Documentation
¶
Overview ¶
Package dnsaudit performs DNS-level security audit: SPF, DMARC, DKIM, DNSSEC, zone transfer, wildcard DNS, dangling NS records, and email security posture.
Reference implementations studied (algorithm only, no code copied):
- orbit-core internal/modules/dig.go (proprietary)
- dnstwist (Apache-2.0): https://github.com/elceef/dnstwist
- mailsec-check (MIT): https://github.com/bramstroker/homeassistant-powercalc
What is implemented:
- A, AAAA, CNAME, MX, NS, TXT, SOA record resolution (stdlib net.Resolver)
- SPF analysis: missing, permissive (+all), too many lookups (> 10)
- DMARC analysis: missing, p=none (no enforcement), missing rua/ruf
- DKIM discovery: queries common selectors (google, selector1, default, k1, etc.)
- DNSSEC: checks for DS/DNSKEY presence
- Zone transfer attempt (AXFR): detects misconfigured authoritative servers
- Wildcard DNS detection: queries random labels
- Dangling NS: NS records that don't resolve
- All checks via stdlib net.Resolver — zero binary dependency
- io.LimitReader on every body read (dicas.md §5)
- log/slog structured observability (dicas.md §16)
- errgroup.SetLimit bounded fan-out (guia-go §9)
- context propagation and cancellation (guia-go §9)
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Module ¶
type Module struct {
// contains filtered or unexported fields
}
Module performs DNS security audit on a domain.
func NewWithResolver ¶
NewWithResolver creates a Module with a custom DNS resolver (useful for tests).
Click to show internal directories.
Click to hide internal directories.