thinkst / canarytokens-docker

Docker configuration to quickly set up your own Canarytokens.
BSD 3-Clause "New" or "Revised" License

PDF token not working #32

Closed kavasilo closed 3 years ago

kavasilo commented 5 years ago

Hi,

I have set up my zone like this:

```
A    *   x.x.x.x                                    600 sec
NS   @   ns20.domaincontrol.com                     1 hour
NS   @   ns40.domaincontrol.com                     1 hour
SOA  @   main nameserver: ns29.domaincontrol.com.   1 hour
```

The setup of my env files is below.

Frontend.env:

```
CANARY_DOMAINS=domain.com
CANARY_NXDOMAINS=domain.com
CANARY_GOOGLE_API_KEY=MY_API_KEY_HERE
CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads
CANARY_MAX_UPLOAD_SIZE=1024102410
LOG_FILE=frontend.log
```

Switchboard.env:

```
CANARY_MAILGUN_DOMAIN_NAME=
CANARY_MAILGUN_API_KEY=
CANARY_MANDRILL_API_KEY=
CANARY_SENDGRID_API_KEY=my_sendgrid_api_here
CANARY_PUBLIC_IP=x.x.x.x
CANARY_PUBLIC_DOMAIN=domain.com
CANARY_ALERT_EMAIL_FROM_ADDRESS=alert@domain.com
CANARY_ALERT_EMAIL_FROM_DISPLAY="Canary Token Alert"
CANARY_ALERT_EMAIL_SUBJECT="Canarytoken"
CANARY_TOKEN_RETURN=fortune
CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads
LOG_FILE=switchboard.log
```

If I create a PDF I don't get any alert, but if I do the following:

nslookup domain.com my_ip_address_hosting_canarytokens

I get the alert.

Through Wireshark I see that when I open the PDF, two DNS packets are exchanged:

```
192.168.1.10 ----> 8.8.8.8       sc918xzqauaebct8z05t4ln7a.domain.com
8.8.8.8      ----> 192.168.1.10  A Record A x.x.x.x
```

I used your online service to create a PDF and then inspected the network traffic via Wireshark. The same DNS requests are performed.

thinkst commented 5 years ago

Hey @kavasilo,

Sorry for the delay in my response.

In order to get PDF tokens to work, there are a few details to consider and confirm for me. I see in your frontend.env that you have made your CANARY_NXDOMAINS and CANARY_DOMAINS point at the same domain.

Would you mind trying to point that environment variable at a separate domain? You would need to point that domain at your canarytokens server IP too. Please let me know if this works for you.

kuriackovskij commented 5 years ago

I would like to add here that, as was already mentioned, NXDOMAINS has to be different from DOMAINS.

Secondly, you need to create an NS record (in the domain management console of the provider you got your domain from). Let's say your CANARY_DOMAINS is example.com. Then make your CANARY_NXDOMAINS dns.example.com. At your domain provider's console, create an A record for example.com and map it to your public IP, and create an NS record for dns.example.com and map it to example.com. The above will make all DNS requests for "sometexthere".dns.example.com be directed to your example.com server (UDP/53 has to be open on your server for incoming traffic!), and that DNS querying is what triggers the PDF alerts.

@thinkst Well done guys, great idea and solution! The only downside is the lack of details and manuals.
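The DNS layout described in the two comments above (a CANARY_NXDOMAINS that differs from CANARY_DOMAINS, an A record for the apex at the server IP, and an NS record delegating the NXDOMAINS name to that apex) can be sanity-checked before touching a registrar console. The script below is an added example, not code from thinkst/canarytokens-docker: it parses a minimal BIND-style zone snippet (A and NS records only) together with the three relevant .env values and lists what is missing. The sample zones, the names example.com and dns.example.com, the address 203.0.113.10 and the function names are constructed for illustration; the first sample mirrors the layout in the original report, the second the layout recommended above. It cannot tell you whether UDP/53 is reachable from the internet; confirm that separately with a query from outside the network once the records are in place.

```python
"""Offline sanity check for a Canarytokens docker DNS layout.

Added example, not code from thinkst/canarytokens-docker. Parses a minimal
BIND-style zone snippet (A and NS records only) plus the relevant .env values
and reports the misconfigurations discussed in this issue. All names, IPs and
zone text below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified owner name, lower-case, no trailing dot
    rtype: str   # "A" or "NS"
    rdata: str   # IPv4 address for A, fully qualified hostname for NS


def _fqdn(name: str, origin: str) -> str:
    """Expand a zone-file name ('@', '*', 'dns', 'host.tld.') relative to origin."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> list[Record]:
    """Parse '<owner> [ttl] [IN] <type> <rdata>' lines; other record types are skipped."""
    origin = origin.lower().rstrip(".")
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):         # skip blanks and $ORIGIN/$TTL
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        rest = [f for f in rest if not f.isdigit() and f.upper() != "IN"]  # drop TTL/class
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        if rtype == "NS":
            rdata = _fqdn(rdata, origin)
        elif rtype != "A":
            continue
        records.append(Record(_fqdn(owner, origin), rtype, rdata))
    return records


def check_setup(records: list[Record], env: dict[str, str]) -> list[str]:
    """Return the problems found; an empty list means the layout matches the advice in this thread."""
    domains = env["CANARY_DOMAINS"].lower().rstrip(".")
    nx = env["CANARY_NXDOMAINS"].lower().rstrip(".")
    ip = env["CANARY_PUBLIC_IP"]
    a = {r.name: r.rdata for r in records if r.rtype == "A"}
    ns = defaultdict(set)
    for r in records:
        if r.rtype == "NS":
            ns[r.name].add(r.rdata)

    problems = []
    if nx == domains:
        msg = "CANARY_NXDOMAINS must be a different name from CANARY_DOMAINS"
        if f"*.{domains}" in a:
            # The zone's own nameservers answer token lookups from the wildcard,
            # so the queries never reach the Canarytokens server.
            msg += f" (the wildcard A record *.{domains} answers token lookups before they reach the server)"
        problems.append(msg)
    if a.get(domains) != ip:
        problems.append(f"{domains} needs an A record pointing at {ip}")
    targets = ns.get(nx, set())
    if not targets:
        problems.append(f"{nx} needs an NS record delegating it to a host that resolves to {ip}")
    for host in sorted(targets):
        if a.get(host) != ip:
            problems.append(f"{nx} is delegated to {host}, which has no A record for {ip} in this zone")
    return problems


# Constructed sample 1: the layout from the original report, with documentation
# values substituted. Wildcard A at the apex, registrar nameservers, and
# NXDOMAINS equal to DOMAINS.
BROKEN_ZONE = """
*    600   IN  A   203.0.113.10
@    3600  IN  NS  ns20.domaincontrol.com.
@    3600  IN  NS  ns40.domaincontrol.com.
"""
BROKEN_ENV = {"CANARY_DOMAINS": "example.com",
              "CANARY_NXDOMAINS": "example.com",
              "CANARY_PUBLIC_IP": "203.0.113.10"}

# Constructed sample 2: the layout recommended in this thread. The apex has an
# A record at the server and dns.example.com is delegated back to that apex.
FIXED_ZONE = """
@    600   IN  A   203.0.113.10
*    600   IN  A   203.0.113.10
dns  3600  IN  NS  example.com.
"""
FIXED_ENV = {"CANARY_DOMAINS": "example.com",
             "CANARY_NXDOMAINS": "dns.example.com",
             "CANARY_PUBLIC_IP": "203.0.113.10"}


def check_samples() -> dict[str, list[str]]:
    return {
        "broken": check_setup(parse_zone(BROKEN_ZONE, "example.com"), BROKEN_ENV),
        "fixed": check_setup(parse_zone(FIXED_ZONE, "example.com"), FIXED_ENV),
    }


if __name__ == "__main__":
    for label, problems in check_samples().items():
        print(f"{label}: {'ok' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run with python3; the first sample reports four problems (same name for both variables, no apex A record, and two registrar nameservers that do not lead to the server), the second none. The wildcard A record is flagged only when NXDOMAINS equals DOMAINS: once dns.example.com is delegated with its own NS record, lookups beneath it are referred to the delegated server rather than answered by the wildcard in the parent zone, so the wildcard can stay.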

thinkst commented 5 years ago

Hey @kuriackovskij,

Thanks for the step-by-step on this. I have added a version of it to our setup steps.

Thank you also for the kind words; we really appreciate all the contributions here. Please email me at jay [at] thinkst [dot] com so that I can organise something as a thanks!

kavasilo commented 5 years ago

I tried to use a different domain and it didn't work; that's why I posted it here in the first place... Usually I read the manual and setup instructions before posting anything, but I will try again...

jayjb commented 5 years ago

Hey @kavasilo,

I just read through your original post again (for some context) and I'm wondering what you tried to open the tokened PDF with? Typically we have only had high success with Adobe (other PDF readers are on our roadmap).

Would you also mind posting the .env and zone file of your current setup? (You mentioned that you tried using different domains, but that isn't reflected in your original question.) Hopefully we can figure this out quickly and get your Canarytokens server up and running.

jayjb commented 3 years ago

Closing this issue because it is old. We have written up a wiki page on setting up the domains for the Canarytokens Docker setup.