
checker-ns-restrictions

Authoritative nameserver security restrictions checker for happyDomain.

For each nameserver of an abstract.Origin or abstract.NSOnlyOrigin service, this checker resolves the NS host name, then runs a set of DNS probes against every returned IPv4/IPv6 address. IPv6 targets are skipped gracefully if the host has no IPv6 connectivity. See Rules below for the full list of checks performed.

Usage

Standalone HTTP server

make
./checker-ns-restrictions -listen :8080

The server exposes the standard happyDomain external checker protocol (/health, /collect, /evaluate, /definition).

Docker

make docker
docker run -p 8080:8080 happydomain/checker-ns-restrictions

happyDomain plugin

make plugin
# produces checker-ns-restrictions.so, loadable by happyDomain as a Go plugin

The plugin exposes a NewCheckerPlugin symbol returning the checker definition and observation provider, which happyDomain registers in its global registries at load time.

Deployment

The /collect endpoint has no built-in authentication and will issue DNS queries (including AXFR/IXFR/ANY zone-transfer attempts) to whatever addresses the supplied NS hostnames resolve to. A caller that controls the input domain can publish NS records pointing at arbitrary IPs, including private/internal ranges (RFC 1918, loopback, link-local) or unrelated third-party hosts, and use this checker as an SSRF / probing relay against them. It is meant to run on a trusted network, reachable only by the happyDomain instance that drives it. Restrict access via a reverse proxy with authentication, a network ACL, or by binding the listener to a private interface; do not expose it directly to the public internet.
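The two mitigations above (keep the listener off the public internet, and refuse to probe non-routable targets) can also be enforced in code. The following is an added hardening sketch, not code from checker-ns-restrictions or from the happyDomain checker SDK: it drops resolved NS addresses that fall into loopback, RFC 1918/ULA, link-local, multicast or unspecified space, and gates every path except /health behind a shared bearer token. The `CHECKER_TOKEN` environment variable, the `filterTargets` and `requireToken` names, and the loopback bind address are assumptions chosen for this example.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net"
	"net/http"
	"os"
)

// Added hardening sketch, not code from checker-ns-restrictions. CHECKER_TOKEN
// is a hypothetical environment variable used only by this example.

// isDisallowedTarget reports whether an address resolved from an NS host name
// must not be probed: loopback, RFC 1918 / ULA private space, link-local,
// multicast or the unspecified address.
func isDisallowedTarget(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// filterTargets splits resolved addresses into those safe to probe and those
// dropped, so the caller can report the dropped ones instead of silently
// skipping them.
func filterTargets(addrs []net.IP) (kept, dropped []net.IP) {
	for _, ip := range addrs {
		if isDisallowedTarget(ip) {
			dropped = append(dropped, ip)
		} else {
			kept = append(kept, ip)
		}
	}
	return kept, dropped
}

// requireToken lets /health through unauthenticated (Docker's HEALTHCHECK needs
// it) and requires "Authorization: Bearer <token>" on every other path.
// The comparison is constant-time so the token cannot be guessed byte by byte.
func requireToken(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/health" {
			next.ServeHTTP(w, r)
			return
		}
		want := []byte("Bearer " + token)
		got := []byte(r.Header.Get("Authorization"))
		if subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	token := os.Getenv("CHECKER_TOKEN")
	if token == "" {
		log.Fatal("CHECKER_TOKEN must be set")
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	// The checker's real /collect, /evaluate and /definition handlers would be
	// registered on mux here, calling filterTargets before any DNS probe.

	// Bind to loopback so only a local reverse proxy or the happyDomain
	// instance on this host can reach the listener at all.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", requireToken(token, mux)))
}
```

The address filter closes the private-range relay case; the token and the loopback bind are what stop an untrusted caller from using the checker against unrelated third-party hosts, since those addresses are by definition routable and cannot be filtered by range.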

Versioning

The binary, plugin, and Docker image embed a version string overridable at build time:

make CHECKER_VERSION=1.2.3
make plugin CHECKER_VERSION=1.2.3
make docker CHECKER_VERSION=1.2.3

Rules

Each rule emits one CheckState per probed nameserver address, carrying a stable code so downstream consumers can match on them deterministically.

| Rule | Description | Severity on failure |
| --- | --- | --- |
| ns_resolution | Verifies that every NS host name declared in the delegation resolves to at least one IP address. | CRITICAL |
| ns_axfr_refused | Verifies that AXFR zone transfers are refused by every authoritative nameserver. | CRITICAL |
| ns_ixfr_refused | Verifies that IXFR zone transfers are refused by every authoritative nameserver. | WARNING |
| ns_no_recursion | Verifies that authoritative nameservers do not advertise recursion (RA bit unset). | WARNING |
| ns_any_handled | Verifies that ANY queries are handled per RFC 8482 (HINFO or minimal answer). | WARNING |
| ns_is_authoritative | Verifies that nameservers answer authoritatively (AA bit set) for the zone. | INFO |
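Four of the rules above can be decided from the 12-byte DNS header alone (AA bit, RA bit, RCODE and answer count). The following is an added example, not the checker's own implementation or the SDK's types: it parses the header of a raw response, evaluates ns_is_authoritative, ns_no_recursion, ns_axfr_refused and ns_ixfr_refused, and emits one CheckState per rule carrying the stable code and severity from the table. The `CheckState` struct shape, the `parseHeader` and `evaluateResponses` names, and the sample responses (constructed header-only byte strings) are assumptions made for this example; the real checker's ANY and resolution rules need record parsing and a resolver and are not shown.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not code from checker-ns-restrictions. Type and function
// names are illustrative; rule codes and severities follow the README table.

type Severity string

const (
	Critical Severity = "CRITICAL"
	Warning  Severity = "WARNING"
	Info     Severity = "INFO"
)

// CheckState is one rule outcome for one probed nameserver address. Code is
// the stable rule identifier so downstream consumers can match on it.
type CheckState struct {
	Code     string
	Severity Severity
	OK       bool
	Detail   string
}

// dnsHeader holds the fields of the fixed DNS message header (RFC 1035 4.1.1).
type dnsHeader struct {
	ID                 uint16
	QR, AA, TC, RD, RA bool
	Opcode, RCode      uint8
	QDCount, ANCount   uint16
}

const (
	rcodeNoError uint8 = 0
	rcodeNotImp  uint8 = 4
	rcodeRefused uint8 = 5
	rcodeNotAuth uint8 = 9
)

// parseHeader decodes the 12-byte header of a raw DNS response.
func parseHeader(msg []byte) (dnsHeader, error) {
	if len(msg) < 12 {
		return dnsHeader{}, errors.New("DNS message shorter than 12-byte header")
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	return dnsHeader{
		ID:      binary.BigEndian.Uint16(msg[0:2]),
		QR:      flags&0x8000 != 0,
		Opcode:  uint8(flags>>11) & 0x0F,
		AA:      flags&0x0400 != 0,
		TC:      flags&0x0200 != 0,
		RD:      flags&0x0100 != 0,
		RA:      flags&0x0080 != 0,
		RCode:   uint8(flags & 0x000F),
		QDCount: binary.BigEndian.Uint16(msg[4:6]),
		ANCount: binary.BigEndian.Uint16(msg[6:8]),
	}, nil
}

// ruleIsAuthoritative: the SOA answer for the zone must carry the AA bit.
func ruleIsAuthoritative(h dnsHeader) CheckState {
	return CheckState{Code: "ns_is_authoritative", Severity: Info, OK: h.AA,
		Detail: fmt.Sprintf("AA=%v rcode=%d", h.AA, h.RCode)}
}

// ruleNoRecursion: an authoritative server must not advertise recursion (RA unset).
func ruleNoRecursion(h dnsHeader) CheckState {
	return CheckState{Code: "ns_no_recursion", Severity: Warning, OK: !h.RA,
		Detail: fmt.Sprintf("RA=%v", h.RA)}
}

// ruleTransferRefused treats a transfer as refused on REFUSED, NOTAUTH or
// NOTIMP, or on NOERROR with an empty answer section. NOERROR with records
// means the zone was served. A full probe would also walk the answer RRs;
// this header-only check is a simplification for the example.
func ruleTransferRefused(code string, sev Severity, h dnsHeader) CheckState {
	refused := h.RCode == rcodeRefused || h.RCode == rcodeNotAuth || h.RCode == rcodeNotImp ||
		(h.RCode == rcodeNoError && h.ANCount == 0)
	return CheckState{Code: code, Severity: sev, OK: refused,
		Detail: fmt.Sprintf("rcode=%d ancount=%d", h.RCode, h.ANCount)}
}

// evaluateResponses applies the header-level rules to the raw responses to the
// SOA, AXFR and IXFR probes sent to one nameserver address.
func evaluateResponses(soaResp, axfrResp, ixfrResp []byte) ([]CheckState, error) {
	soa, err := parseHeader(soaResp)
	if err != nil {
		return nil, fmt.Errorf("SOA probe: %w", err)
	}
	axfr, err := parseHeader(axfrResp)
	if err != nil {
		return nil, fmt.Errorf("AXFR probe: %w", err)
	}
	ixfr, err := parseHeader(ixfrResp)
	if err != nil {
		return nil, fmt.Errorf("IXFR probe: %w", err)
	}
	return []CheckState{
		ruleIsAuthoritative(soa),
		ruleNoRecursion(soa),
		ruleTransferRefused("ns_axfr_refused", Critical, axfr),
		ruleTransferRefused("ns_ixfr_refused", Warning, ixfr),
	}, nil
}

// sampleResponse builds a constructed header-only response (no question or
// answer bodies) with the given flags word and answer count, for offline use.
func sampleResponse(flags, ancount uint16) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint16(b[0:2], 0x1234)
	binary.BigEndian.PutUint16(b[2:4], flags)
	binary.BigEndian.PutUint16(b[4:6], 1)
	binary.BigEndian.PutUint16(b[6:8], ancount)
	return b
}

func main() {
	// Well-behaved server: SOA answered with AA set and RA clear, transfers REFUSED.
	good, _ := evaluateResponses(sampleResponse(0x8400, 1), sampleResponse(0x8005, 0), sampleResponse(0x8005, 0))
	// Misconfigured server: RA advertised, AXFR/IXFR served with 42 records each.
	bad, _ := evaluateResponses(sampleResponse(0x8580, 1), sampleResponse(0x8400, 42), sampleResponse(0x8400, 42))
	for _, s := range append(good, bad...) {
		fmt.Printf("%-20s %-8s ok=%-5v %s\n", s.Code, s.Severity, s.OK, s.Detail)
	}
}
```

Flag words used in the samples: 0x8400 is QR|AA, 0x8005 is QR with RCODE 5 (REFUSED), 0x8580 is QR|AA|RD|RA. Because each rule returns its own CheckState, a consumer can key on the code (for example alerting on any ns_axfr_refused with OK=false) without parsing the human-readable detail.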

License

MIT (see LICENSE). Third-party attributions in NOTICE.