rbsec/dnscan

Improved wildcard functionality

jamesbercegay opened this issue · 1 comment

I have noticed that when using dnscan with a DNS provider that redirects bad requests to a search page, the current approach doesn't always work to detect wildcards. For example, my ISP (CableOne) will fail and not redirect for a domain like 12345.twitter.com. But if I add an 'a' to the beginning (a12345.twitter.com) it works as expected and redirects, thus detecting the wildcard behavior. Otherwise, all non-existent domains are redirected to the "failed DNS query search page", thus giving a ton of false positives.

import time

# Use current unix time as a test subdomain, prefixed with an alpha
# character so resolvers that only hijack alphabetic labels still trigger
epochtime = 'a' + str(int(time.time()))

Changing the above code in the get_wildcard() method to include a prefixed alpha character worked for me.

rbsec commented

That is extremely broken behaviour - I would recommend calling them out about why they're doing that. Or just using better DNS servers, given someone doing a hijack that incompetent is unlikely to listen to reason.

Either way, I've added an "a" prefix to the wildcard test domain, so that should work around this kind of behaviour.

~rbsec
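The following is an added, self-contained illustration of the failure mode discussed in this thread; it is not dnscan's own code. It models the wildcard check as "resolve a label that cannot exist and see whether you get an answer", then runs it against a simulated resolver that behaves the way the issue describes the ISP: it hands back a fixed "search page" address for non-existent names whose leftmost label starts with a letter, but returns NXDOMAIN for labels that start with a digit. The hostnames, addresses and the hijacking rule are all constructed for the example; the point is that a purely numeric test label reports "no wildcard", so every brute-forced subdomain then looks real, while an alpha-prefixed label catches the hijack and lets the scan filter it out.

```python
import time
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed data: one genuine host, plus the address the simulated ISP
# resolver returns for names it hijacks (documentation-range IPs).
KNOWN_HOSTS: Dict[str, str] = {"www.example.com": "192.0.2.10"}
HIJACK_IP = "198.51.100.1"


def hijacking_resolver(name: str) -> Optional[str]:
    """Simulated ISP resolver (assumption, modelled on the issue report):
    returns the real record if one exists, the search-page address when the
    leftmost label starts with a letter, and NXDOMAIN (None) otherwise."""
    if name in KNOWN_HOSTS:
        return KNOWN_HOSTS[name]
    first_label = name.split(".", 1)[0]
    if first_label[:1].isalpha():
        return HIJACK_IP
    return None


def honest_resolver(name: str) -> Optional[str]:
    """A resolver that answers NXDOMAIN for anything it does not know."""
    return KNOWN_HOSTS.get(name)


def make_test_label(prefix: str = "a", now: Optional[float] = None) -> str:
    """Build a label that should never exist: current unix time, with an
    optional alpha prefix. `now` is injectable so the result is testable."""
    stamp = int(time.time()) if now is None else int(now)
    return prefix + str(stamp)


def get_wildcard(domain: str, resolve: Resolver,
                 prefix: str = "a", now: Optional[float] = None) -> Optional[str]:
    """Return the address a non-existent label resolves to, or None.

    A non-None result means the zone (or the resolver in front of it)
    answers for anything, and scan results must be filtered against it."""
    return resolve(f"{make_test_label(prefix, now)}.{domain}")


def scan(domain: str, candidates: List[str], resolve: Resolver,
         wildcard_ip: Optional[str]) -> Dict[str, str]:
    """Brute-force candidate subdomains, dropping answers that merely match
    the wildcard/hijack address detected beforehand."""
    hits: Dict[str, str] = {}
    for sub in candidates:
        ip = resolve(f"{sub}.{domain}")
        if ip is None or ip == wildcard_ip:
            continue
        hits[sub] = ip
    return hits


if __name__ == "__main__":
    words = ["www", "mail", "dev"]
    for prefix in ("", "a"):
        wc = get_wildcard("example.com", hijacking_resolver, prefix=prefix)
        found = scan("example.com", words, hijacking_resolver, wc)
        print(f"prefix={prefix!r:4} wildcard={wc} hits={sorted(found)}")
```

Running the block prints two lines: with an empty prefix the wildcard probe returns nothing and all three candidates come back as hits, two of them pointing at the search-page address; with the "a" prefix the probe returns that address and only `www` survives. The filter shown here compares a single address, which is enough for the behaviour in this thread; a resolver that rotates between several sink addresses would need the probe repeated a few times and every returned address recorded.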