From 1991fbc32251f8fead542e1e76c84de547961997 Mon Sep 17 00:00:00 2001
From: 5amu
Date: Wed, 6 Jul 2022 10:44:06 +0200
Subject: [PATCH] DNS amplification check (ANY queries) implemented
---
 internal/check.go | 1 +
 internal/common/constants.go | 9 +++-
 internal/dnschecks/anyquery.go | 76 ++++++++++++++++++++++++++++++++++
 3 files changed, 84 insertions(+), 2 deletions(-)
diff --git a/internal/check.go b/internal/check.go
index fbf6e83..9677a7e 100644
--- a/internal/check.go
+++ b/internal/check.go
@@ -16,4 +16,5 @@ type Check interface {
 var CheckList = []Check{
 new(dnschecks.SOACheck),
 new(dnschecks.GLUECheck),
+ new(dnschecks.ANYCheck),
 }
diff --git a/internal/common/constants.go b/internal/common/constants.go
index 7634775..e615e8f 100644
--- a/internal/common/constants.go
+++ b/internal/common/constants.go
@@ -1,4 +1,9 @@
 package common
-const DNSHunterVersion = "0.1"
-const DefaultNameserver = "8.8.8.8"
+const (
+ DNSHunterVersion = "0.1"
+ DefaultNameserver = "8.8.8.8"
+ // DNSAmplificationThreshold is an arbitrary number that the programmer
+ // considered to be enough for "response considerably larger than request"
+ DNSAmplificationThreshold = 5
+)
diff --git a/internal/dnschecks/anyquery.go b/internal/dnschecks/anyquery.go
index 8c220d7..71fbd60 100644
--- a/internal/dnschecks/anyquery.go
+++ b/internal/dnschecks/anyquery.go
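Review bot: The comment on `DNSAmplificationThreshold` in `internal/common/constants.go` describes a size relation ("response considerably larger than request"), but the only use in this patch, in `internal/dnschecks/anyquery.go`, compares the constant with `len(r.Answer)`, which is a count of answer records. Either state the unit in the comment, for example `// DNSAmplificationThreshold is the number of answer records above which an ANY response is reported as an amplification risk.`, or measure what the comment says with something like `r.Len() > common.DNSAmplificationThreshold*m.Len()`. A record count can under-report a server whose reply is truncated over UDP (`r.Truncated`) or holds a few large records; this is inferred, since the patch does not show how the client is configured.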
@@ -1 +1,77 @@
 package dnschecks
+
+import (
+ "fmt"
+ "net"
+
+ "github.com/5amu/dnshunter/internal/common"
+ "github.com/5amu/dnshunter/internal/output"
+ "github.com/miekg/dns"
+)
+
+type ANYCheck struct {
+ client *dns.Client
+ output *output.CheckOutput
+}
+
+func (c *ANYCheck) Init(client *dns.Client) error {
+ c.client = client
+ return nil
+}
+
+func (c *ANYCheck) Start(domain string, nameservers *common.Nameservers) error {
+
+ m := new(dns.Msg)
+ m.SetQuestion(dns.Fqdn(domain), dns.TypeANY)
+ m.RecursionDesired = true
+
+ var isVuln bool
+ var message string
+
+ message += "\nAnswering to ANY queries might get the nameserver to suffer from\n"
+ message += "DNS Amplification Attacks, basically ddos attacks based on the fact\n"
+ message += "that the answer given by the DNS is much larger that the request\n"
+ message += "made by the host. More information on the severity here:\n"
+ message += "https://www.cisa.gov/uscert/ncas/alerts/TA13-088A\n\n"
+
+ for _, ns := range nameservers.IPs {
+
+ fqdn, err := nameservers.IPv4ToFQDN(ns.String())
+ if err != nil {
+ return err
+ }
+
+ r, _, err := c.client.Exchange(m, net.JoinHostPort(ns.String(), "53"))
+ if err != nil {
+ return err
+ }
+
+ if r.Rcode != dns.RcodeSuccess {
+ return fmt.Errorf("invalid answer from %v after A query for %v", fqdn, domain)
+ }
+
+ if len(r.Answer) > common.DNSAmplificationThreshold {
+ isVuln = true
+ }
+
+ if isVuln {
+ message += common.Warn(fmt.Sprintf("nameserver %v is vulnerable to DNS amplification\n", fqdn))
+ } else {
+ message += fmt.Sprintf("nameserver %v isn't vulnerable to DNS amplification\n", fqdn)
+ }
+ }
+
+ c.output = &output.CheckOutput{
+ Name: "DNS amplification",
+ Domain: domain,
+ Nameservers: nameservers.ToFQDNs(),
+ Vulnerable: isVuln,
+ Message: message,
+ }
+
+ return nil
+}
+
+func (c *ANYCheck) Results() *output.CheckOutput {
+ return c.output
+}
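Review bot: `isVuln` is declared once before the `for _, ns := range nameservers.IPs` loop in `Start` and is never cleared, so once one nameserver exceeds the threshold every later nameserver is also reported as vulnerable, whatever it answered. Decide per server with `nsVuln := len(r.Answer) > common.DNSAmplificationThreshold`, branch on `nsVuln` when building the message, and set `isVuln = true` only inside that branch so it keeps the overall result. Separately, returning an error on `r.Rcode != dns.RcodeSuccess` aborts the whole check when a server refuses the ANY query, which is the hardened configuration and would be better recorded as not vulnerable followed by `continue`. The error text there also says `after A query` although the question is `dns.TypeANY`.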