Bypass Firewalls By Dns History

Firewall bypass script based on DNS history records. This script will search for DNS A history records and check if the server replies for that domain. Handy for bugbounty hunters.
Alternatives To Bypass Firewalls By Dns History
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
6 days ago570otherC++
An open-source user mode debugger for Windows. Optimized for reverse engineering and malware analysis.
Trivy19,5215815 hours ago205November 06, 2023219apache-2.0Go
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Gitleaks14,257254 days ago74November 17, 2023146mitGo
Protect and discover secrets using Gitleaks 🔑
Personal Security Checklist12,928
a day ago27other
🔒 A compiled checklist of 300+ tips for protecting digital security and privacy in 2023
Trufflehog12,7996610 hours ago42April 28, 2021194agpl-3.0Go
Find and verify credentials
Zaproxy11,481344 days ago11October 12, 2023748apache-2.0Java
The ZAP core project
Rustscan11,19413 months ago18November 07, 2022128gpl-3.0Rust
🤖 The Modern Port Scanner 🤖
5 days ago162November 20, 202379gpl-3.0Go
Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
Scapy9,553814202a day ago25December 25, 2022142gpl-2.0Python
Scapy: the Python-based interactive packet manipulation program & library. Supports Python 2 & Python 3.
6 days ago1August 14, 2018241otherPython
Daemon to ban hosts that cause multiple authentication errors
Alternatives To Bypass Firewalls By Dns History
Select To Compare

Alternative Project Comparisons

Bypass firewalls by abusing DNS history

Tool overview

This script will try to find:

  • the direct IP address of a server behind a firewall like Cloudflare, Incapsula, SUCURI ...
  • an old server which still running the same (inactive and unmaintained) website, not receiving active traffic because the A DNS record is not pointing towards it. Because it's an outdated and unmaintained website version of the current active one, it is likely vulnerable for various exploits. It might be easier to find SQL injections and access the database of the old website and abuse this information to use on the current and active website.

This script (ab)uses DNS history records. This script will search for old DNS A records and check if the server replies for that domain. It also outputs a confidence level, based on the similarity in HTML response of the possible origin server and the firewall.

The script also fetches the IP's of subdomains because my own experience learned me that subdomain IP's sometimes point to the origin of the main domain.


Use the script like this:

bash -d

  • -d --domain: domain to bypass
  • -o --outputfile: output file with IP's
  • -l --listsubdomains: list with subdomains for extra coverage
  • -a --checkall: Check all subdomains for a WAF bypass

Requirements (optional)

jq is needed to parse output to gather automatically subdomains. Install with apt install jq.

Background information

WAF Bypass explanation

To illustrate what we define as WAF bypass, look at the scheme below.

Scheme WAF Bypass

A normal visitor connects to a Website. The initial request is a DNS request to ask the IP of the website, so the browser of the client knows where to send the HTTP request to. For sites behind cloudflare or some other public WAF, the reply contains an IP address of the WAF itself. Your HTTP traffic flows basically through the WAF to the origin web server. The WAF blocks malicious requests and protects against (D)DoS attacks. However, if an attacker knows the IP of the origin webserver and the origin webserver accepts HTTP traffic from the entire internet, the attacker can perform a WAF bypass: let the HTTP traffic go directly to the origin webserver instead of passing through the WAF.

This script tries to find that origin IP, so you can connect directly to the origin webserver. Attacks like SQL injections or SSRF's are not filtered and can be successfully, in contrary when there is a WAF in between which stops these kind of attacks.

Further exploitation

When you find a bypass, you have two options:

  • Edit your host-file, which is a system-wide solution. You can find your host-file at /etc/hosts(Linux/Mac) or c:\Windows\System32\Drivers\etc\hosts (Windows). Add an entry like this:
  • Burp Suite: Burp Suite Settings

From this moment, your HTTP traffic goes directly to the origin webserver. You can perform a penetration test as usual, without your requests being blocked by the WAF.

How to protect against this script?

  • If you use a firewall, make sure to accept only traffic coming through the firewall. Deny all traffic coming directly from the internet. For example: Cloudflare has a list of IP's which you can whitelist with iptables or UFW. Deny all other traffic.
  • Make sure that no old servers are still accepting connections and not accessible in the first place

For who is this script?

This script is handy for:

  • Security auditors
  • Web administrators
  • Bug bounty hunters
  • Blackhatters I guess \_()_/

Web services used in this script

The following services are used:


Why in Bash and not in Python?

It started out as a few CURL one-liners, became a bash script, extended the code more and more, and the regret of not using Python extended accordingly.

I find more subdomains with my tools?

I know. I cannot expect everyone to install all these DNS brute-force and enumeration tools. In addition, I don't know beforehand in which folder these tools are placed or under which alias these tools are called. You can still provide your own list with -l so you can feed output of these subdomain tools into this tool. Expected input is a full subdomain on each line.


Project Creator

Vincent Cox


WAF bypass
Web Application Firewall bypass
DNS History
find direct/origin IP website

Popular Security Projects
Popular Security Tools Projects
Popular Security Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Security Tools
Network Security