
Wildcard Domains with CNAME not filtered

Open proabiral opened this issue 4 years ago • 4 comments

Hello,

First of all, thank you for the awesome tool.

  1. Wildcard subdomains that resolve to a CNAME with status NXDOMAIN are not filtered. (I have not checked whether NOERROR with CNAME is filtered or not.)

Example domain : doesnotexists.paypal.cn

  2. If the answer contains part of the DNS query, such a wildcard is not detected.

Example domain : algolia.net

host -t CNAME FOOBAR.algolia.net
FOOBAR.algolia.net is an alias for up.FOOBAR.api.algolia.net.

proabiral, May 26 '21 16:05

Hello,

Thanks for reporting the first issue, it should be fixed in a future release. There is indeed a bug preventing the wildcard detection from kicking in when the domain doesn't have an A record.

For 2), this is very tricky. This is an edge case happening because the DNS server is returning a different answer for each query, effectively bypassing the wildcard filter. Trying to fix this in code could create other false positives or false negatives in other domains. Maybe there should be an option to ignore CNAME records that the user could specify on domains exhibiting this behavior, but I'll have to give it more thought.

d3mondev, May 26 '21 16:05

Thank you for the response @d3mondev. Looking forward to the fix :)

proabiral, Jun 02 '21 03:06

Hi! I got the exact same problem as mentioned by @proabiral. For the algolia.net behavior, trying to find a pattern in the generated CNAME is indeed prone to false negatives or false positives. Instead, puredns could resolve the returned CNAME and use these address(es) as the "key".

In the case of algolia.net, it returns CNAMEs that don't resolve, so an "empty" key should be taken into account.

Therefore, filtering out wildcards that don't resolve would also impact the ability to find potential subdomain takeovers, so if such a feature is implemented, outputting CNAMEs to another file (e.g. a --write-cnames option) could be useful.

nil0x42, Jun 22 '21 12:06
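The keyed approach sketched in the comment above, as an added Go example that is not puredns code: the wildcard key is the set of addresses an answer finally resolves to, so algolia.net-style CNAMEs that embed the query label and never resolve all collapse to the same empty key, while a real host with its own A record does not. The in-memory zone, the addresses and the probe label are constructed for the example.

```go
package main

import (
	"sort"
	"strings"
)

// answer is one constructed DNS response: the CNAME target (empty if none)
// and the A records the name finally resolves to (empty when the chain is dead).
type answer struct {
	cname string
	addrs []string
}

// zone is a constructed in-memory stand-in for a live resolver (hypothetical).
// A "*." entry models a wildcard; "{label}" in its CNAME is replaced with the
// queried label, mimicking algolia.net's different CNAME for every query.
type zone map[string]answer

func (z zone) resolve(name string) answer {
	if a, ok := z[name]; ok {
		return a
	}
	if i := strings.IndexByte(name, '.'); i > 0 {
		if a, ok := z["*"+name[i:]]; ok {
			a.cname = strings.ReplaceAll(a.cname, "{label}", name[:i])
			return a
		}
	}
	return answer{} // NXDOMAIN: no CNAME, no addresses
}

// wildcardKey is the proposed "key": the sorted set of final addresses.
// A CNAME that changes per query but never resolves keys to "" (empty).
func wildcardKey(a answer) string {
	s := append([]string(nil), a.addrs...)
	sort.Strings(s)
	return strings.Join(s, ",")
}

// isWildcard probes a random-looking label under parent and reports whether
// candidate shares the probe's key. The candidate's CNAME is returned as well,
// so it can still be written out for takeover review instead of being lost.
func isWildcard(z zone, candidate, parent string) (wild bool, cname string) {
	probe := z.resolve("zzq7f1x9." + parent) // constructed probe label
	answered := probe.cname != "" || len(probe.addrs) > 0
	cand := z.resolve(candidate)
	return answered && wildcardKey(cand) == wildcardKey(probe), cand.cname
}

// sample is constructed data: a dead per-query CNAME wildcard, one real host
// under it, and a plain A-record wildcard; the addresses are documentation ranges.
var sample = zone{
	"*.algolia.net":       {cname: "up.{label}.api.algolia.net."},
	"www.algolia.net":     {addrs: []string{"203.0.113.10"}},
	"*.example-wild.test": {addrs: []string{"198.51.100.7"}},
}
```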

I pushed an update (2.0.1) to resolve the first issue:

Wildcard subdomains that resolve to a CNAME with status NXDOMAIN are not filtered. (I have not checked whether NOERROR with CNAME is filtered or not.)

Example domain : doesnotexists.paypal.cn

I'll keep this issue open while the second issue is addressed.

Thanks!

d3mondev, Jun 25 '21 07:06