summaryrefslogtreecommitdiffstats
path: root/scripts/dns-recursion.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/dns-recursion.nse')
-rw-r--r--scripts/dns-recursion.nse58
1 files changed, 58 insertions, 0 deletions
diff --git a/scripts/dns-recursion.nse b/scripts/dns-recursion.nse
new file mode 100644
index 0000000..d1ea1b6
--- /dev/null
+++ b/scripts/dns-recursion.nse
@@ -0,0 +1,58 @@
+local comm = require "comm"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local string = require "string"
+
+description = [[
+Checks if a DNS server allows queries for third-party names. It is
+expected that recursion will be enabled on your own internal
+nameservers.
+]]
+
+---
+-- @usage
+-- nmap -sU -p 53 --script=dns-recursion <target>
+-- @output
+-- PORT STATE SERVICE REASON
+-- 53/udp open domain udp-response
+-- |_dns-recursion: Recursion appears to be enabled
+
+author = "Felix Groebert"
+
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"default", "safe"}
+
+
+portrule = shortport.portnumber(53, "udp")
+
+action = function(host, port)
+
+ -- generate dns query
+ local request = "\xde\xad" -- Transaction-ID 0xdead
+ .. "\x01\x00" -- flags (recursion desired)
+ .. "\x00\x01" -- 1 question
+ .. "\x00\x00" -- 0 answers
+ .. "\x00\x00" -- 0 authority
+ .. "\x00\x00" -- 0 additional
+ .. "\x03www\x09wikipedia\x03org\x00" -- www.wikipedia.org.
+ .. "\x00\x01" -- type A
+ .. "\x00\x01" -- class IN
+
+ local status, result = comm.exchange(host, port, request, {proto="udp"})
+
+ if not status then
+ return
+ end
+
+ nmap.set_port_state(host, port, "open")
+
+ -- parse response for dns flags
+ if (string.byte(result,3) & 0x80) == 0x80
+ and (string.byte(result,4) & 0x85) == 0x80
+ then
+ return "Recursion appears to be enabled"
+ end
+
+ return
+end