DNSanity

Quickly validate DNS servers at scale


Created by nil0x42 and contributors


Overview

DNSanity is a fast DNS resolver validator, offering deep customization and reliable concurrency.

  • Blazing-Fast: Test thousands of servers in parallel with global & per-server rate-limiting.
  • Flexible: Easily write your own template for custom validation.
  • Reliable: Automatic template re-validation before every usage.


Workflow

1 - Template Validation
Run each template query against trusted DNS servers and ensure every answer matches the expected result.

2 - Server Validation
Run the same queries on every candidate server.
Reject any server that fails more checks than the allowed limit.


Quick start

go install github.com/nil0x42/dnsanity@latest # go 1.21+ needed
dnsanity --help # show help
dnsanity -list "untrustedDNS.txt" -o "out.txt" # basic usage

Custom template

#
cr.yp.to A=131.193.32.108 A=131.193.32.109 # two specific A records
wiki.debian.org A=* CNAME=wilder.debian.org. # specific CNAME with any A record
dn05jq2u.fr NXDOMAIN # invalid TLD: NXDOMAIN
invalid.com SERVFAIL||NOERROR||TIMEOUT||FORMERR # allow any of these answers
lists.isc.org A=149.20.* # A record matching pattern
app-c0a801fb.nip.io A=192.168.1.251 # specific single A record
retro.localtest.me A=127.0.0.1 # specific single A record

DNSanity ships with a default template -- each line states the expected DNS response for a domain.
Need different rules? Supply your own file with the -template option.
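The template grammar above and the reject-on-mismatch workflow, as an added Go example (not dnsanity's own code): it parses lines in the README's format and checks a simplified observed answer against them. The Expectation type, the glob matching through path.Match, and the rule that every expected pattern must be matched by at least one returned record of its type are assumptions made for this example.

```go
package main

import (
	"path"
	"slices"
	"strings"
)

// Expectation is one parsed template line (a shape assumed for this example, not dnsanity's own type).
type Expectation struct {
	Domain  string
	Codes   []string            // accepted rcodes: e.g. NXDOMAIN, or the SERVFAIL||NOERROR||... alternatives
	Records map[string][]string // e.g. "A" -> ["131.193.32.108", "131.193.32.109"] or ["149.20.*"]
}

// ParseLine parses "<domain> [TYPE=pattern ...] [RCODE[||RCODE...]] [# comment]" as in the
// README template; ok is false for blank or comment-only lines.
func ParseLine(line string) (e Expectation, ok bool) {
	if i := strings.IndexByte(line, '#'); i >= 0 {
		line = line[:i]
	}
	f := strings.Fields(line)
	if len(f) < 2 {
		return e, false
	}
	e = Expectation{Domain: f[0], Records: map[string][]string{}}
	for _, tok := range f[1:] {
		if typ, pat, isRecord := strings.Cut(tok, "="); isRecord {
			e.Records[typ] = append(e.Records[typ], pat)
		} else {
			e.Codes = append(e.Codes, strings.Split(tok, "||")...)
		}
	}
	if len(e.Codes) == 0 {
		e.Codes = []string{"NOERROR"} // record patterns imply a NOERROR answer
	}
	return e, true
}

// Matches checks an observed answer (rcode plus record type -> returned values) against e: the rcode
// must be accepted and every pattern must glob-match at least one returned record of its type (assumed semantics).
func Matches(e Expectation, code string, records map[string][]string) bool {
	ok := slices.Contains(e.Codes, code)
	for typ, pats := range e.Records {
		for _, p := range pats {
			ok = ok && slices.ContainsFunc(records[typ], func(v string) bool { m, _ := path.Match(p, v); return m })
		}
	}
	return ok
}
```

A resolver that answers an A record for a domain expected to be NXDOMAIN, or a CNAME other than the expected one, fails the corresponding check and counts toward -max-mismatches.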


Options

Under the Hood

DNSanity aims for maximum speed without sacrificing reliability or risking blacklisting. Here's the core approach:

  • Trusted Validation
    Before checking your untrusted servers, DNSanity verifies the template itself against trusted resolvers (e.g., 8.8.8.8, 1.1.1.1). This ensures your template is valid and consistent.
  • Test-by-Test Concurrency
    For each untrusted server, DNSanity runs tests sequentially in an efficient pipeline. Once a server accumulates more mismatches than -max-mismatches (default 0), it's dropped immediately, saving time & bandwidth.
  • Per-Server Rate Limit
    Use -ratelimit so you don't overload any single DNS server. This is especially helpful for fragile networks or for preventing blacklisting on public resolvers.
  • Timeout & Retries
    If a query doesn't reply within -timeout seconds, it fails. If -max-attempts is greater than 1, DNSanity can retry, up to the specified limit.

Additional Tips

  • Craft a Thorough Template
    A varied template (involving A, CNAME, NXDOMAIN, and wildcard matches) quickly exposes shady or broken resolvers.
  • Geo-Located Domains
    Beware that some domains (e.g., google.com) may return different IP addresses based on location. This might cause expected results to mismatch.
  • Fine-Tune the Template Validation Step
    The -trusted-* flags allow fine-tuning specific limits for this step, which uses the trusted server list (use --help for details).

Acknowledgments

  • dnsvalidator - for the original concept of verifying DNS resolvers.
  • dnsx - inspiration for a fast, multi-purpose DNS toolkit.
  • miekg/dns v2 - the Go library powering DNSanity queries under the hood.

Happy Recon & Hacking!

About

High-performance DNS validator using template-based verification

License

MIT license