nil0x42/dnsanity

High-performance DNS validator using template-based verification
DNSanity 🎯

Quickly validate DNS servers at scale

Created by nil0x42 and contributors


📖 Overview

DNSanity is a fast DNS resolvers validator, offering deep customization and reliable concurrency.

  • Blazing-Fast: Test thousands of servers in parallel with global and per-server rate-limiting.
  • Flexible: Easily write your own template for custom validation.
  • Reliable: Automatic template re-validation before every usage.


🔃 Workflow

1 – Template Validation
Run each template query against trusted DNS servers and ensure every answer matches the expected result.

2 – Server Validation
Run the same queries on every candidate server.
Reject any server that fails more checks than the allowed limit.


💡 Quick start

go install github.com/nil0x42/dnsanity@latest   # go 1.21+ needed
dnsanity --help                                 # show help
dnsanity -list "untrustedDNS.txt" -o "out.txt"  # basic usage

📇 Custom template

# <FQDN>             <EXPECTED-RESULT>                    <COMMENT>
cr.yp.to             A=131.193.32.108 A=131.193.32.109    # two specific A records
wiki.debian.org      A=* CNAME=wilder.debian.org.         # specific CNAME with any A record
dn05jq2u.fr          NXDOMAIN                             # invalid TLD: NXDOMAIN
invalid.com          SERVFAIL||NOERROR||TIMEOUT||FORMERR  # allow any of these answers
lists.isc.org        A=149.20.*                           # A record matching pattern
app-c0a801fb.nip.io  A=192.168.1.251                      # specific single A record
retro.localtest.me   A=127.0.0.1                          # specific single A record

DNSanity ships with a default template — each line states the expected DNS response for a domain.
Need different rules? Supply your own file with the -template option.


🔍 Options

🏭 Under the Hood

DNSanity aims for maximum speed without sacrificing reliability or risking blacklisting. Here’s the core approach:

  • Trusted Validation
    Before checking your untrusted servers, DNSanity verifies the template itself against trusted resolvers (e.g., 8.8.8.8, 1.1.1.1). This ensures your template is valid and consistent.
  • Test-by-Test Concurrency
    For each untrusted server, DNSanity runs tests sequentially in an efficient pipeline. Once a server accumulates more mismatches than -max-mismatches (default 0), it’s dropped immediately, saving time & bandwidth.
  • Per-Server Rate Limit
    Use -ratelimit so you don’t overload any single DNS server. This is especially helpful for fragile networks or for preventing blacklisting on public resolvers.
  • Timeout & Retries
    If a query doesn’t reply within -timeout seconds, it fails. If -max-attempts is greater than 1, DNSanity can retry, up to the specified limit.
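The template format shown above and the drop-on-mismatch pipeline described here can be illustrated with a small self-contained Go program. This is an added example, not code from the DNSanity project: the token grammar (`TYPE=pattern`, status names, `||` between alternative statuses), the shell-style wildcard matching via `path.Match`, and the rule that a template line constrains only the record types it names are assumptions made for this example, and the resolver replies are constructed in memory (no network, no miekg/dns) so that the matching logic can be run and checked offline.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// Answer is a constructed, in-memory stand-in for one resolver reply.
// DNSanity itself queries servers with miekg/dns; nothing here touches the network.
type Answer struct {
	Status string   // rcode or pseudo-status: NOERROR, NXDOMAIN, SERVFAIL, TIMEOUT, FORMERR
	A      []string // A record values in the answer section
	CNAME  []string // CNAME targets in the answer section
}

// Check is one parsed template line.
type Check struct {
	FQDN     string
	Statuses []string            // allowed statuses; a line with no status token means NOERROR
	Records  map[string][]string // record type -> expected value patterns, e.g. "A" -> ["149.20.*"]
}

var knownStatuses = map[string]bool{"NOERROR": true, "NXDOMAIN": true, "SERVFAIL": true,
	"TIMEOUT": true, "FORMERR": true, "REFUSED": true}

// ParseTemplate reads lines of the form "<FQDN> <EXPECTED-RESULT...> # comment".
// The token grammar is an assumption for this example, not DNSanity's own parser.
func ParseTemplate(text string) ([]Check, error) {
	var checks []Check
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 { // strip trailing comment
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if len(fields) < 2 {
			return nil, fmt.Errorf("line %d: missing expected result for %q", lineNo, fields[0])
		}
		c := Check{FQDN: strings.ToLower(fields[0]), Records: map[string][]string{}}
		for _, tok := range fields[1:] {
			if typ, pat, ok := strings.Cut(tok, "="); ok { // record expectation: TYPE=pattern
				typ = strings.ToUpper(typ)
				c.Records[typ] = append(c.Records[typ], pat)
				continue
			}
			for _, st := range strings.Split(tok, "||") { // status alternatives
				st = strings.ToUpper(st)
				if !knownStatuses[st] {
					return nil, fmt.Errorf("line %d: unknown token %q", lineNo, tok)
				}
				c.Statuses = append(c.Statuses, st)
			}
		}
		if len(c.Statuses) == 0 {
			c.Statuses = []string{"NOERROR"}
		}
		checks = append(checks, c)
	}
	return checks, sc.Err()
}

// matchSet is true when every pattern is matched by some value AND every value by some
// pattern, so "A=x A=y" means exactly those two records while "A=*" means "at least one A".
// path.Match gives shell-style "*" matching; '/' never appears in DNS data, so it is safe here.
func matchSet(patterns, values []string) bool {
	matches := func(p, v string) bool {
		ok, err := path.Match(strings.ToLower(p), strings.ToLower(v))
		return err == nil && ok
	}
	covered := func(needles, haystack []string, pat bool) bool {
		for _, n := range needles {
			hit := false
			for _, h := range haystack {
				if (pat && matches(n, h)) || (!pat && matches(h, n)) {
					hit = true
					break
				}
			}
			if !hit {
				return false
			}
		}
		return true
	}
	return covered(patterns, values, true) && covered(values, patterns, false)
}

// Matches compares one reply against the template line. Only record types the line
// names are compared (assumption), so "NXDOMAIN" alone constrains just the status.
func (c Check) Matches(a Answer) bool {
	allowed := false
	for _, s := range c.Statuses {
		if s == strings.ToUpper(a.Status) {
			allowed = true
		}
	}
	if !allowed {
		return false
	}
	for typ, pats := range c.Records {
		var got []string
		switch typ {
		case "A":
			got = a.A
		case "CNAME":
			got = a.CNAME
		}
		if !matchSet(pats, got) {
			return false
		}
	}
	return true
}

// ValidateServer runs the checks in order against one server's replies and stops as soon as
// the mismatch count exceeds maxMismatches, mirroring the early drop of -max-mismatches.
// A missing reply is treated as TIMEOUT. Returns (accepted, mismatches seen).
func ValidateServer(checks []Check, replies map[string]Answer, maxMismatches int) (bool, int) {
	mismatches := 0
	for _, c := range checks {
		a, ok := replies[c.FQDN]
		if !ok {
			a = Answer{Status: "TIMEOUT"}
		}
		if !c.Matches(a) {
			mismatches++
			if mismatches > maxMismatches {
				return false, mismatches
			}
		}
	}
	return true, mismatches
}

// sampleTemplate copies five lines of the README's template (constructed input for this example).
const sampleTemplate = `
# <FQDN>             <EXPECTED-RESULT>                    <COMMENT>
cr.yp.to             A=131.193.32.108 A=131.193.32.109    # two specific A records
wiki.debian.org      A=* CNAME=wilder.debian.org.         # specific CNAME with any A record
dn05jq2u.fr          NXDOMAIN                             # invalid TLD: NXDOMAIN
invalid.com          SERVFAIL||NOERROR||TIMEOUT||FORMERR  # allow any of these answers
lists.isc.org        A=149.20.*                           # A record matching pattern
`

// honestReplies: constructed replies that satisfy every line (documentation IPs, not real data).
func honestReplies() map[string]Answer {
	return map[string]Answer{
		"cr.yp.to":        {Status: "NOERROR", A: []string{"131.193.32.108", "131.193.32.109"}},
		"wiki.debian.org": {Status: "NOERROR", A: []string{"198.51.100.10"}, CNAME: []string{"wilder.debian.org."}},
		"dn05jq2u.fr":     {Status: "NXDOMAIN"},
		"invalid.com":     {Status: "SERVFAIL"},
		"lists.isc.org":   {Status: "NOERROR", A: []string{"149.20.1.25"}},
	}
}

// hijackingReplies: constructed replies from a resolver that rewrites NXDOMAIN into a
// bogus A record and answers lists.isc.org with an address outside the expected range.
func hijackingReplies() map[string]Answer {
	r := honestReplies()
	r["dn05jq2u.fr"] = Answer{Status: "NOERROR", A: []string{"198.51.100.99"}}
	r["lists.isc.org"] = Answer{Status: "NOERROR", A: []string{"203.0.113.5"}}
	return r
}

func main() {
	checks, err := ParseTemplate(sampleTemplate)
	if err != nil {
		panic(err)
	}
	// Step 1 (template validation): the template must pass on a trusted resolver with 0 mismatches.
	fmt.Println("trusted resolver:", sprint(ValidateServer(checks, honestReplies(), 0)))
	// Step 2 (server validation): the hijacking resolver is dropped as soon as the limit is exceeded.
	for _, limit := range []int{0, 1, 2} {
		fmt.Printf("hijacking resolver, -max-mismatches %d: %s\n", limit, sprint(ValidateServer(checks, hijackingReplies(), limit)))
	}
}

func sprint(ok bool, n int) string { return fmt.Sprintf("accepted=%v mismatches=%d", ok, n) }
```

Running it shows the pipeline stopping at the first mismatch (the rewritten NXDOMAIN) when the limit is 0, at the second when the limit is 1, and accepting the server only once the limit reaches 2, which is why the default of 0 is the right setting for catching resolvers that tamper with negative answers.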

ℹ️ Additional Tips

  • Craft a Thorough Template
    A varied template (involving A, CNAME, NXDOMAIN, and wildcard matches) quickly exposes shady or broken resolvers.
  • Geo-Located Domains
    Beware that some domains (e.g., google.com) may return different IP addresses based on location. This might cause expected results to mismatch.
  • Fine-tune the Template Validation Step
    The -trusted-* flags let you set separate limits for the template validation step, which runs against the trusted server list (use --help for details).

⭐ Acknowledgments

  • dnsvalidator – for the original concept of verifying DNS resolvers.
  • dnsx – inspiration for a fast, multi-purpose DNS toolkit.
  • miekg/dns – the Go library powering DNSanity queries under the hood.

Happy Recon & Hacking!