projectdiscovery / nuclei

Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Add DNS Trace for DNS Templates #419

Closed m0chan closed 2 years ago

m0chan commented 3 years ago

Is your feature request related to a problem? Please describe.

Currently, for DNS templates we can only 'match' on terms when a domain is not in an error state. For example, if it's in SERVFAIL, we cannot see the authoritative name servers it fails on.

Describe the solution you'd like

-trace flag - This would allow nuclei to walk the whole DNS tree and match on any user-supplied term it encounters.

Hmu on twitter if you need me to explain in greater depth. m0chan98

indianajson commented 3 years ago

I would like to second this request. There is a group of vulnerabilities relating to DNS that cannot be identified with Nuclei directly because of this limitation. While getting a SERVFAIL back from Nuclei is nice, that leaves a lot of manual work for researchers investigating DNS misconfigurations. Adding +trace would allow that work to be automated into a nice workflow + template.

Mzack9999 commented 3 years ago

This should be covered in https://github.com/projectdiscovery/nuclei/pull/641 (still in development); the internal scripting engine has access to dnsx methods (including trace).

ehsandeep commented 3 years ago

@indianajson @m0chan this is now supported at the template level in the dev branch: trace: true will perform DNS tracing for the requested domain, similar to dig +trace.

dns:
  - name: "{{FQDN}}"
    type: A
    class: inet
    recursion: true
    retries: 3
    trace: true
    trace-max-recursion: 10
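
A toy model of the limitation raised in this thread, as an added example that is not nuclei's code and not part of any comment: it walks constructed delegation data (every name and response is made up, and no network queries are sent) to show that a word matcher finds the delegated name servers in the full trace but not in the final SERVFAIL response. The helper names and the `max_recursion` parameter are assumptions chosen to mirror `trace-max-recursion`.

```python
"""Toy model of DNS tracing over constructed delegation data (no network)."""

# Constructed sample: each server's reply for the queried name. All names are made up.
RESPONSES = {
    "root.": {"rcode": "NOERROR", "referral": ["ns.tld.test."]},
    "ns.tld.test.": {"rcode": "NOERROR",
                     "referral": ["ns1.old-dns-host.test.", "ns2.old-dns-host.test."]},
    "ns1.old-dns-host.test.": {"rcode": "SERVFAIL"},
    "ns2.old-dns-host.test.": {"rcode": "SERVFAIL"},
}

def query(server, qname):
    """Stand-in for one non-recursive query; unknown servers time out."""
    return RESPONSES.get(server, {"rcode": "TIMEOUT"})

def trace(qname, max_recursion=10):
    """Follow referrals down from the root, recording every hop."""
    hops, servers = [], ["root."]
    for _ in range(max_recursion):
        referral = None
        for server in servers:
            resp = query(server, qname)
            hops.append({"server": server, "qname": qname, **resp})
            if "answer" in resp:
                return hops
            referral = referral or resp.get("referral")
        if not referral:
            return hops  # every server at this level failed or was lame
        servers = referral
    return hops

def final_response(hops):
    """What a matcher sees without tracing: the question and the last rcode."""
    return f"{hops[-1]['qname']} {hops[-1]['rcode']}"

def render(hops):
    """Flatten the whole trace into text a word matcher can search."""
    return "\n".join(
        f"{h['qname']} @{h['server']} {h['rcode']} {' '.join(h.get('referral', []))}".rstrip()
        for h in hops)

def match_words(text, words):
    return [w for w in words if w in text]

if __name__ == "__main__":
    hops = trace("app.example.test.")
    print(final_response(hops), match_words(final_response(hops), ["old-dns-host.test."]))
    print(render(hops))
```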