Doing DNS Labs & Exercises on the Range
The Cyber Range exercise environment makes use of Virtual Machines running on Amazon Web Services. The article “What are the network and internet limits placed on my Range virtual machines?” describes how network traffic on the Cyber Range is safely restricted to the Range. In much the same way a gun range keeps bullets safely within the range, the Cyber Range keeps network traffic and packets safely within its network boundaries.
To make the Range as useful as possible, however, we do service web and DNS requests to the outside on behalf of Cyber Range users: legitimate HTTP traffic (ports 80/443) goes through our secured, monitored and throttled web proxy, and legitimate DNS requests go through our cloud provider’s recursive name servers. This means Cyber Range users are able to surf the external web, download software, use webmail and Google Drive, and do other such classwork-related activities. However, they typically cannot do things like external port scans, web DoS attacks, or attacks on web or DNS related services.
Safety Limits of Using DNS on the Cyber Range
When exploring DNS-related security topics on the Range, basic Internet-facing DNS queries work, because the Range’s recursive DNS server performs them on your behalf. For example, using the nslookup, host or dig commands to ask our recursive DNS server for the DNS A record of www.example.com should work just fine:
    $ host www.example.com
    www.example.com has address 184.108.40.206
The query above works fine because your VM in the Range asks an internal 10.x or 169.x cloud DNS server to recursively go out on your behalf and get the answer. However, if you attempt to directly query an external DNS server like this:
    $ host www.example.com 220.127.116.11
    ;; connection timed out; no servers could be reached
This fails because the query attempted to go outside the Range and ask the Google nameserver (18.104.22.168) for an answer directly. This second form of DNS usage will always fail because non-proxied outbound traffic (port 53 in this case) is simply not allowed out of the Range, by design.
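A pre-flight check for the two query forms above, as an added example (not Cyber Range code): it classifies where a `host NAME [SERVER]` lookup would travel and flags resolver entries that point outside the Range. It assumes "10.x or 169.x" means 10.0.0.0/8 and 169.254.0.0/16; the function names, the sample resolver config and the address 192.0.2.53 are constructed for illustration.

```sh
# Added example (not Cyber Range code): predict where a DNS lookup will go.

# Constructed resolver config; a real VM's /etc/resolv.conf will differ.
SAMPLE_RESOLV_CONF='# constructed sample
search lab.example
nameserver 10.0.0.2
nameserver 169.254.169.253'

# Print the nameserver addresses from resolv.conf-style text on stdin.
configured_resolvers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Assumption: "10.x or 169.x" means 10.0.0.0/8 and 169.254.0.0/16.
is_range_internal() {
    is_ipv4 "$1" || return 1
    case "$1" in 10.*|169.254.*) return 0 ;; esac
    return 1
}

# Print configured resolvers outside the Range; lookups via these time out.
misconfigured_resolvers() {
    configured_resolvers | while read -r ns; do
        is_range_internal "$ns" || printf '%s\n' "$ns"
    done
}

# classify_lookup [SERVER]: how "host NAME [SERVER]" would travel.
classify_lookup() {
    if [ -z "${1:-}" ]; then
        echo "recursive"         # VM's configured resolver answers
    elif ! is_ipv4 "$1"; then
        echo "unknown-server"    # hostname or typo: check its address first
    elif is_range_internal "$1"; then
        echo "direct-internal"
    else
        echo "direct-external"   # outbound port 53 is blocked: expect a timeout
    fi
}

# Demo; 192.0.2.53 is a constructed stand-in for an external name server.
echo "host www.example.com            -> $(classify_lookup)"
echo "host www.example.com 192.0.2.53 -> $(classify_lookup 192.0.2.53)"
```

On a Range VM, `misconfigured_resolvers < /etc/resolv.conf` printing anything means the resolver list was changed to point outside the Range, which would make every lookup time out.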
Simulating Enumeration and Brute Force DNS Queries
We do not recommend or condone enumerating or brute forcing (aggressively scanning) non-Range DNS names using our cloud provider’s DNS servers. Doing so might get your VM blocked, shut down, or completely removed from our cloud account.
If you are an instructor and want your students to do real-world-like DNS enumeration, attacks, recon, or scans, then simply reach out to our Cyber Range Engineers about setting up either a local DNS service (per student), or a container or VM that you and your students can safely attack and hack on. This will get you the best of both worlds: real-world DNS recon/attack/defense experience, plus a dedicated, resilient DNS service for each student that (if it crashes or is taken out) won’t impact the other students in the class or your own lessons (or the Internet at large).
Again, the Cyber Range keeps dangerous packets off the Internet just like a gun range keeps bullets from straying anywhere except toward range targets. This is the nature and function of a range: a safe place to do dangerous things, NOT a place to launch attacks from, or even enumerate real world systems.
However, if you do want to do something more real world and dangerous, please reach out to one of our engineers and we can probably help you set up a lab configuration to suit most any of your needs.