projectdiscovery / shuffledns

MassDNS wrapper written in go to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard filtering and easy input-output support.
https://projectdiscovery.io
GNU General Public License v3.0

Wildcard identification against CNAME #48

Closed Phasip closed 3 years ago

Phasip commented 3 years ago

When a wildcard domain returns a CNAME, shuffledns seems to pass it on even with -strict-wildcard

root@ip-172-31-36-39:~# echo "hello.catchall.sn1.se" | docker run --rm -i phasip/shuffledns -strict-wildcard -silent
hello.catchall.sn1.se
dig hello.catchall.sn1.se @8.8.8.8

; <<>> DiG 9.16.1-Ubuntu <<>> hello.catchall.sn1.se @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44996
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hello.catchall.sn1.se.     IN  A

;; ANSWER SECTION:
hello.catchall.sn1.se.  599 IN  CNAME   localhost.sn1.se.
localhost.sn1.se.   599 IN  A   127.0.0.1

;; Query time: 56 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Oct 16 08:14:11 UTC 2020
;; MSG SIZE  rcvd: 90

Is there some way for me to avoid this behaviour?

Phasip commented 3 years ago

I failed; apparently the -d parameter is needed for the wildcard enumeration, which is clear from the output. Maybe an exception when adding -strict-wildcard without -d would have helped me, but who knows...
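The two points of this thread, as an added Go example that is not shuffledns' own code: wildcard filtering that compares the CNAME target as well as the A records of random probes against each candidate, and a hard error instead of a silently skipped check when no domain is supplied. The resolver is a constructed in-memory stand-in for massdns, modelled on the dig output above (www and its 203.0.113.10 address are made up).

```go
package main

import (
	"fmt"
	"math/rand"
	"strings"
)

// Answer is a simplified DNS answer: the CNAME target, if any, plus the A records.
type Answer struct {
	CNAME string
	A     []string
}
// key canonicalises an answer so the CNAME target, not only the IPs, is compared.
func key(a Answer) string {
	return strings.ToLower(strings.TrimSuffix(a.CNAME, ".")) + "|" + strings.Join(a.A, ",")
}
// FilterWildcards drops names whose answer matches what random labels under domain return; it errors out rather than skipping the check when domain is empty.
func FilterWildcards(resolve func(string) (Answer, bool), domain string, names []string, rnd *rand.Rand) ([]string, error) {
	if domain == "" {
		return nil, fmt.Errorf("wildcard filtering needs a domain (-d in shuffledns)")
	}
	wild := map[string]bool{} // answers that random names under domain produce
	for i := 0; i < 3; i++ {
		ans, ok := resolve(fmt.Sprintf("x%08x.%s", rnd.Uint32(), domain))
		if !ok { // a random name that does not resolve means there is no wildcard
			wild = nil
			break
		}
		wild[key(ans)] = true
	}
	var kept []string
	for _, n := range names {
		if ans, ok := resolve(n); ok && !wild[key(ans)] {
			kept = append(kept, n)
		}
	}
	return kept, nil
}
// fakeResolver is constructed from the dig output above: everything under catchall.sn1.se is a CNAME to localhost.sn1.se, except www, a made-up real host.
func fakeResolver(name string) (Answer, bool) {
	switch name = strings.ToLower(name); {
	case name == "www.catchall.sn1.se":
		return Answer{A: []string{"203.0.113.10"}}, true
	case strings.HasSuffix(name, ".catchall.sn1.se"):
		return Answer{CNAME: "localhost.sn1.se.", A: []string{"127.0.0.1"}}, true
	}
	return Answer{}, false
}
```

With domain "catchall.sn1.se", hello.catchall.sn1.se is dropped because its CNAME and A records match the random probes, while www.catchall.sn1.se survives; with an empty domain the call fails instead of echoing the input back.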