fluidasserts.proto.dns module

This module allows to check vulnerabilities in DNS systems.

fluidasserts.proto.dns.can_amplify(nameserver, domain='google.com.')

Check if nameserver allows amplification attacks.

Parameters

nameserver (str) – IPv4 or 6 to test.

Return type

tuple

fluidasserts.proto.dns.has_cache_poison(domain, nameserver)

Check if cache poisoning is possible.

The check is made by looking DNSSEC records.

Parameters

  • domain (str) – Name of the zone to transfer.

  • nameserver (str) – IPv4 or 6 to test.

Return type

tuple

fluidasserts.proto.dns.has_cache_snooping(nameserver, domain='google.com.')

Check if nameserver has cache snooping.

(supports non recursive queries) :type nameserver: str :param nameserver: IPv4 or 6 to test.

Return type

tuple

fluidasserts.proto.dns.has_recursion(nameserver, domain='google.com.')

Check if nameserver has recursion enabled.

Parameters

nameserver (str) – IPv4 or 6 to test.

Return type

tuple

fluidasserts.proto.dns.has_subdomain_takeover(domain, nameserver, attacker_controlled_domains)

Check if DNS records point to an attacker controlled site.

Check is done recursively starting from domain and all the A, AAAA, and CNAME records found down the road.

See Tutorial.

Parameters

  • domain (str) – IPv4, IPv6, or domain to test.

  • attacker_controlled_domains (typing.List[str]) – A list of domains to expect as vulnerable.

Return type

fluidasserts.Result

fluidasserts.proto.dns.is_dynupdate_enabled(domain, nameserver)

Check if zone updating is enabled.

Parameters

  • domain (str) – Name of the zone to transfer.

  • nameserver (str) – IPv4 or 6 to test.

Return type

tuple

fluidasserts.proto.dns.is_xfr_enabled(domain, nameserver)

Check if zone transfer is enabled.

Parameters

  • domain (str) – Name of the zone to transfer.

  • nameserver (str) – IPv4 or 6 to test.

Return type

tuple