/// <summary>
/// Looks up the PTR record for a dotted IPv4 address through the currently selected
/// trusted resolver (<c>TrustedResolver.DnsOverHttps</c>).
/// </summary>
/// <param name="ipAddress">
/// Address text in dotted form; it is split on '.' and the parts are reversed to build
/// the <c>in-addr.arpa</c> query name. No validation is performed here.
/// </param>
/// <returns>
/// The resolver's answer, or an empty string when the answer is empty or "NXDOMAIN".
/// </returns>
private string IpReverseLookup(string ipAddress)
{
    // a.b.c.d -> d.c.b.a.in-addr.arpa
    var labels = ipAddress.Split('.');
    Array.Reverse(labels);
    var queryName = string.Join(".", labels) + ".in-addr.arpa";

    var resolver = new TrustedResolver(queryName, _dictResolvers[_indexResolver].Api, "PTR");
    var answer = resolver.DnsOverHttps();

    // PTR data is published by whoever controls the address's reverse zone, so callers
    // should treat the returned name as a hint, not as proof of ownership.
    return answer == "" || answer == "NXDOMAIN" ? "" : answer;
}
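/// <summary>
/// Compares the A records of a DNS response from the untrusted resolver with the answer
/// obtained for the same name through the selected trusted DNS-over-HTTPS resolver,
/// classifies the difference and reports one row through <c>UpdateRow</c>.
/// </summary>
/// <param name="response">DNS response received from the untrusted resolver.</param>
/// <param name="ipResolver">
/// Passed unchanged to <c>UpdateRow</c>; presumably the untrusted resolver's address (confirm against caller).
/// </param>
/// <remarks>
/// The <c>type</c> codes ("0" to "8" and "J") are interpreted by <c>UpdateRow</c>, which is not
/// visible here. A response with an empty answer section is ignored instead of throwing.
/// </remarks>
private void UpdateListView(Response response, string ipResolver)
{
    // The response is network input from the resolver under observation. Without this guard an
    // empty answer section throws on AnswerRecords[0] below and aborts the comparison path.
    // NOTE(review): such responses are dropped without a row; log them if visibility is needed.
    if (!response.AnswerRecords.Any())
    {
        return;
    }

    // IP addresses returned by the untrusted resolver (A records only).
    var untrustedAddresses = response.AnswerRecords
        .Where(r => r.Type == RecordType.A)
        .Cast<IPAddressResourceRecord>()
        .Select(r => r.IPAddress)
        .ToList();

    var domainReq = response.AnswerRecords[0].Name.ToString();
    var info = "";
    var type = "6";
    var time = DateTime.Now.ToString("MM/dd/yyyy HH:mm:ss");

    // Passive mode: record the DNS response only, without any DNS-over-HTTPS lookup.
    if (cbPassive.Checked)
    {
        UpdateRow(time, ipResolver, domainReq, "", "", "", "Passive Mode", "0");
        return;
    }

    var initial = _dictResolvers[_indexResolver].Ini;
    var objResolver = new TrustedResolver(domainReq, _dictResolvers[_indexResolver].Api, "A");
    var trusted = objResolver.DnsOverHttps();
    var untrusted = string.Join(",", untrustedAddresses);

    // An empty trusted answer leaves the defaults (type "6", no info) in place.
    if (trusted != "")
    {
        if (trusted == untrusted)
        {
            type = "5";
        }
        else if (untrustedAddresses.Count == 1)
        {
            if (trusted.Split(',').Length > 1)
            {
                info = "IP addresses do not match";
                type = "6";
            }
            else if (IsPrivate(untrusted))
            {
                if (trusted != "NXDOMAIN")
                {
                    type = "1";
                    info = "Public domain gets a private IP (possible DNS Spoof)";
                }
                else
                {
                    type = "4";
                    info = "Local resource";
                }
            }
            else if (trusted == "NXDOMAIN")
            {
                type = "8";
                info = "Non-existent domain gets a public IP (possible DNS Spoof)";
            }
            else
            {
                // Both answers are single public addresses.
                // NOTE(review): assumes the trusted answer is a bare IPv4 literal here; any other
                // text makes IPAddressRange.Parse throw. Confirm what DnsOverHttps can return.
                var rangeC = IPAddressRange.Parse(trusted + "/255.255.255.0");
                var rangeB = IPAddressRange.Parse(trusted + "/255.255.0.0");
                var untrustedIp = IPAddress.Parse(untrusted);

                // A shared /24 or /16 is a heuristic only: addresses in the same hosting or
                // cloud range can belong to different tenants, so it does not prove the
                // untrusted answer is legitimate.
                if (rangeC.Contains(untrustedIp))
                {
                    info = "Same /24 Domain: " + rangeC;
                    type = "3";
                }
                else if (rangeB.Contains(untrustedIp))
                {
                    info = "Same /16 Domain: " + rangeB;
                    type = "2";
                }
                else
                {
                    // PTR names are published by whoever controls each address's reverse zone,
                    // so a match on them is weak corroboration rather than verification.
                    var ptrUntrust = IpReverseLookup(untrusted);
                    var ptrTrust = IpReverseLookup(trusted);

                    if (CompareSubdomain(ptrUntrust, ptrTrust))
                    {
                        info = $"Second-level domain in common: {ptrUntrust} / {ptrTrust}";
                        type = "7";
                    }
                    else if (CompareSubdomain(ptrUntrust, domainReq))
                    {
                        info = "Second-level domain in common: " + ptrUntrust;
                        // NOTE(review): "J" is the only non-numeric code; confirm UpdateRow handles it.
                        type = "J";
                    }
                    else if (cbWhois.Checked)
                    {
                        // untrusted already parsed as an IP address above, so no second check is needed.
                        // NOTE(review): PTR and whois text are remote-supplied; assumes UpdateRow shows them as plain text.
                        info = WhoisIP(untrusted);
                    }
                }
            }
        }
        else if (untrustedAddresses.Count > 1 && trusted != "NXDOMAIN")
        {
            var trustedParts = trusted.Split(',');
            var trustedAddrSep = trustedParts
                .Select(IPAddress.Parse)
                .ToList();

            // Same number of addresses and every untrusted address present in the trusted set.
            if (trustedParts.Length == untrustedAddresses.Count
                && untrustedAddresses.All(trustedAddrSep.Contains))
            {
                type = "5";
            }
            else
            {
                info = "IP addresses do not match";
            }
        }
        // NOTE(review): several untrusted addresses with a trusted "NXDOMAIN" keep type "6" and an
        // empty info, unlike the single-address case (type "8"); confirm that gap is intended.
    }

    UpdateRow(time, ipResolver, domainReq, untrusted, trusted, initial, info, type);
}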