checker-ns-restrictions

Authoritative nameserver security restrictions checker for happyDomain.

For each nameserver of an abstract.Origin or abstract.NSOnlyOrigin service, this checker verifies common security misconfigurations:

| Check | Severity on failure |
|---|---|
| AXFR zone transfer refused | CRITICAL |
| IXFR zone transfer refused | WARNING |
| Recursion not available (RA) | WARNING |
| ANY query handling (RFC 8482) | WARNING |
| Authoritative answer (AA bit) | INFO |

The checker resolves each NS host, then runs the five DNS probes against every returned IPv4/IPv6 address. IPv6 targets are skipped gracefully if the host has no IPv6 connectivity.

Usage

Standalone HTTP server

make
./checker-ns-restrictions -listen :8080

The server exposes the standard happyDomain external checker protocol (/health, /collect, /evaluate, /definition).

Docker

make docker
docker run -p 8080:8080 happydomain/checker-ns-restrictions

happyDomain plugin

make plugin
# produces checker-ns-restrictions.so, loadable by happyDomain as a Go plugin

The plugin exposes a NewCheckerPlugin symbol returning the checker definition and observation provider, which happyDomain registers in its global registries at load time.

Deployment

The /collect endpoint has no built-in authentication and will issue DNS queries (including AXFR/IXFR/ANY zone-transfer attempts) to whatever addresses the supplied NS hostnames resolve to. A caller that controls the input domain can publish NS records pointing at arbitrary IPs, including private/internal ranges (RFC 1918, loopback, link-local) or unrelated third-party hosts, and use this checker as an SSRF / probing relay against them. It is meant to run on a trusted network, reachable only by the happyDomain instance that drives it. Restrict access via a reverse proxy with authentication, a network ACL, or by binding the listener to a private interface; do not expose it directly to the public internet.
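One extra layer beyond the network restrictions above is to refuse to probe resolved NS addresses that fall in the ranges the paragraph lists. The following is an added example, not code from this repository: it uses only Go's standard `net/netip`, and the `extraBlocked` list, `rejectReason` and `filterTargets` names are assumptions of this example rather than anything the checker defines.

```go
package main

import "net/netip"

// Ranges netip's own predicates do not flag but that must not be probed either (assumed list).
var extraBlocked = []netip.Prefix{
	netip.MustParsePrefix("100.64.0.0/10"), // shared address space (CGNAT)
	netip.MustParsePrefix("0.0.0.0/8"),     // "this" network
}

// rejectReason returns "" when addr may be probed, otherwise why it must be skipped.
func rejectReason(addr netip.Addr) string {
	addr = addr.Unmap() // ::ffff:127.0.0.1 must not bypass the IPv4 checks
	switch {
	case addr.IsLoopback():
		return "loopback"
	case addr.IsPrivate(): // RFC 1918 and fc00::/7
		return "private"
	case addr.IsLinkLocalUnicast(), addr.IsMulticast():
		return "link-local or multicast"
	}
	for _, p := range extraBlocked {
		if p.Contains(addr) {
			return "reserved"
		}
	}
	return ""
}

// filterTargets splits resolved NS addresses into probe targets and skipped ones, keyed by input string with the reason.
func filterTargets(resolved []string) (probe []netip.Addr, skipped map[string]string) {
	skipped = map[string]string{}
	for _, s := range resolved {
		a, err := netip.ParseAddr(s)
		if err != nil {
			skipped[s] = "unparseable"
		} else if r := rejectReason(a); r != "" {
			skipped[s] = r
		} else {
			probe = append(probe, a)
		}
	}
	return probe, skipped
}

func main() {
	probe, skipped := filterTargets([]string{"192.0.2.53", "10.0.0.5", "::ffff:127.0.0.1", "fe80::1"}) // constructed sample
	println(len(probe), "probe target(s),", len(skipped), "skipped")
}
```

Run the filter on the addresses returned for each NS host before the five probes are issued; the `skipped` map gives a per-address reason suitable for an INFO-level observation.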

Versioning

The binary, plugin, and Docker image embed a version string overridable at build time:

make CHECKER_VERSION=1.2.3
make plugin CHECKER_VERSION=1.2.3
make docker CHECKER_VERSION=1.2.3

License

This project does not depend on the happyDomain core repository: the few host types it needs (ServiceMessage, abstract.Origin, abstract.NSOnlyOrigin) are mirrored as minimal local copies of their JSON wire shapes. It only depends on checker-sdk-go (Apache 2.0) and miekg/dns (BSD 3-Clause).