import dns.exception
import dns.resolver
import yaml
# Nameservers a checked zone is allowed to be delegated to. Entries are
# fully qualified (trailing dot) and lower case, which is the form
# ``rdata.to_text()`` produces for an NS record.
VALID_NS = (
    'ns0.wikimedia.org.',
    'ns1.wikimedia.org.',
    'ns2.wikimedia.org.',
)

# CAA records a checked zone is allowed to publish. ``to_text()`` renders a
# record as ``0 issue "digicert.com"`` and the checker applies
# ``str.strip('"')`` to it; the first character is the flag digit, so only
# the trailing quote is removed -- which is why these entries deliberately
# have an opening quote but no closing one.
VALID_CAA_RECORDS = (
    '0 issue "globalsign.com',
    '0 issue "digicert.com',
    '0 issue "letsencrypt.org',
    '0 iodef "mailto:dns-admin@wikimedia.org',
)
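def _load_snis(path):
    """Return the list of SNI names parsed from the YAML file at *path*.

    ``yaml.safe_load`` is used deliberately so the input file cannot
    instantiate arbitrary Python objects. An empty document parses to
    ``None``; it is normalised to ``[]`` so the caller can call ``len()``.
    """
    with open(path) as f:
        snis = yaml.safe_load(f)
    return snis or []


def _normalise_snis(snis):
    """Collapse the SNI list into the set of unique base names to query.

    ``str.strip('*.')`` removes any leading or trailing ``*`` and ``.``
    characters, so ``*.example.org`` and ``example.org.`` both become
    ``example.org``.
    """
    return {sni.strip('*.') for sni in snis}


def _check_ns(sni):
    """Report NS records of *sni* that are not in ``VALID_NS``.

    Returns:
        False when at least one unexpected nameserver was seen, True
        otherwise. A failed lookup is reported and also returns True, so
        the CAA check still runs for that name (same flow as before).
    """
    try:
        answers = dns.resolver.query(sni, 'NS')
    except dns.exception.DNSException as exc:
        # NXDOMAIN, NoAnswer, NoNameservers and timeouts all derive from
        # DNSException; a bare ``except:`` would also swallow
        # KeyboardInterrupt/SystemExit and hide the reason for the failure.
        print('[!] unable to fetch NS servers for {}: {}'.format(sni, exc))
        return True
    delegated_correctly = True
    for rdata in answers.rrset:
        # DNS names are case-insensitive; compare in lower case so a
        # correctly delegated zone answered in mixed case is not flagged.
        ns_server = rdata.to_text().strip('"').lower()
        if ns_server not in VALID_NS:
            delegated_correctly = False
            print('[!] unexpected ns server {} found in {}'.format(ns_server, sni))
    return delegated_correctly


def _check_caa(sni):
    """Report CAA records of *sni* that are not in ``VALID_CAA_RECORDS``.

    The comparison is exact: ``to_text()`` yields e.g.
    ``0 issue "digicert.com"`` and ``strip('"')`` removes only the trailing
    quote, which is why the allowlist entries carry no closing quote.

    A ``NoAnswer`` here means the name publishes no CAA records at all, i.e.
    no CA is restricted from issuing for it; it is reported as a fetch
    failure so it still shows up in the output.
    """
    try:
        answers = dns.resolver.query(sni, 'CAA')
    except dns.exception.DNSException as exc:
        print('[!] unable to fetch CAA records for {}: {}'.format(sni, exc))
        return
    for rdata in answers.rrset:
        caa_record = rdata.to_text().strip('"')
        if caa_record not in VALID_CAA_RECORDS:
            print('[!] invalid CAA record {} found in {}'.format(caa_record, sni))


def main(path='/tmp/snis.yaml'):
    """Check NS delegation and CAA records for every SNI listed in a YAML file.

    Args:
        path: YAML file containing a list of SNI names. Defaults to
            ``/tmp/snis.yaml`` for backward compatibility. Note that ``/tmp``
            is world-writable, so any local user could supply or replace the
            list; point this at a path the operator controls when possible.

    Findings are printed to stdout. Nothing is returned; lookup failures are
    reported per name and never abort the run.
    """
    snis = _load_snis(path)
    print('[*] checking {} SNIs'.format(len(snis)))
    unique_snis = _normalise_snis(snis)
    print('[*] checking {} unique SNIs'.format(len(unique_snis)))
    # Sorted for deterministic, diff-friendly output across runs.
    for sni in sorted(unique_snis):
        print('[*] checking {}'.format(sni))
        if not _check_ns(sni):
            # The zone is delegated elsewhere: its CAA records are not ours
            # to judge, so skip them (the bad delegation is already reported).
            continue
        _check_caa(sni)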
if __name__ == '__main__':
    # Script entry point; importing the module performs no DNS lookups.
    # main() returns None, so SystemExit(None) exits with status 0.
    raise SystemExit(main())