Initial commit
Generic SRV records checker for happyDomain.
For each SRV record attached to an svcs.UnknownSRV service, the checker
resolves every target and probes reachability:
- DNS resolution (A/AAAA), CNAME detection (RFC 2782 violation),
null-target detection (RFC 2782 "service explicitly unavailable")
- TCP connect to target:port for _tcp SRVs
- UDP probe for _udp SRVs, using ICMP port-unreachable detection
The checker also publishes TLS endpoints (host, port, SNI) for every
SRV target hitting a well-known direct-TLS port (443, 465, 636, 853,
993, 995, 5061, 5223, …) via the EndpointDiscoverer SDK interface, so
a downstream TLS checker can pick them up.
The HTML report groups records as cards and surfaces the most common
failure scenarios (DNS failure, CNAME target, TCP unreachable,
null-target) at the top with remediation guidance.
This commit is contained in:
commit
9243551b58
15 changed files with 1362 additions and 0 deletions
67
checker/discover.go
Normal file
67
checker/discover.go
Normal file
|
|
@ -0,0 +1,67 @@
|
|||
package checker
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
sdk "git.happydns.org/checker-sdk-go/checker"
|
||||
)
|
||||
|
||||
// directTLSServices enumerates SRV service names (the "service" part of
|
||||
// _service._proto.domain) that by convention mean "direct TLS on connect",
|
||||
// as opposed to STARTTLS or plaintext.
|
||||
//
|
||||
// Matching on the service name is more authoritative than matching on the
|
||||
// port: port 636 could carry anything, but _ldaps._tcp unambiguously
|
||||
// designates LDAP over TLS — even on a non-standard port. Conversely, a
|
||||
// site may run HTTPS on a non-443 port and still want it probed.
|
||||
//
|
||||
// STARTTLS variants (_xmpp-client, _smtp, _submission, _imap, _pop3…) are
|
||||
// intentionally excluded here; a dedicated endpoint type (e.g.
|
||||
// "smtp-starttls") will be introduced when a TLS checker grows the
|
||||
// capability to upgrade those protocols.
|
||||
var directTLSServices = map[string]bool{
|
||||
"https": true,
|
||||
"ftps": true, // FTPS implicit
|
||||
"smtps": true, // SMTP over TLS (legacy port 465 semantics)
|
||||
"submissions": true, // RFC 8314: SMTP submission over TLS
|
||||
"imaps": true,
|
||||
"pop3s": true,
|
||||
"nntps": true,
|
||||
"ircs": true,
|
||||
"telnets": true,
|
||||
"ldaps": true,
|
||||
"sips": true,
|
||||
"ipps": true, // IPP over TLS (printing)
|
||||
"xmpps-client": true, // XMPP client over direct TLS
|
||||
"xmpps-server": true, // XMPP server-to-server over direct TLS
|
||||
"mqtts": true,
|
||||
"coaps": true,
|
||||
"stuns": true,
|
||||
"turns": true,
|
||||
}
|
||||
|
||||
// DiscoverEndpoints is invoked right after Collect. It declares (host, port)
|
||||
// pairs worth testing by other checkers — here: TLS endpoints whose SRV
|
||||
// service name is a known direct-TLS protocol (see directTLSServices).
|
||||
func (p *srvProvider) DiscoverEndpoints(data any) ([]sdk.DiscoveredEndpoint, error) {
|
||||
d, ok := data.(*SRVData)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("unexpected data type %T", data)
|
||||
}
|
||||
var out []sdk.DiscoveredEndpoint
|
||||
for _, r := range d.Records {
|
||||
if r.IsNullTarget || r.Target == "" {
|
||||
continue
|
||||
}
|
||||
if !directTLSServices[r.Service] {
|
||||
continue
|
||||
}
|
||||
out = append(out, sdk.DiscoveredEndpoint{
|
||||
Type: "tls",
|
||||
Host: r.Target,
|
||||
Port: r.Port,
|
||||
SNI: r.Target,
|
||||
})
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue