Closed uggyuggy closed 1 year ago
Hi @uggyuggy,
Thanks for all info.
So the CANARY_NXDOMAINS is actually used for the PDF token whereas the other DNS tokens will use the CANARY_DOMAINS variable. So both should alert.
If your CANARY_DOMAINS isn't alerting then you may need to tweak your DNS setup slightly. Clearly your CANARY_NXDOMAINS setup is correct. What are your NS records for mydomain.com?
From what you're telling me, it looks like requests for mydomain.com aren't making it to your canarytokens server.
Let me know and we can get this sorted!
Hi @jayjb ,
My current DNS setup is
mydomain.com. NS ns1.registrar.com
mydomain.com. NS ns2.registrar.com
mydomain.com. A 1.2.3.4
connect.mydomain.com. NS mydomain.com.
So with this setup, this makes perfect sense to me:
whatever-token.mydomain.com does NOT trigger an alert (as my canary server is not defined as DNS server for mydomain.com).
whatever-token.connect.mydomain.com does trigger an alert (as my canary server is defined as DNS server for connect.mydomain.com, so it receives the request.)
> So the CANARY_NXDOMAINS is actually used for the PDF token whereas the other DNS tokens will use the CANARY_DOMAINS variable.
I guess this is the part I'm not sure I understand, or at least it is quite confusing to me. Is the PDF canary token some kind of DNS canary token? Is that why an NS record has to be created for it to work? So if the PDF canary token is some kind of DNS canary token (just embedded into a PDF), why aren't both configured the same way, both using CANARY_NXDOMAINS? What would not work if CANARY_NXDOMAINS were used for the DNS canary token too?
Thanks
Hi @uggyuggy,
So we do want both mydomain.com and connect.mydomain.com to use 1.2.3.4 as the DNS server.
The reason we differentiate between the two is because Adobe required a certain response for a DNS lookup that would mean that it would trigger without even allowing it (so bypassing that security pop up). So in the code, you will notice that we check whether the DNS request is aimed at a domain in CANARY_DOMAINS or CANARY_NXDOMAINS.
Hi @jayjb
Thank you for the additional information. Ohh.. Ok, so Acrobat requires another kind of DNS answer to make the trick work... ok
Let me share my tests and investigations so far so this may help other people that would read this issue later.
So now I configured my DNS zone as below:
mydomain.com. NS ns1.registrar.com
mydomain.com. NS ns2.registrar.com
mydomain.com. A 1.2.3.4
connect.mydomain.com. NS mydomain.com.
pdf.mydomain.com. NS mydomain.com.
and files:
CANARY_DOMAINS=connect.mydomain.com
CANARY_NXDOMAINS=pdf.mydomain.com
CANARY_PUBLIC_DOMAIN=connect.mydomain.com
I can see now the regular DNS Canary create expected links with "connect" mhrbpdkg7c7ikczy5u0x92fv6.connect.mydomain.com
And I can see the PDF Canary creates a PDF containing a URI with "pdf": http://qps9nx5nqb97rkwpizrkv4pfk.pdf.mydomain.com
DNS Token tests
I can see a DNS call (dig) to the DNS Canary link successfully triggers the DNS alert.
And the Canary DNS server answers with SERVFAIL status code:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26072
PDF Token tests
A DNS call (dig) to the PDF Canary link is NOT enough to trigger the PDF alert.
An HTTP call (curl) to the PDF Canary link is NOT enough to trigger the PDF alert.
Anyway, I see in this case the Canary DNS server answers with REFUSED status code:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 19815
=> So I can see what you mentioned about a different kind of DNS answer.
Note: The DNS status code during my tests is not NXDOMAIN. Because the parameter name is CANARY_NXDOMAINS, this is the status code I was expecting..
This issue could be closed now.. Thanks!
I failed to trigger the PDF alert using DNS requests (and HTTP) to the generated link embedded into the PDF.
Is a dig qps9nx5nqb97rkwpizrkv4pfk.pdf.mydomain.com @mydomain.com supposed to be enough to trigger the PDF canary? Or is Acrobat doing some other requests and/or something different?
Is there any public information available on what kind of requests Acrobat Reader performs? (I'm trying here to avoid installing it and sniffing what is going on ;) )
I will continue my tests and questions.. So I may possibly later suggest a PR for a few updates to the Readme
Thanks for the help
Hi @uggyuggy,
Out of interest, which DNS registrar are you using?
So my understanding of the DNS setup is that you need to make your canarytokens server the authoritative server for your CANARY_DOMAINS and CANARY_NXDOMAINS. Which is why your second setup works. You have pointed connect.mydomain.com and pdf.mydomain.com at your canarytokens DNS server (1.2.3.4) by specifying that the authoritative server (signified by the NS records) of connect|pdf.mydomain.com is mydomain.com.
If you wanted your first setup to work, I believe you would have to remove the ns1.registrar.com and ns2.registrar.com records and add ns1.mydomain.com and ns2.mydomain.com pointing at mydomain.com. And since ns1|ns2.mydomain.com are subdomains of mydomain.com, you would need to add a glue record, which would be that A record.
But I think if your current setup is working, then keep it like that.
> Is a dig qps9nx5nqb97rkwpizrkv4pfk.pdf.mydomain.com @mydomain.com supposed to be enough to trigger the PDF canary?
I would suspect that with your current setup it wouldn't; you would need to use
dig qps9nx5nqb97rkwpizrkv4pfk.pdf.mydomain.com @pdf.mydomain.com
Let me know how it goes and we will figure this out!
Hi @jayjb
One problem is the registrar I use for that canary domain (this is probably the case for many registrars) does not let users build "weird" DNS setups if using their own registrar DNS for managing zone content.
If the registrant selects "use my registrar dns servers".. they basically push mydomain.ninja. NS ns.registrar.com. into the DNS servers managed by the ninja. zone. And doing so, they prevent you from editing your own zone file to contain some other NS records like mydomain.ninja. NS ns.mydomain.ninja. (with ns.mydomain.ninja. being my canarytoken server)
It makes sense for them to prevent this mismatch.. as users will break things.
Anyway, by setting "external DNS server" at registrar level, I will be able to have them push mydomain.ninja. NS ns.NOT.the.registrar.com at registry level, and they will have no way to prevent me from editing the zone the way I want on ns.NOT.the.registrar.com
I'm doing a couple of changes and I'm quite confident.. I should be able to come back to you later this week to confirm.. and possibly provide more details, so this may also help other people..
Thx !
Ah thanks for the explanation. I think that is going to be useful going forward!
Keep the info coming and let me know if you have any further questions.
Hi @jayjb I added some DNS / Domain name configuration information into the README .. and created a PR so the team can possibly integrate it... I will continue other tests and possibly ask other questions ;)
Hi again @jayjb
I re-started a new setup on a new server / DNS configuration.
All is working as expected, except I still don't understand something with the Acrobat Reader PDF token.
Here is my current config
DNS
example.win. A 1.2.3.4
ns2.example.win. A 1.2.3.4
dl.example.win. NS ns2.example.win.
nx.example.win. NS ns2.example.win.
frontend.env
CANARY_DOMAINS=dl.example.win
CANARY_NXDOMAINS=nx.example.win
switchboard.env
CANARY_PUBLIC_IP=1.2.3.4
CANARY_PUBLIC_DOMAIN=dl.example.win
I don't have Acrobat on my GNU/Linux system so I was not able to sniff what is going on.
I searched for more information about the Acrobat trick and why some NXDOMAIN was required in addition to the regular DNS token. Fortunately I finally found the information in a Marco public presentation: For <token>.example.net, Acrobat first does an A query to example.net but only processes the <token>.example.net if the A query to example.net replies NXDOMAIN first.
Unfortunately I'm not able to replicate that behavior for now:
I create the PDF.
I check the URL inside, which is as expected with my NX domain: <token>.nx.example.win
/URI (http://u8zq26cociwedrvpbwsrax5u7.nx.example.win/PVLEICPTUVLHTRXPKTYTXFJDFDIYRHSWM)
I query that DNS record:
dig A u8zq26cociwedrvpbwsrax5u7.nx.example.win
Which triggers the alert fine:
switchboard | xxxxxx [channel_output_email#info] Sent alert to xxx@xxxx for token u8zq26cociwedrvpbwsrax5u7
But the problem is that the canary server does not answer NXDOMAIN for the A query without the token part:
dig A nx.example.win @ns2.example.win
; <<>> DiG 9.16.1-Ubuntu <<>> A nx.example.win @ns2.example.win
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37425
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;nx.example.win. IN A
;; ANSWER SECTION:
nx.example.win. 0 IN A 1.2.3.4
;; Query time: 28 msec
;; SERVER: 1.2.3.4#53(1.2.3.4)
;; WHEN: xxxx
;; MSG SIZE rcvd: 51
I can see in the log:
switchboard | xxxxx [channel_dns#info] Query: x.x.x.x sent <Query nx.example.win A IN>
In short, I don't see any difference between my regular dns token and the nx domain token. The nx does not answer NXDOMAIN, so I understand that with those current results, Acrobat will not trigger the token with my current setup:
$ dig A nx.example.win @ns2.example.win +short
1.2.3.4
$ dig A dl.example.win @ns2.example.win +short
1.2.3.4
I tried creating the PDF token on canarytokens.org, which gives a token with another net domain, http://<token>.canarytokens.net/xxxxx, whereas your regular DNS token stays on com with <token>.canarytokens.com
Indeed, when I do dig A canarytokens.net, here we get the expected NXDOMAIN.
I suspected something wrong with the NX domain being a subdomain instead of another different domain.. but same result.
Do you confirm the expected behavior would be dig A nx.example.win @ns2.example.win replying NXDOMAIN?
Any idea to investigate further?
Thx
OK, it looks I got it.
$ dig nx.example.win @ns2.example.win
; <<>> DiG 9.16.1-Ubuntu <<>> nx.example.win @ns2.example.win
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53674
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;nx.example.win. IN A
;; Query time: 28 msec
;; SERVER:xxxxxx#53(xxxxx)
;; WHEN: xxx
;; MSG SIZE rcvd: 35
$ docker exec -ti switchboard /bin/bash
# env | grep NX
CANARY_NXDOMAINS=nx.example.win
In all documentation I found, CANARY_NXDOMAINS must be set in frontend.env:
> The frontend.env contains the frontend process settings such as: CANARY_NXDOMAINS=pdf.demo.canarytokens.net
> [NOTE: This step is only necessary if you want to use PDF tokens] Set the values for CANARY_NXDOMAINS in frontend.env.
> frontend.env CANARY_NXDOMAINS=example3.com
> canarytokens-docker/frontend.env.dist
> CANARY_DOMAINS=localhost CANARY_NXDOMAINS=yourdomain.com
But it seems I got it working by adding it into switchboard.env instead of frontend.env
If confirmed, I could make a PR with places where it may have to be corrected.
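The thread works out, by trial and error, three facts about the canary DNS server: a tokenised name under CANARY_DOMAINS must answer (and alert), a tokenised name under CANARY_NXDOMAINS must also answer (and alert), and the bare CANARY_NXDOMAINS name must return NXDOMAIN, because Acrobat sends that pre-flight A query first. The following is an added example, not canarytokens code: a small offline model of that responder plus a `verify_setup` routine that runs the same three checks the dig commands above perform. The class and function names, the constructed token label, and the rule that the token is the label directly under the configured domain are assumptions; the "misconfigured" responder below treats the NX domain like a regular domain, which is the symptom reported above when switchboard never saw CANARY_NXDOMAINS (NOERROR with 1.2.3.4 for the bare nx name).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

NOERROR, NXDOMAIN, REFUSED = "NOERROR", "NXDOMAIN", "REFUSED"
Reply = Tuple[str, Optional[str]]  # (rcode, A-record answer or None)


def _labels_under(name: str, parent: str) -> Optional[str]:
    """Labels of `name` below `parent` ("" if equal), or None if not under it."""
    if name == parent:
        return ""
    suffix = "." + parent
    return name[: -len(suffix)] if name.endswith(suffix) else None


@dataclass
class CanaryResponder:
    """Constructed model of the authoritative canary DNS server (not the project's code)."""
    canary_domains: List[str]     # CANARY_DOMAINS: regular DNS tokens
    canary_nxdomains: List[str]   # CANARY_NXDOMAINS: Acrobat PDF tokens
    public_ip: str                # CANARY_PUBLIC_IP
    alerts: List[str] = field(default_factory=list)

    def resolve(self, qname: str) -> Reply:
        name = qname.rstrip(".").lower()
        for parent in self.canary_nxdomains:
            rest = _labels_under(name, parent)
            if rest is None:
                continue
            if rest == "":
                # Acrobat's pre-flight A query for the bare NX domain must get NXDOMAIN
                return NXDOMAIN, None
            # assumption: the token is the label directly under the configured domain
            self.alerts.append(rest.split(".")[-1])
            return NOERROR, self.public_ip
        for parent in self.canary_domains:
            rest = _labels_under(name, parent)
            if rest is None:
                continue
            if rest:
                self.alerts.append(rest.split(".")[-1])
            # the bare CANARY_DOMAINS name answers normally (dig dl.example.win -> 1.2.3.4 above)
            return NOERROR, self.public_ip
        return REFUSED, None  # not a name this server is configured for


def verify_setup(resolve: Callable[[str], Reply], canary_domain: str, nx_domain: str,
                 token: str = "tokenlabelexample") -> Dict[str, bool]:
    """Run the three checks from the thread against any resolver callable."""
    checks: Dict[str, bool] = {}
    rcode, ans = resolve(f"{token}.{canary_domain}")
    checks["dns_token_answers"] = rcode == NOERROR and ans is not None
    rcode, _ = resolve(nx_domain)
    checks["bare_nx_is_nxdomain"] = rcode == NXDOMAIN
    rcode, ans = resolve(f"{token}.{nx_domain}")
    checks["pdf_token_answers"] = rcode == NOERROR and ans is not None
    return checks


def all_ok(checks: Dict[str, bool]) -> bool:
    return all(checks.values())


if __name__ == "__main__":
    # Working configuration from the thread: switchboard knows both lists.
    good = CanaryResponder(["dl.example.win"], ["nx.example.win"], "1.2.3.4")
    print("good:", verify_setup(good.resolve, "dl.example.win", "nx.example.win"))
    # Misconfigured: the NX domain is served like a regular domain, so the bare
    # name answers 1.2.3.4 instead of NXDOMAIN and Acrobat will not proceed.
    bad = CanaryResponder(["dl.example.win", "nx.example.win"], [], "1.2.3.4")
    print("bad: ", verify_setup(bad.resolve, "dl.example.win", "nx.example.win"))
```

To check a live deployment, pass `verify_setup` a callable that queries the canary host directly (the equivalent of `dig ... @ns2.example.win`) and returns the rcode and answer; the three dictionary keys map one to one onto the dig results discussed above, so a False value for `bare_nx_is_nxdomain` is the signature of the switchboard never having received CANARY_NXDOMAINS.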
Hi @uggyuggy,
That's a very interesting find. Would you mind telling me if you are using the most current version of Canarytokens? I'm looking at the code now and I see that we have that CANARY_NXDOMAINS key set for the switchboard.env config.
Hi @jayjb
I noticed this a few years ago; some things may have been updated or changed since 2021.
Looking at the repo, I can find at least these places where CANARY_NXDOMAINS is linked to frontend.env.
Set the values for CANARY_NXDOMAINS in frontend.env.
https://github.com/thinkst/canarytokens-docker/blob/master/README.md?plain=1#L69
- frontend.env CANARY_NXDOMAINS=example3.com
https://github.com/thinkst/canarytokens-docker/blob/master/README.md?plain=1#L94
CANARY_NXDOMAINS=yourdomain.com
https://github.com/thinkst/canarytokens-docker/blob/master/frontend.env.dist#L2
The frontend.env contains the frontend process settings such as: CANARY_NXDOMAINS=pdf.demo.canarytokens.net
https://github.com/thinkst/canarytokens/blob/master/README.md?plain=1#L44
Hi @uggyuggy,
I think my mind was on break, but in the code we use CANARY_NX_DOMAINS for FrontendSettings, which are found in frontend.env. Sorry for the confusion. I'm closing this issue for now. If you run the current new code base and you hit the same issue, please feel free to reopen the issue.
Hi,
My settings in frontend.env are:
My DNS configurations is:
I setup a new DNS token
The generated URL does NOT contain "connect".
So making a DNS request to edgalic0x6qf207kcfjl2p3t6.mydomain.com does NOT trigger an alert. If I add "connect" so the FQDN becomes edgalic0x6qf207kcfjl2p3t6.connect.mydomain.com, this does trigger the expected alert.
Why does the generated link not automatically contain the "subdomain" specified in CANARY_NXDOMAINS? Am I missing another parameter? Or maybe I did not properly understand the way it works...? Not a big deal, as I can manually add "connect".. but this may confuse some people.. This is why I'm creating the issue.
Also, the CANARY_NXDOMAINS setting seems to be properly used by the Acrobat Reader PDF token. Using peepdf I can see the URL looks OK.
Thanks for your work :)