Burp Suite User Forum

Login to post

When deploying private burp collaborator, allow ability to add custom DNS records of A type.

John | Last updated: Dec 19, 2021 02:33PM UTC

Currently as mentioned in the docs: https://portswigger.net/burp/documentation/collaborator/deploying field "customDnsRecords" only allows us to specify optional DNS records of type TXT and CNAME, it makes sense for the functionality to also be extended for A records. Reason being, for the current set-up of burp collaborator to work we need to use our server as an authoritative DNS. Meaning, currently running collaborator process is the only party that decides which DNS records will be served for our domain. Now, because we can't specify optional A records, this forbids us from running any other services on other ports on the same machine with support for TLS.

Michelle, PortSwigger Agent | Last updated: Dec 20, 2021 01:53PM UTC

Thanks for getting in touch and sharing your ideas. To help us build a better picture around your request, could you tell us a few more details about our use case, please? If you'd rather share these directly so you can provide specific examples that you would not want to share on a public forum, feel free to email them to support@portswigger.net. It would be good to understand the examples in your specific scenario (e.g. domains being used for the other services) and make sure we are correctly understanding the impact on the other domains/services. We look forward to hearing more from you :)

John | Last updated: Dec 20, 2021 02:19PM UTC

Lets say i own a server running in the cloud and i also own the domain name "example.com". What i want to do are 2 things: 1. Assign "example.com" (including all the subdomains) to my server. 2. Run a private collaborator on my server. To do so, on the server side i just go through all the steps as mentioned in the link above. But one of those steps includes changing authoritative DNS server for "example.com", so that instead of my domain name provider (like godaddy) being in charge of DNS records for "example.com", my server in the cloud will be the one answering any DNS requests regarding "example.com". Once that step is done, from now on the only entity in the world that can actually answer any DNS requests in regards to "example.com" is the collaborator process we are running on my server. That process happens to be solely controlled by a single config file. Now inside of this config file we can specify a different subdomain that our collaborator server will be assigned to, lets say we define it as "collaborator.example.com" inside of our config file. Then, once any client sends a DNS request for "collaborator.example.com" OR any subdomains of that domain, they will successfully retrieve A record, and will be able to resolve the domain name to the correlating IP, and as a result reach my server. But now the problem is, "collaborator.example.com" is the ONLY subdomain that we can fetch the IP of (and sub-subdomains), for example, now we can't start a mail server as another process on our server and try to reach it from outside by the domain name "mail.example.com", or say run a different web-server alongside the collaborator, located on "www.example.com". We can't do any of that because config file does not give us that option, the only thing it allows us currently is to add some optional records of type TXT and CNAME, but what we need is direct A records.

Michelle, PortSwigger Agent | Last updated: Dec 21, 2021 03:12PM UTC

Hi Thanks for adding some more detail to your use case. We've raised that as a feature request with the developers. I don't have any timescales for this as it will first of all need to go through and be reviewed. If we need any additional details, I'll be in touch. I have also linked this thread so that we can let you know when there are any updates. Please let me know if you've got any questions.

Michelle, PortSwigger Agent | Last updated: Mar 29, 2022 11:40AM UTC

This feature request has been reviewed and it is something we have decided we will not be taking further. We would suggest using a dedicated subdomain for the private collaborator server.

Rkssh | Last updated: Jul 03, 2022 11:30AM UTC


You need to Log in to post a reply. Or register here, for free.