2023-08-18 02:43:28 +05:30

---
title: "DNS"
---
## DNS Requests
The DNS protocol can be modelled in nuclei with ease. Fully customizable DNS requests can be sent by nuclei to nameservers, and matching/extracting can be performed on their responses.
DNS requests start with a **dns** block, which marks the start of the requests for the template.
```yaml
# Start the requests for the template right here
dns:
```
### Type
The first thing in the request is the **type**. The request type can be **A**, **NS**, **CNAME**, **SOA**, **PTR**, **MX**, **TXT** or **AAAA**.
```yaml
# type is the type for the dns request
type: A
```
### Name
The next part of the request is the DNS **name** to resolve. Dynamic variables can be placed in the name to modify its value at runtime. Variables start with `{{` and end with `}}` and are case-sensitive.
1. **FQDN** - variable is replaced by the hostname/FQDN of the target on runtime.
An example name value:
```yaml
# Quoted, because an unquoted {{ would be parsed as a YAML flow mapping
name: "{{FQDN}}.com"
# This value will be replaced on execution with the FQDN.
# If the target's FQDN is this.is.an.example then the
# name will get replaced to the following: this.is.an.example.com
```
As of now the tool supports only one name per request.
### Class
Class type can be **INET**, **CSNET**, **CHAOS**, **HESIOD**, **NONE** and **ANY**. Usually it's enough to just leave it as **INET**.
```yaml
# class is the class for the dns request
class: inet
```
### Recursion
Recursion is a boolean value that determines whether the resolver should only return cached results or traverse the whole DNS tree from the root to retrieve fresh results. Generally it's better to leave it as **true**.
```yaml
# Recursion is a boolean determining if the request is recursive
recursion: true
```
### Retries
Retries is the number of times a DNS query is retried, across different resolvers, before giving up. A reasonable value, like **3**, is recommended.
```yaml
# Retries is a number of retries before giving up on dns resolution
retries: 3
```
### Matchers / Extractor Parts
Valid `part` values supported by the **DNS** protocol for matchers / extractors are:
| Value | Description |
|------------------|-----------------------------|
| request | DNS Request |
| rcode | DNS Rcode |
| question | DNS Question Message |
| extra | DNS Message Extra Field |
| answer | DNS Message Answer Field |
| ns | DNS Message Authority Field |
| raw / all / body | Raw DNS Message |
### **Example DNS Template**
The final example template file, which performs an `A` query and checks that both a CNAME and an A record are present in the response, is as follows:
```yaml
id: dummy-cname-a
info:
  name: Dummy A dns request
  author: mzack9999
  severity: none
  description: Checks if CNAME and A record is returned.
dns:
  - name: "{{FQDN}}"
    type: A
    class: inet
    recursion: true
    retries: 3
    matchers:
      - type: word
        words:
          # The response must contain a CNAME record
          - "IN\tCNAME"
          # and also at least 1 A record
          - "IN\tA"
        condition: and
```
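To make the matcher semantics concrete, here is an added illustration (not nuclei's own code) of how the `word` matcher and the `part` values listed above are evaluated. The response parts are a constructed sample in the tab-separated text form that DNS libraries such as miekg/dns print, which is why the template's words embed `\t`.

```python
# Added example, not nuclei's own code: a model of how the example template's
# `type: word` matcher is applied to the text form of a DNS response.

# Constructed sample: answer to an A query for this.is.an.example.com that
# returns a CNAME followed by the A record of the CNAME target. Fields are
# tab-separated, as in dig-style output, so "IN\tCNAME" matches a CNAME RR.
RESPONSE_CNAME_THEN_A = {
    "rcode": "NOERROR",
    "question": ";this.is.an.example.com.\tIN\t A",
    "answer": "this.is.an.example.com.\t300\tIN\tCNAME\tedge.example.net.\n"
              "edge.example.net.\t60\tIN\tA\t192.0.2.10",
    "ns": "",
    "extra": "",
}

# Constructed sample: the same query answered directly with a single A record.
RESPONSE_A_ONLY = dict(
    RESPONSE_CNAME_THEN_A,
    answer="this.is.an.example.com.\t300\tIN\tA\t192.0.2.10",
)


def select_part(response, part):
    """Return the text of one response part; raw/all/body mean the whole message."""
    if part in ("raw", "all", "body"):
        sections = ("rcode", "question", "answer", "ns", "extra")
        return "\n".join(response[s] for s in sections if response[s])
    return response[part]


def word_matcher(response, words, condition="or", part="raw"):
    """Apply a `type: word` matcher: all words must appear for `and`, any for `or`.

    Matching is plain substring search, so "IN\tA" would also be satisfied by
    an AAAA record line ("IN\tAAAA"); pick words with that caveat in mind.
    """
    haystack = select_part(response, part)
    hits = [w in haystack for w in words]
    return all(hits) if condition == "and" else any(hits)


# The matcher from the example template: a CNAME and an A record are both required.
TEMPLATE_MATCHER = {"words": ["IN\tCNAME", "IN\tA"], "condition": "and"}


def run_matchers(response, matchers):
    """Evaluate each matcher and return one bool per matcher, in template order."""
    return [
        word_matcher(response, m["words"], m.get("condition", "or"), m.get("part", "raw"))
        for m in matchers
    ]
```

Running `run_matchers` over the two samples shows the `and` condition rejecting the direct A-only answer that an `or` condition would accept.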
More complete examples are provided [here](/template-example/dns).