
"No CNAME record found for:" warning is misleading? #9

Open
cherdt opened this issue Oct 8, 2024 · 10 comments
Comments

@cherdt

cherdt commented Oct 8, 2024

When running subsnipe I get a number of warnings like the following:

WARN[0105] No CNAME record found for: subdomain.example.com.

However, there is a CNAME record for that subdomain, e.g.:

subdomain.example.com.              3600    IN      CNAME   subdomain-ha.example.com.

I haven't dug into the logic, but I assume the message indicates that the CNAME record is part of the same domain, and therefore presumably not vulnerable. I just thought it an unusual warning for a case where a CNAME record exists.

@dub-flow
Owner

Hey @cherdt, thanks for reporting this! Do you have a concrete example where SubSnipe says that no CNAME exists but one actually does exist? That feels very odd to me.

@cherdt
Author

cherdt commented Oct 15, 2024

I think I'm seeing the issue: the CNAME record exists but points to an FQDN that does not exist. This result makes sense, but I was misinterpreting the results/the message was not necessarily what I was expecting.

Here's a concrete example:

##################################
#                                #
#           SubSnipe             #
#                                #
#       By dub-flow with ❤️       #
#                                #
##################################

Current version: 0.2.1

INFO[0000] Output will be written to: output.md
INFO[0000] RUNNING_ENVIRONMENT is not set, thus we assume the tool is run directly via 'go run .'
INFO[0000] Fingerprints are already up to date
INFO[0000] Checking subdomains for:
INFO[0000] Number of subdomains to check: 2
INFO[0000] Querying CNAME records for subdomains...
WARN[0000] No CNAME record found for:
WARN[0000] No CNAME record found for: subsnipe.osric.org.
INFO[0000] Results have been written to output.md

dig shows a CNAME exists:


; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> subsnipe.osric.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65518
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;subsnipe.osric.org.            IN      A

;; ANSWER SECTION:
subsnipe.osric.org.     284     IN      CNAME   subsnipe.osric.org.cloudflare.com.

;; AUTHORITY SECTION:
cloudflare.com.         284     IN      SOA     ns3.cloudflare.com. dns.cloudflare.com. 2354474710 10000 2400 604800 300

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Oct 15 16:20:07 CDT 2024
;; MSG SIZE  rcvd: 138

but the CNAME value does not exist:


; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> subsnipe.osric.org.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23505
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;subsnipe.osric.org.cloudflare.com. IN  A

;; AUTHORITY SECTION:
cloudflare.com.         102     IN      SOA     ns3.cloudflare.com. dns.cloudflare.com. 2354474710 10000 2400 604800 300

;; Query time: 9 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Oct 15 16:23:09 CDT 2024
;; MSG SIZE  rcvd: 106

@dub-flow
Owner

Thanks for providing the extra information! I have some other things in the backlog but I will check it out when I have a moment and come back to you.

@dub-flow
Owner

Uhm I just ran a quick test and it finds the CNAME on my machine 🤔

image

@cherdt
Author

cherdt commented Oct 21, 2024

I just pulled the latest updates, I'm still getting different results:

$ go run . -s osorg
##################################
#                                #
#           SubSnipe             #
#                                #
#       By dub-flow with ❤️       #
#                                #
##################################

Current version: 0.3.0

INFO[0000] Output will be written to: output.md
INFO[0000] RUNNING_ENVIRONMENT is not set, thus we assume the tool is run directly via 'go run .'
INFO[0000] Fingerprints are already up to date
INFO[0000] Checking subdomains for:
INFO[0000] Number of subdomains to check: 2
INFO[0000] Querying CNAME records for subdomains...
INFO[0000] No CNAME record found for:
INFO[0000] No CNAME record found for: subsnipe.osric.org
INFO[0000] Results have been written to output.md

It's also interesting to me that it indicates there are 2 subdomains to check. There is only one subdomain in the input file:

subsnipe.osric.org.

(I've tried both with and without the terminal dot.)

I'm running the test on an Ubuntu VM:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.5 LTS
Release:        22.04
Codename:       jammy

Go version is 1.18.1:

$ go version
go version go1.18.1 linux/amd64

@dub-flow
Owner

dub-flow commented Oct 23, 2024

Hi @cherdt, I spent some time investigating:

So the bug with the "2 subdomains" was that I didn't handle new lines in the subdomains file properly in some cases. This is fixed now.

For the "CNAME not found" issue: The tool works properly for 'subsnipe.osric.org' when running it inside an Ubuntu VM for me. It also works within an Ubuntu Docker container. However, I was able to replicate the behavior you are experiencing from within the Ubuntu subsystem in Windows.

Is that how you run the tool?

@cherdt
Author

cherdt commented Oct 23, 2024 via email

@dub-flow
Owner

I think I figured out the reason for the problem, and it's this: https://stackoverflow.com/questions/56856075/how-can-i-get-the-cname-of-a-host-for-which-dns-resolution-fails-nxdomain-in-g

It looks like the standard Go DNS library (which I'm using) returns an error if no A record exists, and then doesn't resolve the CNAME. And as we can see with dig, there is no A record here:

image

Now the weird part is: Why does it work on Mac, Linux, etc., but only not on Ubuntu on Windows? It also works on Kali on Windows, and Mint on Windows... but not Ubuntu 😄
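An added example, not SubSnipe's code and not taken from the linked answer: a dependency-free parser for the answer section of a raw DNS reply that pulls out the CNAME target whether or not an A record for the target exists, which is what a direct QTYPE=CNAME query returns and what net.LookupCNAME does not surface when the target has no address. It assumes the reply bytes have already been read from a resolver socket and uses only the standard library; the names in it are mine, not the project's.

```go
package main

import "encoding/binary"
import "errors"

// readName decodes a DNS name at off, following RFC 1035 compression pointers; next is the offset just past the name's first occurrence.
func readName(msg []byte, off int) (name string, next int, err error) {
	for hops := 0; off < len(msg); {
		l := int(msg[off])
		if next == 0 && (l == 0 || l >= 0xC0) { // root label is 1 byte, pointer is 2
			next = off + 1 + l>>7
		}
		switch {
		case l == 0: // root label terminates the name
			return name, next, nil
		case l >= 0xC0 && off+1 < len(msg) && hops < 16: // compression pointer
			off, hops = int(binary.BigEndian.Uint16(msg[off:])&0x3FFF), hops+1
		case l < 0x40 && off+1+l < len(msg): // ordinary label
			name += string(msg[off+1:off+1+l]) + "."
			off += 1 + l
		default:
			return "", 0, errors.New("malformed label or pointer loop")
		}
	}
	return "", 0, errors.New("truncated name")
}

// parseCNAMEAnswer returns the first CNAME target in the answer section of a raw reply, with or without an A record present.
func parseCNAMEAnswer(msg []byte) (string, error) {
	if len(msg) < 12 || msg[3]&0x0F != 0 {
		return "", errors.New("short message or non-zero RCODE")
	}
	qd, an := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:]))
	for i, off := 0, 12; i < qd+an; i++ {
		_, next, err := readName(msg, off)
		if err != nil || (i >= qd && next+10 > len(msg)) {
			return "", errors.New("malformed or truncated record")
		}
		if i < qd { // question entry: name, QTYPE, QCLASS
			off = next + 4
			continue
		}
		if binary.BigEndian.Uint16(msg[next:]) == 5 { // TYPE 5 = CNAME
			target, _, err := readName(msg, next+10)
			return target, err
		}
		off = next + 10 + int(binary.BigEndian.Uint16(msg[next+8:])) // skip RDATA
	}
	return "", errors.New("no CNAME in answer section")
}
```

Feeding it the reply to a QTYPE=CNAME query for subsnipe.osric.org yields the cloudflare.com target even though that target has no A record, so the tool can report the dangling CNAME instead of "No CNAME record found".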

@dub-flow
Owner

Will probably check out other DNS libraries and see if that works better.

@dub-flow
Owner

@cherdt could you please check out this pull request (#10) and see if it resolves the issue?

To do this, navigate into the folder of the git repo and run:

  1. git remote add upstream https://github.com/dub-flow/subsnipe.git
  2. git fetch upstream pull/10/head:pr-10
  3. git checkout pr-10
  4. go get github.com/miekg/dns - This is necessary because the go.mod hasn't been updated in the PR yet
