Closed kavasilo closed 3 years ago
Hey @kavasilo,
Sorry for the delay in my response.
In order to get PDF tokens to work, there are a few details to consider and confirm for me. I see in your `frontend.env` you have made your `CANARY_NXDOMAINS` and `CANARY_DOMAIN` point at the same domain.
Would you mind trying to point that environment variable at a separate domain? You would need to point that domain at your canarytokens server IP too. Please let me know if this works for you.
I would like to add here that, as was already mentioned, NXDOMAINS has to be different from DOMAINS.
Secondly, you need to create an NS record (in the domain management console of the provider you got your domain from). Let's say your `CANARY_DOMAINS` is `example.com`. Then make your `CANARY_NXDOMAINS` `dns.example.com`.
At your domain provider's console create an `A record` for `example.com` and map it to your public IP. And create an `NS record` for `dns.example.com` and map it to `example.com`.
The above will make all DNS requests for "sometexthere".dns.example.com be directed towards your `example.com` server (UDP/53 has to be open on your server for incoming!), and that DNS querying is what triggers the PDF alerts.
@thinkst Well done guys, great idea & solution! The only downside is the lack of details and manuals.
Hey @kuriackovskij,
Thanks for the step-by-step on this. I have added a version of it to our setup steps.
Thank you also for the kind words and we really appreciate all the contributions here. Please email me at jay [at] thinkst [dot] com so that I can organise something as a thanks!
I tried to use a different domain and it didn't work, that's why I posted it here in the first place... Usually I read the manual and setup instructions before posting anything, but I will try again...
Hey @kavasilo,
I just read through your original post again (for some context) and I'm wondering what you tried to open the tokened PDF with? Typically we have only had high success with Adobe (other PDF readers are on our roadmap).
Would you also mind posting the `.env` and zone file of your current setup? (You mentioned that you tried using different domains, but that isn't reflected in your original question.) Hopefully we can figure this out quickly and get your Canarytokens server up and running.
Closing this issue because it is old. We have written up a wiki page on setting up the domains for the Canarytokens docker setup.
Hi,
I have set up my zone like this:

```
A    *   x.x.x.x                 600 sec
NS   @   ns20.domaincontrol.com  1 hour
NS   @   ns40.domaincontrol.com  1 hour
SOA  @   main nameserver: ns29.domaincontrol.com.  1 hour
```

The setup of my env files is the below.

Frontend.env:

```
CANARY_DOMAINS=domain.com
CANARY_NXDOMAINS=domain.com
CANARY_GOOGLE_API_KEY=MY_API_KEY_HERE
CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads
CANARY_MAX_UPLOAD_SIZE=1024102410
LOG_FILE=frontend.log
```

Switchboard.env:

```
CANARY_MAILGUN_DOMAIN_NAME=
CANARY_MAILGUN_API_KEY=
CANARY_MANDRILL_API_KEY=
CANARY_SENDGRID_API_KEY=my_sendgrid_api_here
CANARY_PUBLIC_IP=x.x.x.x
CANARY_PUBLIC_DOMAIN=domain.com
CANARY_ALERT_EMAIL_FROM_ADDRESS=alert@domain.com
CANARY_ALERT_EMAIL_FROM_DISPLAY="Canary Token Alert"
CANARY_ALERT_EMAIL_SUBJECT="Canarytoken"
CANARY_TOKEN_RETURN=fortune
CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads
LOG_FILE=switchboard.log
```

If I create a PDF I don't get any alert, but if I do the following:

```
nslookup domain.com my_ip_address_hosting_canarytokens
```

I get the alert.

Through Wireshark I see that when I open the PDF two DNS requests are performed:

```
192.168.1.10 ----> 8.8.8.8       sc918xzqauaebct8z05t4ln7a.domain.com
8.8.8.8      ----> 192.168.1.10  A Record A x.x.x.x
```

I used your online service to create a PDF and then inspected the network traffic via Wireshark. The same DNS requests are performed.
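As an added example, not code from the canarytokens project or from anyone in this thread, the script below sends the same kind of DNS A query that opening a tokened PDF generates, but straight to the canarytokens host on UDP/53. That is the check kavasilo did with `nslookup domain.com <server ip>`, and it exercises the point kuriackovskij makes about UDP/53 having to be open for incoming traffic: a timeout means the port or the service is the problem, while an answer here combined with no alert when the same name is resolved through a public resolver points at the NS delegation of the NXDOMAINS zone. The server IP 203.0.113.10, `CANARY_DOMAINS=example.com`, `CANARY_NXDOMAINS=dns.example.com` and the token label are assumptions, not values from the thread; the script uses only the standard library so it works without dnspython.

```python
"""Added example, not code from the canarytokens project or this thread.

Sends the same kind of DNS A query that opening a tokened PDF generates, but
directly to the canarytokens host on UDP/53. This separates "UDP/53 is not
reachable" (timeout) from "the public NS delegation is wrong" (answer here,
but no alert when the name is resolved through a public resolver).

Assumptions (not from the original post): CANARY_DOMAINS=example.com,
CANARY_NXDOMAINS=dns.example.com, server at 203.0.113.10, made-up token label.
"""
import random
import socket
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Hostname to DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """One-question A/IN query with the RD bit set, as a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remember where we were
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes, txid: int) -> dict:
    """Check the transaction id, then pull rcode, AA flag and A records out."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4                    # QTYPE + QCLASS
    a_records = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlen == 4:
            a_records.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x0F, "authoritative": bool(flags & 0x0400),
            "a_records": a_records}


def probe(server_ip: str, name: str, timeout: float = 3.0) -> dict:
    """Query the canarytokens host directly. socket.timeout means UDP/53 is
    closed or nothing is listening; an answer means the server side works."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data, txid)


if __name__ == "__main__":
    # Assumed values; replace with your CANARY_PUBLIC_IP and NXDOMAINS zone.
    print(probe("203.0.113.10", "sometexthere.dns.example.com"))
```

Run it from a host outside your own network, since that is where the PDF reader's resolver will be. Each run sends a new made-up label, so every answered query should also show up as an alert on the server if the token domain is set up; the transaction-id check in `parse_response` discards unrelated UDP replies so a stray packet is not mistaken for a working server.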