zmap / zdns

Fast DNS Lookup Library and CLI Tool
Apache License 2.0

Enhanced Nameserver Input Validation #356

Closed developStorm closed 5 months ago

developStorm commented 5 months ago

The refactored code leverages the built-in net package to perform more rigorous validation of the input nameserver address. It enforces that the input address be a valid IP address, with or without a port.

Tests

// Valid IPv4 address without port
> echo "google.com,1.1.1.1" | go run . -- A
{...,"resolver":"1.1.1.1:53"},"name":"google.com","status":"NOERROR"...}

// Valid IPv4 address with port
> echo "google.com,8.8.8.8:53" | go run . -- A
{...,"resolver":"8.8.8.8:53"},"name":"google.com","status":"NOERROR"...}

// Valid IPv4 address with non-standard port
> echo "google.com,8.8.8.8:5353" | go run . -- A
{"data":{"protocol":"udp","resolver":"8.8.8.8:5353"},"name":"google.com","status":"TIMEOUT"}

// Invalid IP address with port
> echo "google.com,example.com:80" | go run . -- A
FATA[0000] Unable to parse nameserver: invalid IP address 
exit status 1

// Invalid IP address without port
> echo "google.com,example.com" | go run . -- A
FATA[0000] Unable to parse nameserver: invalid IP address 
exit status 1

// Invalid IPv6 address
> echo "google.com,2001:4860:4860:0:0:0:0:8888:53" | go run . -- A
FATA[0000] Unable to parse nameserver: invalid IP address 
exit status 1

// Valid IPv6 address without port
> echo "google.com,2001:4860:4860::8888" | go run . -- A
{"data":{"protocol":"udp","resolver":"[2001:4860:4860::8888]:53"},"error":"write udp [redacted]:51462-\u003e[2001:4860:4860::8888]:53: address 2001:4860:4860::8888: non-IPv4 address","name":"google.com","status":"ERROR"}

// Valid IPv6 address with non-standard port
> echo "google.com,[2001:4860:4860:0:0:0:0:8888]:5353" | go run . -- A
{"data":{"protocol":"udp","resolver":"[2001:4860:4860:0:0:0:0:8888]:5353"},"error":"write udp [redacted]:49824-\u003e[2001:4860:4860::8888]:5353: address 2001:4860:4860::8888: non-IPv4 address","name":"google.com","status":"ERROR"}

Tests that fail on main branch

// Invalid IP address with port
> echo "google.com,example.com:80" | go run . -- A
{"data":{"protocol":"udp","resolver":"example.com:80"},"name":"google.com","status":"TIMEOUT"}

// Invalid IP address without port
> echo "google.com,example.com" | go run . -- A
{"data":{"protocol":"udp","resolver":"example.com:53"},"name":"google.com","status":"REFUSED"}

resolves #284
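
The validation described in this pull request, sketched as an added example; it is not zdns's own code. `normalizeNameserver`, `defaultDNSPort` and `errInvalidIP` are hypothetical names, and the port range check is an assumption the PR text does not state.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
)

const defaultDNSPort = "53" // matches the ":53" the PR's output shows for port-less input

var errInvalidIP = errors.New("invalid IP address")

// normalizeNameserver is a hypothetical helper, not zdns's own function.
// It accepts an IP literal with or without a port and returns "host:port".
// Hostnames are rejected, so the tool never resolves a resolver name implicitly.
func normalizeNameserver(in string) (string, error) {
	host, port := in, defaultDNSPort
	// A bare IPv4/IPv6 literal parses directly; anything else must be host:port.
	if net.ParseIP(in) == nil {
		h, p, err := net.SplitHostPort(in)
		if err != nil {
			return "", errInvalidIP // e.g. "example.com" or a nine-group IPv6 string
		}
		host, port = h, p
	}
	if net.ParseIP(host) == nil {
		return "", errInvalidIP // e.g. "example.com:80"
	}
	// Assumption: ports outside 1-65535 are rejected (the PR text does not say).
	n, err := strconv.ParseUint(port, 10, 16)
	if err != nil || n == 0 {
		return "", errors.New("invalid port")
	}
	return net.JoinHostPort(host, strconv.FormatUint(n, 10)), nil
}

func main() {
	// Constructed inputs, taken from the cases in the PR description.
	for _, in := range []string{"1.1.1.1", "8.8.8.8:5353", "example.com:80",
		"2001:4860:4860::8888", "2001:4860:4860:0:0:0:0:8888:53"} {
		out, err := normalizeNameserver(in)
		fmt.Printf("%-34q -> %q err=%v\n", in, out, err)
	}
}
```

An unbracketed IPv6 address followed by `:53` is ambiguous, which is why it is rejected and the bracketed `[addr]:port` form is required.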