Pierre-Olivier Mercier
9243551b58
Generic SRV records checker for happyDomain.
For each SRV record attached to an svcs.UnknownSRV service, the checker
resolves every target and probes reachability:
- DNS resolution (A/AAAA), CNAME detection (RFC 2782 violation),
null-target detection (RFC 2782 "service explicitly unavailable")
- TCP connect to target:port for _tcp SRVs
- UDP probe for _udp SRVs, using ICMP port-unreachable detection
The checker also publishes TLS endpoints (host, port, SNI) for every
SRV target hitting a well-known direct-TLS port (443, 465, 636, 853,
993, 995, 5061, 5223, …) via the EndpointDiscoverer SDK interface, so
a downstream TLS checker can pick them up.
The HTML report groups records as cards and surfaces the most common
failure scenarios (DNS failure, CNAME target, TCP unreachable,
null-target) at the top with remediation guidance.
67 lines
2.1 KiB
Go
67 lines
2.1 KiB
Go
package checker
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
)
|
|
|
|
// directTLSServices enumerates SRV service names (the "service" part of
|
|
// _service._proto.domain) that by convention mean "direct TLS on connect",
|
|
// as opposed to STARTTLS or plaintext.
|
|
//
|
|
// Matching on the service name is more authoritative than matching on the
|
|
// port: port 636 could carry anything, but _ldaps._tcp unambiguously
|
|
// designates LDAP over TLS — even on a non-standard port. Conversely, a
|
|
// site may run HTTPS on a non-443 port and still want it probed.
|
|
//
|
|
// STARTTLS variants (_xmpp-client, _smtp, _submission, _imap, _pop3…) are
|
|
// intentionally excluded here; a dedicated endpoint type (e.g.
|
|
// "smtp-starttls") will be introduced when a TLS checker grows the
|
|
// capability to upgrade those protocols.
|
|
var directTLSServices = map[string]bool{
|
|
"https": true,
|
|
"ftps": true, // FTPS implicit
|
|
"smtps": true, // SMTP over TLS (legacy port 465 semantics)
|
|
"submissions": true, // RFC 8314: SMTP submission over TLS
|
|
"imaps": true,
|
|
"pop3s": true,
|
|
"nntps": true,
|
|
"ircs": true,
|
|
"telnets": true,
|
|
"ldaps": true,
|
|
"sips": true,
|
|
"ipps": true, // IPP over TLS (printing)
|
|
"xmpps-client": true, // XMPP client over direct TLS
|
|
"xmpps-server": true, // XMPP server-to-server over direct TLS
|
|
"mqtts": true,
|
|
"coaps": true,
|
|
"stuns": true,
|
|
"turns": true,
|
|
}
|
|
|
|
// DiscoverEndpoints is invoked right after Collect. It declares (host, port)
|
|
// pairs worth testing by other checkers — here: TLS endpoints whose SRV
|
|
// service name is a known direct-TLS protocol (see directTLSServices).
|
|
func (p *srvProvider) DiscoverEndpoints(data any) ([]sdk.DiscoveredEndpoint, error) {
|
|
d, ok := data.(*SRVData)
|
|
if !ok {
|
|
return nil, fmt.Errorf("unexpected data type %T", data)
|
|
}
|
|
var out []sdk.DiscoveredEndpoint
|
|
for _, r := range d.Records {
|
|
if r.IsNullTarget || r.Target == "" {
|
|
continue
|
|
}
|
|
if !directTLSServices[r.Service] {
|
|
continue
|
|
}
|
|
out = append(out, sdk.DiscoveredEndpoint{
|
|
Type: "tls",
|
|
Host: r.Target,
|
|
Port: r.Port,
|
|
SNI: r.Target,
|
|
})
|
|
}
|
|
return out, nil
|
|
}
|