Initial commit

2026-04-08 04:22:00 +07:00 · 2026-04-08 04:22:00 +07:00 · b259d9ef18
commit b259d9ef18
17 changed files with 809 additions and 0 deletions
--- a/checker/checks.go
+++ b/checker/checks.go
@ -0,0 +1,164 @@
+package checker
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"time"
+
+	"github.com/miekg/dns"
+)
+
+// checkAXFR returns (ok bool, detail string).
+// ok=false means the server accepted the zone transfer (CRITICAL).
+func checkAXFR(ctx context.Context, domain, addr string) (bool, string) {
+	msg := new(dns.Msg)
+	msg.SetAxfr(dns.Fqdn(domain))
+
+	t := &dns.Transfer{}
+	t.DialTimeout = 5 * time.Second
+	t.ReadTimeout = 10 * time.Second
+
+	ch, err := t.In(msg, net.JoinHostPort(addr, "53"))
+	if err != nil {
+		return true, fmt.Sprintf("transfer refused: %s", err)
+	}
+
+	for env := range ch {
+		if env.Error != nil {
+			return true, fmt.Sprintf("transfer error: %s", env.Error)
+		}
+		for _, rr := range env.RR {
+			if rr.Header().Rrtype == dns.TypeSOA {
+				return false, "AXFR zone transfer accepted"
+			}
+		}
+	}
+
+	return true, "AXFR refused"
+}
+
+// checkIXFR returns (ok bool, detail string).
+// ok=false means the server answered with records (WARN).
+func checkIXFR(ctx context.Context, domain, addr string) (bool, string) {
+	msg := new(dns.Msg)
+	msg.SetIxfr(dns.Fqdn(domain), 0, "", "")
+
+	cl := &dns.Client{Net: "udp", Timeout: 5 * time.Second}
+	resp, _, err := cl.ExchangeContext(ctx, msg, net.JoinHostPort(addr, "53"))
+	if err != nil {
+		return true, fmt.Sprintf("query failed: %s", err)
+	}
+
+	if resp.Rcode != dns.RcodeSuccess {
+		return true, fmt.Sprintf("IXFR refused (rcode=%s)", dns.RcodeToString[resp.Rcode])
+	}
+	if len(resp.Answer) > 0 {
+		return false, fmt.Sprintf("IXFR accepted with %d answer(s)", len(resp.Answer))
+	}
+
+	return true, "IXFR refused or empty"
+}
+
+// checkNoRecursion returns (ok bool, detail string).
+// ok=false means the server offers recursion (WARN).
+func checkNoRecursion(ctx context.Context, domain, addr string) (bool, string) {
+	msg := new(dns.Msg)
+	msg.SetQuestion(dns.Fqdn(domain), dns.TypeSOA)
+	msg.RecursionDesired = true
+
+	cl := &dns.Client{Net: "udp", Timeout: 5 * time.Second}
+	resp, _, err := cl.ExchangeContext(ctx, msg, net.JoinHostPort(addr, "53"))
+	if err != nil {
+		return true, fmt.Sprintf("query failed: %s", err)
+	}
+
+	if resp.RecursionAvailable {
+		return false, "recursion available (RA bit set)"
+	}
+	return true, "recursion not available"
+}
+
+// checkANYHandled returns (ok bool, detail string).
+// ok=false means the server returned a full record set for ANY (WARN).
+// Per RFC 8482, servers should return HINFO or a minimal response.
+func checkANYHandled(ctx context.Context, domain, addr string) (bool, string) {
+	msg := new(dns.Msg)
+	msg.SetQuestion(dns.Fqdn(domain), dns.TypeANY)
+
+	cl := &dns.Client{Net: "udp", Timeout: 5 * time.Second}
+	resp, _, err := cl.ExchangeContext(ctx, msg, net.JoinHostPort(addr, "53"))
+	if err != nil {
+		return true, fmt.Sprintf("query failed: %s", err)
+	}
+
+	if resp.Rcode != dns.RcodeSuccess {
+		return true, fmt.Sprintf("ANY refused (rcode=%s)", dns.RcodeToString[resp.Rcode])
+	}
+
+	if len(resp.Answer) == 1 {
+		if _, ok := resp.Answer[0].(*dns.HINFO); ok {
+			return true, "RFC 8482 compliant HINFO response"
+		}
+	}
+
+	if len(resp.Answer) == 0 {
+		return true, "ANY returned empty answer"
+	}
+
+	return false, fmt.Sprintf("ANY returned %d records (not RFC 8482 compliant)", len(resp.Answer))
+}
+
+// checkIsAuthoritative returns (ok bool, detail string).
+// ok=false means the server is not authoritative for the zone (INFO).
+func checkIsAuthoritative(ctx context.Context, domain, addr string) (bool, string) {
+	msg := new(dns.Msg)
+	msg.SetQuestion(dns.Fqdn(domain), dns.TypeSOA)
+
+	cl := &dns.Client{Net: "udp", Timeout: 5 * time.Second}
+	resp, _, err := cl.ExchangeContext(ctx, msg, net.JoinHostPort(addr, "53"))
+	if err != nil {
+		return false, fmt.Sprintf("query failed: %s", err)
+	}
+
+	if resp.Authoritative {
+		return true, "server is authoritative (AA bit set)"
+	}
+	return false, "server is not authoritative (AA bit not set)"
+}
+
+// Stable check names. They are part of the JSON wire format of
+// NSRestrictionsReport and used by individual rules to look up their
+// corresponding entry, so they MUST NOT change without coordinating with
+// the rule definitions.
+const (
+	checkNameAXFR            = "AXFR refused"
+	checkNameIXFR            = "IXFR refused"
+	checkNameNoRecursion     = "No recursion"
+	checkNameANYHandled      = "ANY handled (RFC 8482)"
+	checkNameIsAuthoritative = "Is authoritative"
+)
+
+// checkServerAddr runs all NS security checks against a single IP address.
+func checkServerAddr(ctx context.Context, domain, nsHost, addr string) NSServerResult {
+	result := NSServerResult{Name: nsHost, Address: addr}
+
+	type checkDef struct {
+		name string
+		fn   func(context.Context, string, string) (bool, string)
+	}
+	checks := []checkDef{
+		{checkNameAXFR, checkAXFR},
+		{checkNameIXFR, checkIXFR},
+		{checkNameNoRecursion, checkNoRecursion},
+		{checkNameANYHandled, checkANYHandled},
+		{checkNameIsAuthoritative, checkIsAuthoritative},
+	}
+
+	for _, ch := range checks {
+		ok, detail := ch.fn(ctx, domain, addr)
+		result.Checks = append(result.Checks, NSCheckItem{Name: ch.name, OK: ok, Detail: detail})
+	}
+
+	return result
+}