Skip to content

Doing DNS Labs & Exercises on the Range

The Cyber Range exercise environment makes use of Virtual Machines running on Amazon Web Services. As described in the article titled, What are the network and internet limits placed on my Range virtual machines?, we describe how network traffic on the Cyber Range is safely restricted to the Range. In much the same way a gun range keeps bullets safely within the range, the Cyber Range keeps network traffic and packets safely within its network boundaries.

To make the Range as useful as possible, however, we do service web and DNS requests to the outside through our secured, monitored and throttled web proxy (for legitimate 80/443 http traffic) traffic and legitimate DNS requests (through our cloud provider’s recursive name servers) to send and fetch data for Cyber Range users. This means Cyber Range users are able to surf the external web, download software, use webmail, Google Drive, and other such classwork related activities. However, they cannot typically execute actions such as external port scans, web DoS attacks, or attack web or DNS related services.


Safety Limits of Using DNS on the Cyber Range

When exploring DNS related security topics using the Range, the Range's recursive DNS server can do basic Internet facing DNS queries on your behalf. For example, using the nslookup, host, or dig commands to ask our network recursive DNS server to look up the DNS A record for www.example.com should work without issue:

$ host www.example.com
www.example.com has address 93.184.216.34

The query above works because your VM in the Range asks an internal 10.x or 169.x cloud DNS server to recursively go out on your behalf and get the answer. However, if you attempt to directly query an external DNS server like this:

$ host www.example.com 8.8.8.8
;; connection timed out; no servers could be reached

it will fail because the query above attempted to go outside the Range and query the Google nameserver (8.8.8.8) for an answer directly. This second form of DNS usage will always fail because non-proxied, outbound traffic (port 53 in this case) is simply not allowed out of the Range by design.

Simulating Enumeration and Brute Force DNS Queries

We do not recommend or condone enumerating or brute forcing (aggressively scanning) non-Range DNS names using our cloud provider’s DNS servers. Doing so might get your VM blocked, shutdown, or completely removed from our cloud account.

If you would like your students to do real-world-like DNS enumeration, attacks, recon, or scans, then please reach out to our Cyber Range Engineers about either setting you up a local DNS service (per student), or a container or VM that you and your students can safely attack and hack on. This will get you the best of both worlds: getting real world DNS recon/attack/defense experience, while also giving each student their own dedicated and resilient DNS service that won’t impact the other students in the class or your own lessons (or the Internet at large).


Summary

The Cyber Range keeps dangerous packets off the Internet just like a gun range keeps bullets from straying anywhere except toward range targets. This is the nature and function of a range: a safe place to do dangerous things, NOT a place to launch attacks from, or even enumerate real world systems.

However, if you do want to do something more "real world" and dangerous, please reach out to our support team, who can help you set up a lab configuration to suit your needs.

Have a Question? Contact Support

Note

Students: Please reach out to your Instructor who can submit a ticket to our Support Team on your behalf.

We're here to help you. If you still have questions after reviewing the information above, please feel free to submit a ticket with our Support Team and we'll get back to you as soon as possible.