#!/bin/bash
# Rapid-fire DNS queries for TUI demo screenshot
# Mix of clean domains (allowed) and real malicious domains from feeds (blocked)
# Endpoint the demo traffic is aimed at: the local dnsink listener.
HOST='127.0.0.1'
PORT='5353'
# Clean domains — will show as ALLOWED (green)
CLEAN=(
  # Consumer / social sites
  google.com
  youtube.com
  reddit.com
  stackoverflow.com
  github.com
  cloudflare.com
  amazon.com
  netflix.com
  twitter.com
  linkedin.com
  microsoft.com
  apple.com
  wikipedia.org
  # Rust ecosystem and infrastructure vendors
  rust-lang.org
  crates.io
  docs.rs
  mozilla.org
  fastly.com
  akamai.com
  nginx.com
  docker.com
  kubernetes.io
  grafana.com
  prometheus.io
  # SaaS / developer platforms
  openai.com
  anthropic.com
  stripe.com
  twitch.tv
  discord.com
  slack.com
  figma.com
  vercel.com
  netlify.com
  aws.amazon.com
  cloud.google.com
  azure.microsoft.com
  # Package registries and distributions
  npmjs.com
  pypi.org
  brew.sh
  archlinux.org
  ubuntu.com
  debian.org
  fedoraproject.org
  kernel.org
  torvalds.github.io
  # News / publishing
  news.ycombinator.com
  lobste.rs
  dev.to
  medium.com
  substack.com
)
# Real malicious domains from URLhaus/OpenPhish feeds + static blocklist
MALICIOUS=(
  # Names taken from the threat feeds named above; which feed supplied which
  # entry is not recorded here.
  triforgeix.chromeflack.in.net
  dyn-tidear.dockhype.in.net
  thifleet.dockhype.in.net
  gridfocus.cloudfloot.in.net
  zenmarken4.hostyard.in.net
  binscree.matchexact.in.net
  git33.matchexact.in.net
  patternprint.productter.in.net
  circuittraile.productter.in.net
  merlithex.tockentrue.in.net
  emberbroker.tockentrue.in.net
  gr0w-grid.paragonbloomera.in.net
  lumforgea.paragonbloomera.in.net
  capitalultra.quantumharbinger.in.net
  a-gwo.pages.dev
  a0coka3w.a5hsuper1or.ru
  a2-ghost-v3.columnasol.in.net
  abrababa.xyz
  a9350i8z.xyz
  aaa4b.com
  # RFC 2606 reserved test names: they never resolve on the public Internet.
  malware.example.com
  evil.example.com
  # Descriptive names, presumably the static blocklist part — confirm against
  # the sink's configuration.
  c2-relay.darkops.net
  payload-drop.malware-cdn.ru
  exfil-gateway.data-harvest.cn
  ransomware-drop.cryptolock.xyz
  botnet-controller.stormworm.cc
  trojan-callback.apt-group41.org
  dns-tunnel.covertchannel.top
  exploit-kit.angler-ek.net
)
# NOTE(review): these names are meant for the local sink at HOST only; pointing
# HOST at a recursive resolver would forward real lookups for them upstream.
# Record types send_query picks from at random, one per query.
QTYPES=('A' 'AAAA' 'MX' 'TXT')
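#######################################
# Fire one detached dig at the sink for a domain, using a random record type.
# Globals:   HOST, PORT, QTYPES (read)
# Arguments: $1 - domain name to query
# Outputs:   nothing; dig's stdout and stderr are discarded
# Returns:   1 if no domain was given, otherwise 0 (dig runs in the
#            background, so its own exit status is never observed)
#######################################
send_query() {
  local domain=${1:-}
  local qtype
  # An empty name would make dig query "." instead of the intended domain.
  [[ -n "$domain" ]] || return 1
  # Uniform pick from QTYPES.
  qtype=${QTYPES[$((RANDOM % ${#QTYPES[@]}))]}
  # All expansions are quoted so no value can split into extra arguments;
  # +timeout/+tries keep a silent sink from stalling the loop.
  dig @"$HOST" -p "$PORT" "$domain" "$qtype" +short +timeout=1 +tries=1 &>/dev/null &
}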
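# Number of randomly chosen queries in the main loop.
RANDOM_QUERIES=290
# Scripted closing burst: a clean/malicious mix that ends on blocked names so
# the bottom rows of the TUI are red when the screenshot is taken.
FINAL_BURST=(
  github.com
  cloudflare.com
  malware.example.com
  rust-lang.org
  botnet-controller.stormworm.cc
  ransomware-drop.cryptolock.xyz
  google.com
  trojan-callback.apt-group41.org
  exploit-kit.angler-ek.net
  dns-tunnel.covertchannel.top
)
# Derived from the loop count and the burst so the banner always matches what
# is actually sent.
TOTAL_QUERIES=$(( RANDOM_QUERIES + ${#FINAL_BURST[@]} ))

printf 'Firing %d queries at dnsink (%s:%s)...\n' "$TOTAL_QUERIES" "$HOST" "$PORT"
printf 'Clean domains: %d | Malicious domains: %d\n' "${#CLEAN[@]}" "${#MALICIOUS[@]}"
printf '\n'

for (( i = 1; i <= RANDOM_QUERIES; i++ )); do
  # 60% clean, 40% malicious
  if (( RANDOM % 10 < 6 )); then
    domain=${CLEAN[$((RANDOM % ${#CLEAN[@]}))]}
  else
    domain=${MALICIOUS[$((RANDOM % ${#MALICIOUS[@]}))]}
  fi
  send_query "$domain"
  # Sleep 0.3 s or 0.4 s (RANDOM % 2 + 3 yields 3 or 4) so the queries spread
  # across the 60 s sparkline window instead of landing in one bucket.
  sleep "0.$((RANDOM % 2 + 3))"
done

echo "Final burst..."
for idx in "${!FINAL_BURST[@]}"; do
  # Short gap between burst queries, none before the first one.
  if (( idx > 0 )); then
    sleep 0.05
  fi
  send_query "${FINAL_BURST[idx]}"
done

# Reap every detached dig before announcing completion.
wait
printf '\nDone. %d queries sent. Screenshot now.\n' "$TOTAL_QUERIES"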