happyDomain/checker-ns-restrictions
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial commit

Browse source
This commit is contained in:
nemunaire 2026-04-08 04:22:00 +07:00
commit b259d9ef18
17 changed files with 809 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

68
README.md Normal file
View file

@ -0,0 +1,68 @@
# checker-ns-restrictions
Authoritative nameserver security restrictions checker for [happyDomain](https://www.happydomain.org/).
For each nameserver of an `abstract.Origin` or `abstract.NSOnlyOrigin`
service, this checker verifies common security misconfigurations:
| Check | Severity on failure |
|--------------------------------|---------------------|
| AXFR zone transfer refused | CRITICAL |
| IXFR zone transfer refused | WARNING |
| Recursion not available (RA) | WARNING |
| ANY query handling (RFC 8482) | WARNING |
| Authoritative answer (AA bit) | INFO |
The checker resolves each NS host, then runs the five DNS probes against
every returned IPv4/IPv6 address. IPv6 targets are skipped gracefully if
the host has no IPv6 connectivity.
## Usage
### Standalone HTTP server
```bash
make
./checker-ns-restrictions -listen :8080
```
The server exposes the standard happyDomain external checker protocol
(`/health`, `/collect`, `/evaluate`, `/definition`).
### Docker
```bash
make docker
docker run -p 8080:8080 happydomain/checker-ns-restrictions
```
### happyDomain plugin
```bash
make plugin
# produces checker-ns-restrictions.so, loadable by happyDomain as a Go plugin
```
The plugin exposes a `NewCheckerPlugin` symbol returning the checker
definition and observation provider, which happyDomain registers in its
global registries at load time.
### Versioning
The binary, plugin, and Docker image embed a version string overridable
at build time:
```bash
make CHECKER_VERSION=1.2.3
make plugin CHECKER_VERSION=1.2.3
make docker CHECKER_VERSION=1.2.3
```
## License
This project does **not** depend on the happyDomain core repository: the
few host types it needs (`ServiceMessage`, `abstract.Origin`,
`abstract.NSOnlyOrigin`) are mirrored as minimal local copies of their
JSON wire shapes. It only depends on
[`checker-sdk-go`](https://git.happydns.org/checker-sdk-go) (Apache 2.0)
and [`miekg/dns`](https://github.com/miekg/dns) (BSD 3-Clause).