "dataType": "domain"}' | ./GoogleDNS_resolve.py works as well, ofc)
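The report shape that the two console outputs above share (summary.taxonomies with a RecordsCount predicate, full, artifacts) can be reproduced offline. The following is an added example, not the PR's code: it converts a constructed dns.google /resolve style reply (numeric Status and record type codes, as that API returns them) into that report, builds the reverse-pointer name for ip observables the way the PTR output above shows, and surfaces A/AAAA answers as ip artifacts; the function names and the sample reply are assumptions.

```python
import ipaddress
import json

# Numeric RCODE "Status" values from a dns.google /resolve reply and their names
RCODE = {0: "No Error", 1: "Format Error", 2: "Server Failure", 3: "Non-Existent Domain"}
# Record type codes; the thread's output shows names ("PTR", "*") rather than codes
RRTYPE = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 255: "*", 257: "CAA"}

# Constructed sample shaped like a dns.google /resolve reply (not captured traffic)
SAMPLE_DOH = {
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "example.test.", "type": 255}],
    "Answer": [
        {"name": "example.test.", "type": 1, "TTL": 299, "data": "192.0.2.10"},
        {"name": "example.test.", "type": 28, "TTL": 299, "data": "2001:db8::10"},
        {"name": "example.test.", "type": 15, "TTL": 599, "data": "10 mail.example.test."},
    ],
}

def query_name(data, data_type):
    """Name to send to the resolver: the reverse-pointer name for an ip observable
    (8.8.8.8 -> 8.8.8.8.in-addr.arpa.), the observable itself for domain/fqdn."""
    if data_type == "ip":
        return ipaddress.ip_address(data).reverse_pointer + "."
    return data

def _named(rr):
    """Copy of a question/answer record with its numeric type replaced by its name."""
    return dict(rr, type=RRTYPE.get(rr.get("type"), rr.get("type")))

def build_report(doh):
    """Convert a decoded DoH reply into the Cortex report dict seen in the thread."""
    full = dict(doh)
    full["Status"] = RCODE.get(doh.get("Status"), "RCODE %s" % doh.get("Status"))
    full["Question"] = [_named(q) for q in doh.get("Question", [])]
    full["Answer"] = [_named(a) for a in doh.get("Answer", [])]
    # A and AAAA answers become ip artifacts so Cortex/TheHive can pivot on them
    artifacts = [{"type": "ip", "value": a["data"]} for a in full["Answer"] if a["type"] in ("A", "AAAA")]
    return {
        "success": True,
        "summary": {"taxonomies": [{"level": "info", "namespace": "GoogleDNS",
                                    "predicate": "RecordsCount", "value": len(full["Answer"])}]},
        "full": full,
        "artifacts": artifacts,
    }

if __name__ == "__main__":
    # A Cortex analyzer must write exactly one JSON document to stdout
    print(json.dumps(build_report(SAMPLE_DOH)))
```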

@crackytsi
Contributor

Sorry, I forgot to set the executable flag. Sorry, works fine :)

@jeromeleonard jeromeleonard self-requested a review October 21, 2018 08:36
@jeromeleonard jeromeleonard self-assigned this Oct 21, 2018
@jeromeleonard jeromeleonard requested a review from 3c7 October 21, 2018 08:36
@jeromeleonard jeromeleonard added this to the 1.14.0 milestone Oct 21, 2018
@jeromeleonard jeromeleonard merged commit d143119 into TheHive-Project:develop Oct 21, 2018
jeromeleonard added a commit that referenced this pull request Oct 21, 2018