Comments (11)
And the same at 508 string
from dnscan.
Hi @drakylar,
This isn't actually a bug. The recursive scanning is intentionally run even when a wildcard is present, because a wildcard record doesn't mean that there are no other records for a domain. In fact, most domains that have wildcards will also have other records.
github.com is a good example of this: it has a wildcard record that returns four IP addresses (185.199.109.153, 185.199.111.153, 185.199.110.153 and 185.199.108.153), but then has subdomains such as www.github.com (140.82.121.3) or api.github.com (140.82.121.5) with different IPs.
Any records that return the same IP as the wildcard are ignored, and the only ones that are returned are those with different IP addresses. It's not perfect (as it won't pick up VHOSTS), but it's the best we can do at a pure DNS level.
from dnscan.
Hello, yes, it's true. But I have several domains where this utility went into recursion and scanned up to the 6th wildcard subdomain level. That was because of bad detection of wildcard IP addresses. I will check the detection algorithm later.
from dnscan.
@drakylar you can set the max recursion depth with -m or --maxdepth, which should stop it getting stuck for ever. Would that solve your issue?
from dnscan.
Think this will help, but I wanted to minimize false-positive results.
from dnscan.
I'm not really clear what false positives you're seeing.
So if you scan example.org, and it has a wildcard domain, that gets flagged. Is the issue that if it has recursive wildcards (*.*.example.org) that those are being returned? Are they returned as wildcards or actual records?
from dnscan.
The issue was that if the subdomain was a wildcard (*.example.org) it returned the non-existent domain a.example.org and started to scan wildcard subdomains *.a.example.org. So, I thought that there had been some problems with wildcard subdomain enumeration which lead to a lot of false-positive subdomains.
P.S. Maybe it will be better to add an option to ignore wildcard subdomains bruteforce?
from dnscan.
Ah, I understand where you're coming from. While I don't think it's technically incorrect to recursively scan a domain that we know has wildcards (as there's nothing stopping it also having default entries), this will be quite slow for domains that have a lot of them. I've added a --recurse-wildcards option to enable that (it's not performed by default) - does that solve the issue?
from dnscan.
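The wildcard filtering and the opt-in recursion discussed in the comments above, as an added example (not dnscan's own code). `fake_resolve`, `detect_wildcard`, `scan` and the way `recurse_wildcards` gates recursion are assumptions made for illustration; the wildcard, www and api addresses are the ones quoted in the thread, and the dev.api record is constructed.

```python
import secrets

APEX = "github.com"
# Wildcard and www/api addresses are the ones quoted in the thread;
# dev.api is a constructed record (TEST-NET-1) to exercise recursion.
WILDCARD_IPS = {"185.199.108.153", "185.199.109.153",
                "185.199.110.153", "185.199.111.153"}
ZONE = {"www.github.com": {"140.82.121.3"},
        "api.github.com": {"140.82.121.5"},
        "dev.api.github.com": {"192.0.2.10"}}

def fake_resolve(name):
    """Offline stand-in for an A lookup against the constructed zone."""
    if name in ZONE:
        return set(ZONE[name])
    parent = name.partition(".")[2]
    while parent and parent != APEX and parent not in ZONE:
        parent = parent.partition(".")[2]
    # The wildcard only answers when no existing name sits in between.
    return set(WILDCARD_IPS) if parent == APEX else set()

def detect_wildcard(domain, resolve, probes=3):
    """Resolve random labels; whatever comes back is the wildcard answer."""
    ips = set()
    for _ in range(probes):
        ips |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return ips

def scan(domain, words, resolve, maxdepth=2, recurse_wildcards=False, depth=0):
    """Return {name: ips} for names that differ from the wildcard answer."""
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    for word in words:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if not ips or ips <= wildcard:
            continue  # no record, or indistinguishable from the wildcard
        found[name] = ips
        # Assumed gating: below a wildcard domain, recurse only on request.
        if depth + 1 < maxdepth and (recurse_wildcards or not wildcard):
            found.update(scan(name, words, resolve, maxdepth,
                              recurse_wildcards, depth + 1))
    return found

WORDS = ["www", "api", "mail", "dev"]
DEFAULT = scan(APEX, WORDS, fake_resolve)
DEEP = scan(APEX, WORDS, fake_resolve, recurse_wildcards=True)
```

`DEFAULT` drops mail and dev because they only echo the wildcard answer, while `DEEP` additionally finds dev.api.github.com at the cost of a second round of lookups under every hit.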
Thanks! Will check it later.
from dnscan.
One new problem - sometimes the DNS server from NX can get stuck with its response, so a timeout parameter needs to be added to dns.query.udp + I think it will be better to add several retries (line ~ 499).
dns.query.udp(request, nameserver, timeout=5)
from dnscan.
Two more suggestions
- Add the ability to make TCP DNS requests (CLI argument), due to some strange NX servers with stuck responses.
- Add the ability to select a dictionary for the -a alterations argument.
from dnscan.