# checker-ns-restrictions
Authoritative nameserver security restrictions checker for happyDomain.
For each nameserver of an abstract.Origin or abstract.NSOnlyOrigin
service, this checker verifies common security misconfigurations:
| Check | Severity on failure |
|---|---|
| AXFR zone transfer refused | CRITICAL |
| IXFR zone transfer refused | WARNING |
| Recursion not available (RA) | WARNING |
| ANY query handling (RFC 8482) | WARNING |
| Authoritative answer (AA bit) | INFO |
The checker resolves each NS host, then runs the five DNS probes against every returned IPv4/IPv6 address. IPv6 targets are skipped gracefully if the host has no IPv6 connectivity.
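The following is an added, stand-alone illustration of the five probes in the table above and is not the checker's own code: the project builds on miekg/dns, whereas this example encodes and decodes the DNS wire format by hand with only the Go standard library so it runs offline. The `Severity` constants, the `Finding` type, the `Evaluate*` functions and the constructed `sampleResponse` replies for `example.com` are all this example's own assumptions; the grading rules follow the README's table (a transfer that returns records fails, RA set fails, a non-minimal ANY answer fails, a missing AA bit is informational).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Severity labels as used in the README's table (constant names are this example's own).
type Severity string

const (
	SevOK       Severity = "OK"
	SevInfo     Severity = "INFO"
	SevWarning  Severity = "WARNING"
	SevCritical Severity = "CRITICAL"
)

// Wire-format constants: RFC 1035 header bits and RR types; HINFO is the RFC 8482 minimal answer.
const (
	flagQR, flagAA, flagRA, rcodeMask = 1 << 15, 1 << 10, 1 << 7, 0xF
	RcodeNoError, RcodeRefused       = 0, 5
	TypeSOA, TypeHINFO, TypeIXFR     = uint16(6), uint16(13), uint16(251)
	TypeAXFR, TypeANY, ClassIN       = uint16(252), uint16(255), uint16(1)
)

// Finding is what one probe yields once the reply is decoded.
type Finding struct {
	AA, RA          bool
	Rcode           int
	AnswerCount     int
	FirstAnswerType uint16 // 0 when the answer section is empty
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// BuildQuery encodes a one-question query (no EDNS) for name/qtype, class IN.
func BuildQuery(id uint16, name string, qtype uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:2], id)
	binary.BigEndian.PutUint16(msg[4:6], 1) // QDCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0) // root label terminates the name
	return put16(put16(msg, qtype), ClassIN)
}

// skipName returns the offset just past a domain name, compressed or not.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		switch l := int(msg[off]); {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0: // compression pointer: two bytes end the name
			return off + 2, nil
		default:
			off += 1 + l
		}
	}
	return 0, errors.New("truncated name")
}

// Decode extracts the header flags and the type of the first answer RR from a reply.
func Decode(msg []byte) (Finding, error) {
	if len(msg) < 12 {
		return Finding{}, errors.New("shorter than a DNS header")
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	if flags&flagQR == 0 {
		return Finding{}, errors.New("not a response")
	}
	f := Finding{AA: flags&flagAA != 0, RA: flags&flagRA != 0, Rcode: int(flags & rcodeMask),
		AnswerCount: int(binary.BigEndian.Uint16(msg[6:8]))}
	off, err := 12, error(nil)
	for i := 0; i < int(binary.BigEndian.Uint16(msg[4:6])); i++ { // skip the question section
		if off, err = skipName(msg, off); err != nil {
			return f, err
		}
		off += 4 // QTYPE + QCLASS
	}
	if f.AnswerCount > 0 {
		if off, err = skipName(msg, off); err != nil || off+2 > len(msg) {
			return f, errors.New("truncated answer section")
		}
		f.FirstAnswerType = binary.BigEndian.Uint16(msg[off : off+2])
	}
	return f, nil
}

// EvaluateTransfer: a transfer answered NOERROR with records means the zone was handed over.
func EvaluateTransfer(f Finding, qtype uint16) Severity {
	if f.Rcode != RcodeNoError || f.AnswerCount == 0 {
		return SevOK
	}
	if qtype == TypeAXFR {
		return SevCritical
	}
	return SevWarning
}

// EvaluateRecursion: an authoritative-only server should not advertise RA.
func EvaluateRecursion(f Finding) Severity {
	if f.RA {
		return SevWarning
	}
	return SevOK
}

// EvaluateANY accepts REFUSED, an empty answer, or the RFC 8482 minimal reply, modelled here
// as a single HINFO RR (RFC 8482 also allows returning just one real RRset; not handled here).
func EvaluateANY(f Finding) Severity {
	if f.Rcode == RcodeRefused || f.AnswerCount == 0 || (f.AnswerCount == 1 && f.FirstAnswerType == TypeHINFO) {
		return SevOK
	}
	return SevWarning
}

// EvaluateAuthority: a reply for the zone apex should carry the AA bit.
func EvaluateAuthority(f Finding) Severity {
	if f.AA {
		return SevOK
	}
	return SevInfo
}

// sampleResponse is a constructed reply for example.com (not captured from any real server):
// the given header flags/rcode plus one empty-RDATA answer RR per listed type.
func sampleResponse(flags uint16, answerTypes ...uint16) []byte {
	msg := BuildQuery(0x1234, "example.com", TypeANY)
	binary.BigEndian.PutUint16(msg[2:4], flagQR|flags)
	binary.BigEndian.PutUint16(msg[6:8], uint16(len(answerTypes)))
	for _, t := range answerTypes {
		msg = append(msg, 0xC0, 0x0C)                 // NAME: pointer to the question name
		msg = put16(put16(put16(msg, t), ClassIN), 0) // TYPE, CLASS, TTL high half
		msg = put16(put16(msg, 60), 0)                // TTL low half (60s), RDLENGTH 0
	}
	return msg
}

func main() {
	full, _ := Decode(sampleResponse(flagAA, TypeSOA, TypeSOA))
	refused, _ := Decode(sampleResponse(flagAA | RcodeRefused))
	fmt.Println("AXFR leaked :", EvaluateTransfer(full, TypeAXFR))    // CRITICAL
	fmt.Println("AXFR refused:", EvaluateTransfer(refused, TypeAXFR)) // OK
	fmt.Println("ANY full    :", EvaluateANY(full))                   // WARNING
}
```

In a real run each `Finding` would come from sending `BuildQuery(...)` to one resolved NS address and decoding the reply; the same decode-then-grade split lets the grading rules be unit-tested without any network, which is also how the table's severities can be checked against captured replies.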
## Usage

### Standalone HTTP server

```sh
make
./checker-ns-restrictions -listen :8080
```
The server exposes the standard happyDomain external checker protocol
(`/health`, `/collect`, `/evaluate`, `/definition`).
### Docker

```sh
make docker
docker run -p 8080:8080 happydomain/checker-ns-restrictions
```
### happyDomain plugin

```sh
make plugin
# produces checker-ns-restrictions.so, loadable by happyDomain as a Go plugin
```
The plugin exposes a `NewCheckerPlugin` symbol returning the checker
definition and observation provider, which happyDomain registers in its
global registries at load time.
## Versioning

The binary, plugin, and Docker image embed a version string overridable at build time:

```sh
make CHECKER_VERSION=1.2.3
make plugin CHECKER_VERSION=1.2.3
make docker CHECKER_VERSION=1.2.3
```
## License

This project does not depend on the happyDomain core repository: the
few host types it needs (`ServiceMessage`, `abstract.Origin`,
`abstract.NSOnlyOrigin`) are mirrored as minimal local copies of their
JSON wire shapes. It only depends on checker-sdk-go (Apache 2.0)
and miekg/dns (BSD 3-Clause).