d3mondev / puredns

Puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.
GNU General Public License v3.0
1.73k stars 160 forks

Wildcard Domains with CNAME not filtered #14

Open proabiral opened 3 years ago

proabiral commented 3 years ago

Hello,

First of all, thank you for the awesome tool.

1) Wildcard subdomains that resolve to a CNAME with status NXDOMAIN are not filtered. (Have not checked whether NOERROR with CNAME is filtered or not.)

Example domain : doesnotexists.paypal.cn

2) If the answer contains part of the DNS query, such a wildcard is not detected.

Example domain : algolia.net

host -t CNAME FOOBAR.algolia.net
FOOBAR.algolia.net is an alias for up.FOOBAR.api.algolia.net.

d3mondev commented 3 years ago

Hello,

Thanks for reporting the first issue, it should be fixed in a future release. There is indeed a bug preventing the wildcard detection from kicking in when the domain doesn't have an A record.

For 2), this is very tricky. This is an edge case happening because the DNS server is returning a different answer for each query, effectively bypassing the wildcard filter. Trying to fix this in code could create other false positives or false negatives in other domains. Maybe there should be an option to ignore CNAME records that the user could specify on domains exhibiting this behavior, but I'll have to give it more thought.

proabiral commented 3 years ago

Thank you for the response @d3mondev. Looking forward to the fix :)

nil0x42 commented 3 years ago

Hi! I got the exact same problem as mentioned by @proabiral. For the algolia.net behavior, trying to find a pattern in the generated CNAME is indeed prone to false negatives or false positives. Instead, puredns could resolve the returned CNAME and use the resulting address(es) as the "key".

In the case of algolia.net, it returns CNAMEs that don't resolve, so an "empty" key should be taken into account.

Therefore, filtering out wildcards that don't resolve would also impact the ability to find potential subdomain takeovers, so if such a feature is implemented, outputting CNAMEs to another file (e.g. a --write-cnames option) could be useful.
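
The two comments above (the algolia.net case where the CNAME target embeds the query label, and the suggestion to key on what the CNAME resolves to, treating a non-resolving target as an "empty" key) can be tried out offline. The following is an added example written for this page, not puredns code and not the fix the maintainer shipped; the zone names wild.example, nx.example and api.wild.example, the stub resolver and its responses are constructed to mimic the behaviour described in the thread, and the hop limit of 4 is an arbitrary loop guard. The naive key compares the raw CNAME string (and so never matches when the target echoes the query); the target key follows the CNAME and compares the final addresses, with an empty address set being a valid wildcard signature.

```go
// Added example, not puredns code: wildcard filtering that keys a CNAME on
// what its target resolves to rather than on the CNAME string itself.
package main

import (
	"fmt"
	"math/rand"
	"sort"
	"strings"
)

// Answer is a cut-down DNS response: rcode plus any CNAME and A records.
type Answer struct {
	Rcode string
	CNAME string
	A     []string
}

// Resolver answers one query. The example uses the in-memory stub below; a
// real tool would send the query to an upstream server.
type Resolver func(name string) Answer

// fakeResolver reproduces the behaviours from the issue with constructed
// names (not real data):
//   *.wild.example     echoes the query label into a CNAME target that never
//                      resolves (the algolia.net pattern)
//   *.nx.example       returns a CNAME together with NXDOMAIN (paypal.cn pattern)
//   real.wild.example  a genuine host with an A record under the wildcard
func fakeResolver(name string) Answer {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	switch {
	case name == "real.wild.example":
		return Answer{Rcode: "NOERROR", A: []string{"203.0.113.10"}}
	case strings.HasSuffix(name, ".api.wild.example"):
		return Answer{Rcode: "NXDOMAIN"} // the echoed CNAME targets do not resolve
	case strings.HasSuffix(name, ".wild.example"):
		label := strings.TrimSuffix(name, ".wild.example")
		return Answer{Rcode: "NOERROR", CNAME: "up." + label + ".api.wild.example"}
	case strings.HasSuffix(name, ".nx.example"):
		return Answer{Rcode: "NXDOMAIN", CNAME: "unknown.cdn.example"}
	}
	return Answer{Rcode: "NXDOMAIN"}
}

// hasRecords reports whether the answer carries any record at all.
func hasRecords(a Answer) bool { return a.CNAME != "" || len(a.A) > 0 }

func joinSorted(addrs []string) string {
	s := append([]string(nil), addrs...)
	sort.Strings(s)
	return strings.Join(s, ",")
}

// naiveKey is the comparison the issue shows failing: a CNAME answer is keyed
// on the CNAME string, so a target that embeds the query label never repeats.
func naiveKey(a Answer) string {
	if a.CNAME != "" {
		return "cname:" + a.CNAME
	}
	return joinSorted(a.A)
}

// targetKey follows the CNAME (bounded by maxHops, so a chain or loop cannot
// run forever) and keys on the addresses it finally resolves to. A target
// that never resolves yields the empty key, which is itself a valid signature.
func targetKey(r Resolver, a Answer, maxHops int) string {
	for hop := 0; a.CNAME != "" && len(a.A) == 0 && hop < maxHops; hop++ {
		a = r(a.CNAME)
	}
	return joinSorted(a.A)
}

// randomLabel builds a probe label that is almost certainly not a real host.
func randomLabel(rng *rand.Rand) string {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
	b := make([]byte, 16)
	for i := range b {
		b[i] = alphabet[rng.Intn(len(alphabet))]
	}
	return string(b)
}

// classify returns "nxdomain", "wildcard" or "real" for one candidate by
// comparing it against a random sibling under the same parent, using either
// the naive CNAME-string key or the target-resolving key.
func classify(r Resolver, name string, byTarget bool, rng *rand.Rand) string {
	ans := r(name)
	if !hasRecords(ans) {
		return "nxdomain"
	}
	parent := name[strings.IndexByte(name, '.')+1:]
	probe := r(randomLabel(rng) + "." + parent)
	if !hasRecords(probe) {
		return "real" // parent has no wildcard, nothing to filter against
	}
	key := func(a Answer) string {
		if byTarget {
			return targetKey(r, a, 4)
		}
		return naiveKey(a)
	}
	if key(ans) == key(probe) {
		return "wildcard"
	}
	return "real"
}

func main() {
	rng := rand.New(rand.NewSource(1))
	for _, n := range []string{"foo.wild.example", "real.wild.example", "foo.nx.example", "foo.plain.example"} {
		fmt.Printf("%-18s naive=%-9s byTarget=%s\n", n,
			classify(fakeResolver, n, false, rng), classify(fakeResolver, n, true, rng))
	}
}
```

Running it shows foo.wild.example surviving the naive comparison (a false positive, exactly the algolia.net case) but being dropped by the target key, while real.wild.example keeps its A record and survives both. Note the trade-off raised above: a candidate whose CNAME points at an unclaimed target gets the same empty key as the wildcard and is filtered, so a tool that does this should still write the CNAMEs it saw to a separate file for takeover review.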

d3mondev commented 3 years ago

I pushed an update (2.0.1) to resolve the first issue:

Wildcard subdomains that resolve to a CNAME with status NXDOMAIN are not filtered. (Have not checked whether NOERROR with CNAME is filtered or not.)

Example domain : doesnotexists.paypal.cn

I'll keep this issue open while the second issue is addressed.

Thanks!