bypass-firewalls-by-DNS-history – Tool to Bypass Firewalls

bypass-firewalls-by-DNS-history is a bash script that (ab)uses DNS history records. The script searches for old DNS A records and checks whether the server at each of those addresses still replies for that domain. It also outputs a confidence level, based on the similarity between the HTML response of the possible origin server and that of the firewall. The script also fetches the IPs of subdomains.

bypass-firewalls-by-DNS-history - Bypass firewalls by abusing DNS history

This script will try to find:

  • The direct IP address of a server behind a firewall like Cloudflare, Incapsula, SUCURI …
  • An old server which is still running the same (inactive and unmaintained) website, not receiving active traffic because the DNS A record no longer points to it. Because it is an outdated and unmaintained version of the current active website, it is likely vulnerable to various exploits. It might be easier to find SQL injections and access the database of the old website and abuse this information to use on the current and active website.

WAF bypass scheme

WAF Bypass explanation

A normal visitor connects to a website. The initial request is a DNS request asking for the IP of the website, so the client's browser knows where to send the HTTP request. For sites behind Cloudflare or some other public WAF, the reply contains an IP address of the WAF itself. Your HTTP traffic basically flows through the WAF to the origin web server. The WAF blocks malicious requests and protects against (D)DoS attacks. However, if an attacker knows the IP of the origin web server and the origin web server accepts HTTP traffic from the entire internet, the attacker can perform a WAF bypass: let the HTTP traffic go directly to the origin web server instead of passing through the WAF.

This script tries to find that origin IP, so you can connect directly to the origin web server. Attacks like SQL injections or SSRFs are then not filtered and can succeed, in contrast to when there is a WAF in between that stops these kinds of attacks.
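The confidence level mentioned above comes from comparing the HTML served through the WAF with the HTML served by a candidate origin. The following is an added example of how such a score can be computed (it is not the script's own code): the sample responses are constructed, scripts and tags are stripped before comparing because a WAF typically injects its own scripts, and the threshold values for the labels are assumptions. The same comparison is useful to a defender who wants to know whether a forgotten server still serves a copy of the live site.

```python
import difflib
import re

# Constructed sample responses (not captured from any real site).
# What a visitor receives through the WAF: the page plus a script injected by the WAF.
WAF_RESPONSE = """<html><head><title>Example Shop</title>
<script>/* challenge script injected by the WAF */ var t = 1;</script></head>
<body><h1>Welcome to Example Shop</h1><p>Buy things.</p></body></html>"""

# What a candidate origin (found via an old A record) returns for the same Host header.
CANDIDATE_ORIGIN = """<html>
  <head><title>Example Shop</title></head>
  <body>
    <h1>Welcome to Example Shop</h1>
    <p>Buy things.</p>
  </body>
</html>"""

# An unrelated host that merely answers on port 80: the false-positive case.
UNRELATED_HOST = ("<html><head><title>It works!</title></head>"
                  "<body><h1>Apache2 Default Page</h1></body></html>")


def visible_text(html: str) -> str:
    """Reduce a response to its visible text: drop script/style blocks and tags,
    then collapse whitespace and case. Comparing raw bytes would under-report a
    true origin, because the WAF-served copy carries injected scripts."""
    html = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", html, flags=re.S | re.I)
    html = re.sub(r"<[^>]+>", " ", html)
    return " ".join(html.split()).lower()


def similarity(waf_html: str, candidate_html: str) -> float:
    """Similarity ratio in [0, 1]; 1.0 means identical visible content."""
    matcher = difflib.SequenceMatcher(None, visible_text(waf_html), visible_text(candidate_html))
    return matcher.ratio()


def confidence(waf_html: str, candidate_html: str) -> str:
    """Map the ratio to a label. The thresholds are assumptions for this example."""
    score = similarity(waf_html, candidate_html)
    if score >= 0.9:
        return "high"
    if score >= 0.6:
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, body in (("candidate origin", CANDIDATE_ORIGIN), ("unrelated host", UNRELATED_HOST)):
        print(f"{name}: {similarity(WAF_RESPONSE, body):.2f} -> {confidence(WAF_RESPONSE, body)}")
```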

You can read more and download the script over here:
