thinkst / canarytokens

Canarytokens helps track activity and actions on your network.
http://canarytokens.org

DNS Canarytoken not working #8

Closed palak-sethia closed 6 years ago

palak-sethia commented 7 years ago

@thinkst Hi, I have set up the canarytoken and canarytoken-docker projects on my machine. I have created a DNS entry in my hosts file and made changes in frontend.env and switchboard.env accordingly so that they point to my local DNS URL. I have added my own email configuration.

Then, when I generate a canary token from the /generate page: for web bugs it works properly and I receive the email alert notification. But for the DNS canary token, when I open <token>.localdomain, I am redirected to the /generate page but do not get an email notification.

Can you suggest where the gap in my configuration is?

thinkst commented 7 years ago

Hi There,

Sorry that you are having difficulty with the Canarytokens project. We are looking into the issue. Could I please ask you to try the following command to test your DNS token. In a terminal, would you mind trying the following command:

This command will attempt a hostname lookup of the tokenised address through the DNS server at 127.0.0.1 (your local machine). If you would like it to look up the hostname through a different DNS server address, simply change the 127.0.0.1 to the desired address. Once this command is run, would you mind checking that the request is going through by checking the logs. To do this, use the following commands:

Once inside the docker instance, you can run:

This will allow you to see the requests as they come through to your docker instance of the Canarytokens server. Now you can try the HTTP token again and check that you are observing the correct logs. Then try your DNS token using the command above and see if the tokens are still getting triggered. Please let us know if you need additional assistance or if you succeed.

Kind Regards, Jason

On Wed, Oct 19, 2016 at 12:43 PM shahpalak02 notifications@github.com wrote:

> Hi, I have set up the canarytoken and canarytoken-docker projects on my machine. I have created a DNS entry in my hosts file and made changes in frontend.env and switchboard.env accordingly so that they point to my local DNS URL. I have added my own email configuration.
>
> Then, when I generate a canary token from the /generate page: for web bugs it works properly and I receive the email alert notification. But for the DNS canary token, when I open <token>.localdomain, I am redirected to the /generate page but do not get an email notification.
>
> Can you suggest where the gap in my configuration is?


Kind Regards, Jason Bissict Thinkst Applied Research

palak-sethia commented 7 years ago

@thinkst thanks for the quick response. I still could not find a solution, so let me explain my local setup.

The canarytoken project is up and running through your docker compose file. The local setup is accessible via http://127.0.0.1/generate :+1:

Now I have added the following line to my local machine's hosts file to access the canarytoken project using a domain name:

```
127.0.0.1 canary.local
```

So now I am able to generate a new token using the following URL on my local system: http://canary.local/generate

I have generated a new token using the above link, and the following URL appeared under the Web bugs section: http://canary.local/articles/tags/feedback/u99hlj6duu4awt1crcnohameq/submit.aspx

When I open the above URL, the mail is triggered :+1:

The DNS Tokens section has the following details: u99hlj6duu4awt1crcnohameq.canary.local

As I am running this project on my local machine, I have added the above host to my local hosts file to access the DNS token:

```
127.0.0.1 canary.local
127.0.0.1 u99hlj6duu4awt1crcnohameq.canary.local
```

But now when I try accessing it with curl u99hlj6duu4awt1crcnohameq.canary.local, the mail is not triggered and there is no new line printed in the switchboard.log file :(

blikenoother commented 7 years ago

Facing the same issue. Tried dnsmasq but could not resolve it.

4auvar commented 7 years ago

Hi @thinkst,

host <token>.demo.canarytokens.net 127.0.0.1 works for me. But when I use ping <token>.demo.canarytokens.net it doesn't work.

I have a setup in my local environment with an internal IP, gateway and DNS server (I think this should not be the barrier).

I have set up the DNS server in such a way that ping <token>.demo.canarytokens.net gets a reply, but the alert does not get triggered.

I have tried my local machine's IP as CANARY_PUBLIC_IP.

Can you please guide me on setting this up in my local environment.

thinkst commented 6 years ago

Hi @gauravnayak210,

Sorry for the delayed response. What you are seeing there is expected. When you use the host command you are specifying which DNS server to use to resolve the <token>.demo.canarytokens.net address. The address is sent to your Canarytokens DNS server, which then triggers the alert. However, with the ping command, I suspect your PC is reaching out over the internet to resolve that address, hence you receive a reply but not an alert.

If you would like ping to trigger an alert in your local environment, you will need to set up your local machine to attempt to resolve the addresses through your local Canarytokens docker instance first.

Please feel free to contact me with more queries.

thinkst commented 6 years ago

Hey @shahpalak02,

Sorry for the delayed response (I really hope you got it working).

I just wanted to quickly explain why adding the DNS token to your hosts file won't make it work. The hosts file is used for direct mapping of a name and an IP.

So adding 127.0.0.1 u99hlj6duu4awt1crcnohameq.canary.local will not cause your token to trigger because u99hlj6duu4awt1crcnohameq.canary.local will be mapped to 127.0.0.1. So your local Canarytokens docker instance will not receive a DNS resolution request of that u99hlj6duu4awt1crcnohameq.canary.local since that name already has an IP resolved for it.

Please let me know if I can help you get it up and running. And thanks for taking the time to have some fun with it!
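The two replies above make the same point: a DNS token only fires when the query for the token name actually arrives at the switchboard's DNS listener, which a hosts-file entry or a normal recursive lookup over the internet never does. The script below is an added example, not code from the Canarytokens project, that does what `host <name> <server>` does by hand: it builds a raw DNS query for the token name and sends it over UDP straight to a server you choose, so nothing in /etc/hosts or the stub resolver can short-circuit it. It also parses the reply, so the same code can check the NS delegation of your domain (query type 2) against the IP your switchboard is on. The server address and token name in the usage line are placeholders; the switchboard listening on UDP/53 is taken from the docker-compose port mapping discussed later in this thread.

```python
"""Added example (not Canarytokens project code): send a DNS query for a
token name directly to a chosen DNS server, bypassing /etc/hosts and the
system resolver, then decode the answer. Assumes the switchboard answers
A/NS queries on UDP/53; the server IP and token below are placeholders."""
import socket
import struct

QTYPE_A, QTYPE_NS = 1, 2


def encode_name(name: str) -> bytes:
    """DNS wire encoding: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Header (id, RD flag, 1 question) followed by one question record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end, seen = [], False, offset, set()
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer in seen:
                raise ValueError("compression loop")
            seen.add(pointer)
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes):
    """Return (rcode, [(name, rtype, rdata)]) for the answer section.
    A rdata is a dotted IPv4, NS rdata is a name, anything else is hex."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == QTYPE_NS:
            rdata, _ = decode_name(msg, offset)
        else:
            rdata = msg[offset:offset + rdlen].hex()
        offset += rdlen
        records.append((name, rtype, rdata))
    return flags & 0x000F, records


def query(server: str, name: str, qtype: int = QTYPE_A, timeout: float = 3.0):
    """Live lookup against one specific server, e.g. your switchboard's IP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data)


if __name__ == "__main__":
    # Placeholder server and token name; replace with your own values.
    print(query("127.0.0.1", "u99hlj6duu4awt1crcnohameq.canary.local"))
    # Delegation check: the NS names returned here should resolve to the
    # switchboard host, otherwise public resolvers never reach it.
    print(query("127.0.0.1", "canary.local", QTYPE_NS))
```

If the first call returns an answer and the switchboard log shows the query, the token path works and the remaining problem is whether the rest of the world's resolvers are sent to that server, which is what the NS lookup tells you.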

thinkst commented 6 years ago

Haven't heard back about these issues yet. Closing the issue for now.

jaswinder97 commented 4 years ago

@jayjb I am using just one domain with my DNS records on Cloudflare, but DNS ping requests to DNS tokens don't reach my server. Do you know why this is happening?

jayjb commented 4 years ago

Hi @jaswinder97,

I think the first test would be to try pinging your Canarytokens server using a command like host <domain>, where <domain> is your domain. If this works, then we may need to look at your DNS setup.

For your Canarytokens to work over DNS, your Canarytokens server needs to be the authoritative DNS server for your domain. Please let me know what your Canarytokens domain's DNS zone file looks like so we can try to debug this together.

jaswinder97 commented 4 years ago

@jayjb yes, it works using the above command, like:

```
host blueclouddrive.com
blueclouddrive.com has address 52.10.92.6
```

here is a screenshot of the domain DNS zone file:

[screenshot of the DNS zone file, not reproduced here]

here are my frontend.env settings:

```
#Enter number so 1024*1024*10 = 10485760
CANARY_MAX_UPLOAD_SIZE=10485760
LOG_FILE=frontend.log
CANARY_DOMAINS=blueclouddrive.com
CANARY_NXDOMAINS=blueclouddrive.com
CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads
```

here are my switchboard.env settings:

```
CANARY_PUBLIC_IP=52.10.92.6
CANARY_PUBLIC_DOMAIN=blueclouddrive.com
CANARY_ALERT_EMAIL_FROM_ADDRESS=jaswindersinghsn97@gmail.com
CANARY_ALERT_EMAIL_FROM_DISPLAY="Bluecloud Canarytokens"
CANARY_ALERT_EMAIL_SUBJECT="ALERT - Bluecloud Canarytoken Triggered"
CANARY_TOKEN_RETURN=fortune
CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads
LOG_FILE=switchboard.log
```

All containers are working properly:

```
CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS                                                        NAMES
ade0b30b9e5a        thinkst/certbot-nginx   "/bin/sh -c /start.sh"   5 minutes ago       Up 5 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp                     nginx
e077609d9807        thinkst/canarytokens    "bash -c 'rm -f sw..."   5 minutes ago       Up 5 minutes        0.0.0.0:25->25/tcp, 0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp   switchboard
b0fdcf74caa5        thinkst/canarytokens    "bash -c 'rm -f su..."   5 minutes ago       Up 5 minutes                                                                     frontend
06e2de81ce7d        redis                   "docker-entrypoint..."   5 minutes ago       Up 5 minutes        6379/tcp                                                     redis
```
jaswinder97 commented 4 years ago

@jayjb could you please look into this ASAP today

I put everything on hold till then

jaswinder97 commented 4 years ago

@jayjb here is the event log from frontend.env

```
2020-04-29 17:34:27+0000 [HTTPChannel,77,172.18.0.5] Saved canarydrop: {'browser_scanner_enabled': False, 'alert_webhook_url': '', 'timestamp': '1588181667.975124', 'memo': 'qweqweqw testign DNS hit', 'alert_sms_enabled': False, 'generated_url': 'http://blueclouddrive.com/feedback/vshmgg0t855gfzjjpko0owl3c/post.jsp', 'alert_email_recipient': 'gstjiyyyyyyy@gmail.com', 'web_image_enabled': False, 'canarytoken': 'vshmgg0t855gfzjjpko0owl3c', 'auth': 'a608f793e3c19e88fe1623bc960b6300', 'alert_webhook_enabled': False, 'alert_email_enabled': True, 'user': 'Anonymous'}
2020-04-29 17:34:27+0000 [HTTPChannel,77,172.18.0.5] Send email:gstjiyyyyyyy@gmail.com to port:45800 topic:10101
```

It seems to have the email-sent log line, but I haven't received it yet.

Although web bug tokens are working fine and I received trigger emails for those.

jayjb commented 4 years ago

Hi @jaswinder97,

Sorry for the delay; and thanks for the all the details.

So if I look at the log line you sent me, that test looks to be an HTTP token. The reason I say this is that the 'generated_url': 'http://blueclouddrive.com/feedback/vshmgg0t855gfzjjpko0owl3c/post.jsp' would be the URL that you put somewhere it will get triggered.

If you look at that URL, you will notice that the token vshmgg0t855gfzjjpko0owl3c is in the subdirectory. If this were a DNS Canarytoken it would be present in the subdomain (i.e. vshmgg0t855gfzjjpko0owl3c.blueclouddrive.com). So please make sure that you are creating a DNS token if you are using a DNS lookup to test triggering the Canarytoken.

Do you mind creating a DNS Canarytoken and trying to trigger that? (The token would be of the format xxxxx.blueclouddrive.com.) You can then trigger it by running host xxxxx.blueclouddrive.com.

Please let me know how this test goes and we can move forward from there.

jaswinder97 commented 4 years ago

@jayjb sorry, the previous logs were for an HTTP trigger.

here is the screenshot of a ping to the DNS trigger for nat6m8aieeismjzdh3y97dxvg.blueclouddrive.com:

[screenshot of the ping, not reproduced here]

here is the switchboard container (not receiving the ping requests in its logs):

[screenshot of the switchboard log, not reproduced here]

jayjb commented 4 years ago

Hi @jaswinder97,

Thanks for the update. So I was looking at your setup and I think there are two things we need to fix (or at least try).

For the DNS setup, we need to make sure that your Canarytokens server is the authoritative DNS server for your domain. To do this, you can see in your screenshot that CloudFlare tells you what to point your nameservers towards, so I would suggest making that change first.

You will also need to decide whether that "proxied" status is useful. Doing a little bit of research, it seems that it means CloudFlare will determine what traffic is sent through. So it's possible it is doing some blocking there.

Please check these and let me know.

jaswinder97 commented 4 years ago

@jayjb I decided to move everything to GoDaddy now with the same records, but still no success.

could you please share your DNS zone file settings and frontend.env & switchboard.env for http://canarytokens.org/

jaswinder97 commented 4 years ago

@jayjb I really need your help ASAP please

I have verified the DNS zone file records and all are correct.

It could be something wrong with the nginx.conf file which may prevent subdomain requests in the dockers. Could you please share your settings for canarytokens.org.

jayjb commented 4 years ago

Hi @jaswinder97,

I'm not sure that changing the DNS provider will help, but let's see what we can do. Looking at your .env files, you will need to change:

```
CANARY_DOMAINS=blueclouddrive.com
CANARY_NXDOMAINS=nx.blueclouddrive.com
```

Then add nx.blueclouddrive.com to your DNS as an A record pointing towards your server IP.

With regards to the nginx.conf, are you trying to run this server as HTTP or HTTPS (they use different nginx.conf files).

jaswinder97 commented 4 years ago

@jayjb could you please share your .env settings for https://canarytokens.org

jayjb commented 4 years ago

@jaswinder97, here is a redacted version of the canarytokens.org env files:

switchboard.env:

```
CANARY_MAILGUN_DOMAIN_NAME=domain.com
CANARY_MAILGUN_API_KEY=
CANARY_PUBLIC_IP=
CANARY_PUBLIC_DOMAIN=domain.com
CANARY_ALERT_EMAIL_FROM_ADDRESS=noreply@domain.com
CANARY_ALERT_EMAIL_FROM_DISPLAY=Canarytoken Mailer
CANARY_ALERT_EMAIL_SUBJECT=Your Canarytoken was Triggered
CANARY_NXDOMAINS=nx.domain.com
CANARY_IPINFO_API_KEY=
CANARY_TOKEN_RETURN=fortune
CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads
LOG_FILE=/logs/switchboard.log
```

frontend.env:

```
CANARY_DOMAINS=domain.com
CANARY_NXDOMAINS=nx.domain.com
CANARY_GOOGLE_API_KEY=
CANARY_AWSID_URL=
CANARY_WEB_IMAGE_UPLOAD_PATH=/uploads
CANARY_MAX_UPLOAD_SIZE=10485760
LOG_FILE=/logs/frontend.log
```

jaswinder97 commented 4 years ago

@jayjb thanks for sharing it, but I would like an explanation to understand how a DNS token trigger request will reach our docker network, and whether the nginx container will listen for it on port 80 or on the DNS port.

Let me know where the request will enter our docker network when someone tries to do:

```
ping nat6m8aieeismjzdh3y97dxvg.blueclouddrive.com
```

or

```
host nat6m8aieeismjzdh3y97dxvg.blueclouddrive.com
```

jayjb commented 4 years ago

Hi @jaswinder97,

In terms of understanding the architecture, you can have a look at the canarytokens-docker repo's docker-compose.yml. That .yml will tell you the relationship between the different docker containers and on which ports each container is listening.

But basically when a DNS request is triggered, the switchboard container maps traffic on port 53 (DNS port) to port 53 internally; which the switchboard application is listening on.

The nginx container maps port 80 to port 80 internally; which is the usual HTTP port and the port that our nginx is providing proxy services. It delegates whether the HTTP request should go to the frontend application running in the frontend container, or whether it should go towards the switchboard application running in the switchboard container.

jaswinder97 commented 4 years ago

@jayjb I found something is broken when I updated the base docker image for the containers from 16.04 to 18.04 in the Dockerfile.

Look at these switchboard container logs:

```
switchboard    | 2020-05-07 06:59:21+0000 [-] query=Query('23-126-99-130.lightspeed.rcsntx.sbcglobal.net', 1, 1),src_ip='172.18.0.1'
switchboard    | 2020-05-07 06:59:21+0000 [DNSDatagramProtocol (UDP)] Unhandled Error
switchboard    |    Traceback (most recent call last):
switchboard    |    Failure: exception.NoCanarytokenFound: No Canarytoken found in 23-126-99-130.lightspeed.rcsntx.sbcglobal.net
switchboard    |    
switchboard    | 2020-05-07 06:59:22+0000 [-] query=Query('23-248-84-162.tpia.execulink.com', 1, 1),src_ip='183.136.225.135'
switchboard    | 2020-05-07 06:59:22+0000 [DNSDatagramProtocol (UDP)] Unhandled Error
switchboard    |    Traceback (most recent call last):
switchboard    |    Failure: exception.NoCanarytokenFound: No Canarytoken found in 23-248-84-162.tpia.execulink.com
```

Now, after looking at the switchboard.tac file, it seems it depends on the twisted package, which requires the 18.04 base image, as on 16.04 the frontend & switchboard build fails, as per this issue reported at: https://github.com/thinkst/canarytokens-docker/issues/52

Please let me know what versions of the base images you are running and any resolution for the 18.04 update along with the required python packages.
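The log excerpt above shows the switchboard receiving queries for names that carry no token at all (reverse-DNS style names under other people's domains, one of them from a public source IP) and rejecting each with NoCanarytokenFound. Anything answering on a public UDP/53 collects such traffic, so a useful triage step is to separate those lines from queries that are actually under your CANARY_DOMAINS and carry a token label. The script below is an added example, not Canarytokens project code. It assumes the log line format shown in the thread (`query=Query('<name>', <type>, <class>),src_ip='<ip>'`) and assumes a token is a 25-character lowercase alphanumeric label, which is what every token on this page looks like; the sample lines are constructed for the example and the domain is the one used in this thread.

```python
"""Added example (not Canarytokens project code): triage switchboard DNS
log lines into token hits, queries under our domain with no token, and
queries for unrelated names. Assumes the log format seen in this thread
and a 25-char lowercase alphanumeric token label; both are assumptions."""
import re
from collections import Counter

CANARY_DOMAINS = {"blueclouddrive.com"}  # stands in for CANARY_DOMAINS
TOKEN_LABEL = re.compile(r"^[a-z0-9]{25}$")
LOG_LINE = re.compile(
    r"query=Query\('(?P<qname>[^']+)',\s*(?P<qtype>\d+),\s*(?P<qclass>\d+)\),"
    r"src_ip='(?P<src_ip>[^']+)'"
)

# Constructed sample: two noise lines like the ones in the thread, one
# token query, one query under our domain with no token, and a traceback
# line that carries no query at all.
SAMPLE_LINES = [
    "switchboard    | 2020-05-07 06:59:21+0000 [-] query=Query('23-126-99-130.lightspeed.rcsntx.sbcglobal.net', 1, 1),src_ip='172.18.0.1'",
    "switchboard    |    Failure: exception.NoCanarytokenFound: No Canarytoken found in 23-126-99-130.lightspeed.rcsntx.sbcglobal.net",
    "switchboard    | 2020-05-07 06:59:22+0000 [-] query=Query('23-248-84-162.tpia.execulink.com', 1, 1),src_ip='183.136.225.135'",
    "switchboard    | 2020-05-07 07:01:03+0000 [-] query=Query('nat6m8aieeismjzdh3y97dxvg.blueclouddrive.com', 1, 1),src_ip='203.0.113.7'",
    "switchboard    | 2020-05-07 07:01:09+0000 [-] query=Query('www.blueclouddrive.com', 1, 1),src_ip='203.0.113.7'",
]


def parse_line(line):
    """Pull qname, qtype and source IP out of one query log line, else None."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    return {"qname": m["qname"].rstrip(".").lower(),
            "qtype": int(m["qtype"]), "src_ip": m["src_ip"]}


def under_canary_domain(qname, domains=CANARY_DOMAINS):
    return any(qname == d or qname.endswith("." + d) for d in domains)


def extract_token(qname, domains=CANARY_DOMAINS):
    """Return the token label if qname is <...>.<token>.<domain>, else None.
    Labels are scanned from the domain outward, so extra leading labels
    (as used for data-carrying DNS tokens) do not hide the token."""
    for domain in domains:
        suffix = "." + domain
        if qname.endswith(suffix):
            for label in reversed(qname[:-len(suffix)].split(".")):
                if TOKEN_LABEL.match(label):
                    return label
    return None


def classify(qname, domains=CANARY_DOMAINS):
    if not under_canary_domain(qname, domains):
        return "not-our-domain", None      # internet noise; expect NoCanarytokenFound
    token = extract_token(qname, domains)
    if token:
        return "token", token              # this one should raise an alert
    return "our-domain-no-token", None     # e.g. www.<domain>, also rejected


def triage(lines, domains=CANARY_DOMAINS):
    """Return [(src_ip, qname, category, token)] for every query line."""
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        category, token = classify(parsed["qname"], domains)
        results.append((parsed["src_ip"], parsed["qname"], category, token))
    return results


def summarize(lines, domains=CANARY_DOMAINS):
    """Counts per category, handy for a quick look at a large log."""
    return Counter(category for _, _, category, _ in triage(lines, domains))


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
    print(dict(summarize(SAMPLE_LINES)))
```

If the only queries reaching the switchboard fall in the not-our-domain bucket while your own test lookups never appear, the server is reachable on UDP/53 but the public DNS delegation for your domain does not point at it; if token queries do appear without an alert, the problem is downstream of DNS (mail delivery), which the frontend log's "Send email" line helps separate out.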

jaswinder97 commented 4 years ago

@jayjb I really need your help to fix it. Can we do a quick call over skype please?

jaswinder97 commented 4 years ago

> Hi @jaswinder97,
>
> I'm not sure that changing the DNS provider will help, but let's see what we can do. Looking at your .env files, you will need to change the CANARY_DOMAINS=blueclouddrive.com CANARY_NXDOMAINS=nx.blueclouddrive.com Then add nx.blueclouddrive.com to your DNS as an A record pointing towards your server IP.
>
> With regards to the nginx.conf, are you trying to run this server as HTTP or HTTPS (they use different nginx.conf files).

I just ran some DNS lookups and haven't found any A record for nx.canarytokens.org

[screenshot of the lookup, not reproduced here]

[screenshot of the lookup, not reproduced here]

jayjb commented 4 years ago

Hi @jaswinder97,

If we do a DNS lookup on the addresses, you would get something like this:

```
$ host nx.canarytokens.com
nx.canarytokens.com has address 52.18.63.80
$ host canarytokens.org
canarytokens.org has address 52.18.63.80
```

jaswinder97 commented 4 years ago

@jayjb yes, the token triggers are working when the IP address is given to host, as in:

```
host odi8uw0xidlkgcblizkb37vbj.blueclouddrive.com 52.10.92.6
```

But not sure why it's not working with:

```
host odi8uw0xidlkgcblizkb37vbj.blueclouddrive.com
```

Shango-13 commented 3 years ago

Hello,

I have a similar issue to the OP:

> web bugs, it is working properly and I am receiving email alert notification. But for DNS canary token, when I open <token>.localdomain, I am redirected to /generate page, but not getting email notification.

but in my case, when I check the switchboard.log output I get 'Error in render GET: No Canarytoken found in /favicon.ico'

I cannot find any place reporting this.

Help please