Wildcard Domains with CNAME not filtered #14

Open
proabiral opened this issue May 26, 2021 · 4 comments
Labels
bug Something isn't working

Comments

@proabiral

Hello,

First of all, thank you for the awesome tool.

  1. Wildcard subdomains that resolve to a CNAME with status NXDOMAIN are not filtered. (I have not checked whether NOERROR with CNAME is filtered or not.)

Example domain : doesnotexists.paypal.cn

  2. If the answer contains part of the DNS query, such a wildcard is not detected.

Example domain : algolia.net

host -t CNAME FOOBAR.algolia.net
FOOBAR.algolia.net is an alias for up.FOOBAR.api.algolia.net.
@d3mondev (Owner)

Hello,

Thanks for reporting the first issue, it should be fixed in a future release. There is indeed a bug preventing the wildcard detection from kicking in when the domain doesn't have an A record.

For 2), this is very tricky. This is an edge case happening because the DNS server is returning a different answer for each query, effectively bypassing the wildcard filter. Trying to fix this in code could create other false positives or false negatives in other domains. Maybe there should be an option to ignore CNAME records that the user could specify on domains exhibiting this behavior, but I'll have to give it more thought.

@d3mondev d3mondev added the bug Something isn't working label May 26, 2021
@proabiral (Author)

Thank you for the response @d3mondev . Looking forward to the fix :)

@nil0x42 commented Jun 22, 2021

Hi ! I got the exact same problem as mentioned by @proabiral
For algolia.net behavior, trying to find a pattern in the generated CNAME is indeed prone to false negatives or false positives.
Instead, puredns could resolve the returned CNAME, and use these address(es) as "key".

In the case of algolia.net, it returns CNAMEs that don't resolve, so an "empty" key should be taken into account.

Therefore, filtering out wildcards that don't resolve would also impact the ability to find potential subdomain takeovers, so if such a feature is implemented, outputting CNAMEs to another file (e.g. a --write-cnames option) could be useful.
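The approach sketched in the two reports above and in this comment (key a wildcard on what the CNAME chain finally resolves to, treat a dead-ending chain as an "empty" key, and keep the CNAMEs seen for a separate output file) as an added example. This is not puredns code and not the project's implementation; it uses a constructed offline resolver with placeholder zones under the .test TLD (`cname-nx.test` stands in for the NXDOMAIN-with-CNAME case, `echo.test` for the zone that embeds the queried label in its CNAME target), and the function names are assumptions.

```python
"""Wildcard filtering keyed on the addresses behind a CNAME chain (added example)."""
import random
import string
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# One name's own records: (CNAME target or None, A records). No chain following here.
Answer = Tuple[Optional[str], Tuple[str, ...]]
Resolver = Callable[[str], Answer]


def fake_resolver(name: str) -> Answer:
    """Constructed stand-in for a DNS lookup; all zones below are placeholders."""
    name = name.lower().rstrip(".")
    static: Dict[str, Answer] = {
        "www.normal.test": (None, ("192.0.2.10",)),
        "api.normal.test": ("edge.normal.test", ()),
        "edge.normal.test": (None, ("192.0.2.20",)),
        "real.wild-a.test": (None, ("203.0.113.9",)),   # real record under a wildcard parent
    }
    if name in static:
        return static[name]
    if name.endswith(".wild-a.test"):                    # ordinary A-record wildcard
        return (None, ("198.51.100.5",))
    if name.endswith(".cname-nx.test"):                  # wildcard CNAME, target never exists
        return ("dead-target.invalid", ())
    if name.endswith(".echo.test"):                      # wildcard CNAME that echoes the label
        label = name[: -len(".echo.test")]
        return (f"up.{label}.api.echo-cdn.invalid", ())
    return (None, ())                                    # NXDOMAIN, nothing at all


def resolve_key(resolver: Resolver, name: str, max_depth: int = 8
                ) -> Tuple[Optional[FrozenSet[str]], List[str]]:
    """Follow CNAMEs and return (key, cnames seen along the way).

    key is the set of addresses the chain ends in. An empty set means a CNAME
    came back but nothing behind it resolves (the "empty key" case); None means
    plain NXDOMAIN with no CNAME, i.e. there is nothing to compare against.
    """
    addresses: set = set()
    cnames: List[str] = []
    current = name
    for _ in range(max_depth):          # bounded so a CNAME loop cannot spin forever
        cname, addrs = resolver(current)
        addresses.update(addrs)
        if cname is None:
            break
        cnames.append(cname)
        current = cname
    if not addresses and not cnames:
        return None, cnames
    return frozenset(addresses), cnames


def random_label(rng: random.Random, length: int = 12) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def is_wildcard(resolver: Resolver, name: str, probes: int = 3,
                rng: Optional[random.Random] = None) -> bool:
    """True when random siblings of `name` resolve to the same key as `name`.

    Comparing keys rather than CNAME text is what makes the label-echoing zone
    match: every probe yields a different CNAME but the same empty key.
    """
    rng = rng or random.Random(0)
    if "." not in name:
        return False
    parent = name.split(".", 1)[1]
    key, _ = resolve_key(resolver, name)
    if key is None:
        return False
    for _ in range(probes):
        probe_key, _ = resolve_key(resolver, f"{random_label(rng)}.{parent}")
        if probe_key != key:
            return False
    return True


def filter_wildcards(resolver: Resolver, names: List[str]
                     ) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (names that resolve and are not wildcard-generated, CNAMEs seen).

    The CNAME map is kept for every name, wildcard or not, so dangling targets
    filtered out here can still be written elsewhere (the --write-cnames idea).
    """
    kept: List[str] = []
    cnames: Dict[str, List[str]] = {}
    for name in names:
        key, seen = resolve_key(resolver, name)
        if seen:
            cnames[name] = seen
        if key is None:                 # nothing resolved, nothing to keep
            continue
        if not is_wildcard(resolver, name):
            kept.append(name)
    return kept, cnames


if __name__ == "__main__":
    candidates = ["www.normal.test", "api.normal.test", "nope.normal.test",
                  "real.wild-a.test", "junk.wild-a.test",
                  "doesnotexist.cname-nx.test", "foobar.echo.test"]
    kept, seen = filter_wildcards(fake_resolver, candidates)
    print("kept:", kept)
    print("cnames:", seen)
```

With the constructed resolver, `real.wild-a.test` survives because its address differs from the wildcard's, while both dead-ending CNAME wildcards are dropped yet still appear in the returned CNAME map, which is where the takeover-hunting concern raised in this comment is addressed.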

@d3mondev (Owner)

I pushed an update (2.0.1) to resolve the first issue:

Wildcard subdomains that resolve to a CNAME with status NXDOMAIN are not filtered. (I have not checked whether NOERROR with CNAME is filtered or not.)

Example domain : doesnotexists.paypal.cn

I'll keep this issue open while the second issue is addressed.

Thanks!
