|
| 1 | +# CLAUDE.md |
| 2 | + |
| 3 | +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. |
| 4 | + |
| 5 | +## Project Overview |
| 6 | + |
| 7 | +BadDNS is a Python tool for detecting subdomain takeovers and DNS issues (dangling CNAME/NS/MX records, NSEC walks, zone transfers, HTML reference hijacking, DMARC misconfigurations, MTA-STS issues, wildcard DNS takeovers). It's also used as a BBOT module. |
| 8 | + |
| 9 | +## Common Commands |
| 10 | + |
| 11 | +### Install dependencies |
| 12 | +```bash |
| 13 | +pip install poetry |
| 14 | +poetry install |
| 15 | +``` |
| 16 | + |
| 17 | +### Run all tests |
| 18 | +```bash |
| 19 | +poetry run pytest --exitfirst --disable-warnings --log-cli-level=DEBUG |
| 20 | +``` |
| 21 | + |
| 22 | +### Run a single test file |
| 23 | +```bash |
| 24 | +poetry run pytest tests/cname_test.py -v |
| 25 | +``` |
| 26 | + |
| 27 | +### Run a single test |
| 28 | +```bash |
| 29 | +poetry run pytest tests/cname_test.py::test_cname_function_name -v |
| 30 | +``` |
| 31 | + |
| 32 | +### Lint |
| 33 | +```bash |
| 34 | +ruff format --check . |
| 35 | +ruff check . |
| 36 | +``` |
| 37 | + |
| 38 | +### Format code |
| 39 | +```bash |
| 40 | +ruff format . |
| 41 | +``` |
| 42 | + |
| 43 | +### Run the CLI |
| 44 | +```bash |
| 45 | +poetry run baddns example.com |
| 46 | +poetry run baddns -m CNAME,NS example.com # specific modules |
| 47 | +poetry run baddns -d example.com # debug mode |
| 48 | +poetry run baddns --direct example.com # direct mode (CNAME only) |
| 49 | +``` |
| 50 | + |
| 51 | +## Architecture |
| 52 | + |
| 53 | +### Module System |
| 54 | + |
| 55 | +All detection logic lives in `baddns/modules/`. Each module is a class inheriting from `BadDNS_base` (defined in `baddns/base.py`). Modules are auto-discovered and dynamically imported by `baddns/__init__.py` — just drop a new `.py` file in `modules/` and it's available. |
| 56 | + |
| 57 | +The 10 modules: **CNAME** (dangling CNAMEs), **NS** (dangling nameservers), **MX** (dangling mail exchangers), **NSEC** (NSEC walking for subdomain enumeration), **TXT** (hijackable domains in TXT records), **references** (hijackable domains in HTML/headers), **zonetransfer** (AXFR vulnerability), **DMARC** (missing/misconfigured DMARC records), **MTA-STS** (MTA-STS misconfigurations and dangling mta-sts subdomains), **WILDCARD** (wildcard DNS records enabling domain-wide takeover). |
| 58 | + |
| 59 | +### Signature-Driven Detection |
| 60 | + |
| 61 | +Signatures are YAML files in `baddns/signatures/` (~100 files). Each signature defines a service name, detection mode (`http`, `dns_nxdomain`, `dns_nosoa`), identifier patterns (cnames, IPs, nameservers), and HTTP matcher rules. The `Signature` class (`baddns/lib/signature.py`) loads them, and `Matcher` (`baddns/lib/matcher.py`) evaluates HTTP responses against matcher rules. |
| 62 | + |
| 63 | +### Core Libraries (`baddns/lib/`) |
| 64 | + |
| 65 | +- **DNSManager** (`dnsmanager.py`) — async DNS resolution with retry, CNAME chain following, multi-record-type dispatch |
| 66 | +- **HttpManager** (`httpmanager.py`) — fires 4 async HTTP requests per target (http/https × follow/deny redirects) |
| 67 | +- **WhoisManager** (`whoismanager.py`) — async WHOIS lookups, checks domain registration/expiration |
| 68 | +- **DnsWalk** (`dnswalk.py`) — recursive nameserver tracing from root servers, used by NS module |
| 69 | +- **Finding** (`findings.py`) — structured output with confidence levels (CONFIRMED/PROBABLE/POSSIBLE/UNLIKELY) |
| 70 | + |
| 71 | +### Execution Flow |
| 72 | + |
| 73 | +CLI (`baddns/cli.py`) → validates args → loads signatures → instantiates selected modules → calls each module's async `dispatch()` → collects `Finding` objects → outputs JSON. |
| 74 | + |
| 75 | +## Testing |
| 76 | + |
| 77 | +Tests are in `tests/` and heavily mock DNS/HTTP/WHOIS. Key test infrastructure: |
| 78 | + |
| 79 | +- `tests/conftest.py` — shared fixtures (`mock_dispatch_whois`, `cached_suffix_list`, `configure_mock_resolver`) |
| 80 | +- `tests/helpers.py` — `MockResolver`, `MockDNSWalk`, `DnsWalkHarness` for DNS mocking |
| 81 | +- Tests use `pytest-asyncio` for async, `pytest-httpx` for HTTP mocking, `pyfakefs` for filesystem mocking |
| 82 | + |
| 83 | +## Versioning |
| 84 | + |
| 85 | +Version is tracked in **two places** in `pyproject.toml`: |
| 86 | +- `tool.poetry.version` (e.g., `"2.0.0"`) |
| 87 | +- `tool.poetry-dynamic-versioning.format` (e.g., `'2.0.{distance}'`) |
| 88 | + |
| 89 | +Both must be updated together for releases. Publishing to PyPI happens automatically on push to `main` when the major.minor version changes. |
| 90 | + |
| 91 | +## Git Workflow |
| 92 | + |
| 93 | +- `main` branch — stable releases, auto-publishes to PyPI |
| 94 | +- `dev` branch — active development, PRs target here |
| 95 | +- Do not add "Co-Authored-By" lines to commit messages |
0 commit comments