god-eye/internal/modules/axfr/axfr.go

// Package axfr attempts DNS zone transfer (AXFR) against the target's
// authoritative name servers. It's the highest-signal free discovery
// technique — when it works, it returns the entire zone at once, exposing
// every record the admin considers internal-only.
//
// Modern DNS infrastructure rejects AXFR by default, but legacy deployments,
// misconfigured secondary servers, and corporate DNS still leak zones
// regularly in bug bounty scope.
package axfr

import (
	"context"
	"strings"
	"time"

	godns "github.com/miekg/dns"

	"god-eye/internal/eventbus"
	"god-eye/internal/module"
	"god-eye/internal/store"
)

const ModuleName = "discovery.axfr"

type axfrModule struct{}

func Register() { module.Register(&axfrModule{}) }

func (*axfrModule) Name() string                   { return ModuleName }
func (*axfrModule) Phase() module.Phase            { return module.PhaseDiscovery }
func (*axfrModule) Consumes() []eventbus.EventType { return nil }
func (*axfrModule) Produces() []eventbus.EventType {
	return []eventbus.EventType{eventbus.EventSubdomainDiscovered}
}
func (*axfrModule) DefaultEnabled() bool { return true }

func (*axfrModule) Run(mctx module.Context) error {
	target := strings.TrimSuffix(mctx.Target, ".")
	if target == "" {
		return nil
	}
	timeout := time.Duration(mctx.Config.Int("timeout", 5)) * time.Second

	nameservers, err := lookupNSServers(target, timeout)
	if err != nil || len(nameservers) == 0 {
		return nil
	}

	seen := make(map[string]struct{})
	for _, ns := range nameservers {
		if mctx.Ctx.Err() != nil {
			return nil
		}
		records := tryAXFR(target, ns, timeout)
		for _, sub := range records {
			sub = strings.ToLower(strings.TrimSuffix(sub, "."))
			if sub == "" || sub == target {
				continue
			}
			if !strings.HasSuffix(sub, "."+target) {
				continue
			}
			if _, dup := seen[sub]; dup {
				continue
			}
			seen[sub] = struct{}{}

			_ = mctx.Store.Upsert(mctx.Ctx, sub, func(h *store.Host) {
				store.AddDiscoveryMethod(h, "axfr:"+ns)
			})
			mctx.Bus.Publish(mctx.Ctx, eventbus.SubdomainDiscovered{
				EventMeta: eventbus.EventMeta{At: time.Now(), Source: ModuleName, Target: sub},
				Subdomain: sub,
				Method:    "axfr:" + ns,
			})
		}
	}
	return nil
}

// lookupNSServers returns the authoritative name servers for domain.
func lookupNSServers(domain string, timeout time.Duration) ([]string, error) {
	client := &godns.Client{Timeout: timeout}
	msg := new(godns.Msg)
	msg.SetQuestion(godns.Fqdn(domain), godns.TypeNS)
	// Ask a widely-available resolver.
	resp, _, err := client.Exchange(msg, "8.8.8.8:53")
	if err != nil {
		return nil, err
	}
	var out []string
	for _, a := range resp.Answer {
		if ns, ok := a.(*godns.NS); ok {
			out = append(out, strings.TrimSuffix(ns.Ns, "."))
		}
	}
	return out, nil
}

// tryAXFR performs an AXFR against nsHost for domain, returning every
// returned name (A, AAAA, CNAME). Returns an empty slice when AXFR is
// refused (the expected outcome on properly-configured DNS).
func tryAXFR(domain, nsHost string, timeout time.Duration) []string {
	tr := &godns.Transfer{DialTimeout: timeout, ReadTimeout: timeout, WriteTimeout: timeout}
	msg := new(godns.Msg)
	msg.SetAxfr(godns.Fqdn(domain))

	ch, err := tr.In(msg, nsHost+":53")
	if err != nil {
		return nil
	}

	var out []string
	for env := range ch {
		if env.Error != nil {
			return out
		}
		for _, rr := range env.RR {
			switch r := rr.(type) {
			case *godns.A:
				out = append(out, r.Hdr.Name)
			case *godns.AAAA:
				out = append(out, r.Hdr.Name)
			case *godns.CNAME:
				out = append(out, r.Hdr.Name)
			case *godns.NS:
				out = append(out, r.Hdr.Name)
			}
		}
	}
	return out
}

var _ = context.Canceled