DNS Certificate Checker is a tool designed to scan all TLS-enabled services under a given DNS zone. By sourcing A and CNAME records directly from authoritative Zone Data Sources (only BIND DNS servers at this time), it can check a given IP address for every hostname that it should serve, according to the information obtained from the DNS server(s).
- python >= 3.7
- See requirements.txt
```shell
python3 -m pip install -r requirements.txt
```
Once a valid configuration file is present at `config.json` (see `config.json.example` for inspiration), the next step is to get exports of the DNS zones to be scanned. If the same host will be used both to fetch zone transfers and to scan for TLS services, `dns_cert_checker.py` can be invoked on its own. Otherwise, if a separate host is used for exporting DNS zone transfers, `fetch_zone_transfers.py` should be invoked on the approved host, and the resulting JSON file supplied to `dns_cert_checker.py` via the `--from-zones-json` argument.
If using a BIND Zone Data Source, this program will request a zone transfer (AXFR) for each configured zone from the configured name server. The host running this program must have its IP address approved to request zone transfers from all configured nameservers. This privilege should not be taken lightly: although zone transfers are extremely useful in this context, they are also a fantastic reconnaissance resource for any attacker who can reach the DNS server, since a full zone listing enumerates every hostname you publish. Be vigilant in your DNS server configuration (`allow-transfer` in BIND), and keep the list of hosts approved to request zone transfers lean.

Other Zone Data Sources may carry other considerations, such as credential management for cloud-based DNS services.
If you'd rather not fetch DNS zone contents at run-time, the accompanying script `fetch_zone_transfers.py` can be used to generate a JSON listing of zone records, readable by DNS Certificate Checker with the `--from-zones-json` command-line argument.
Wildcard DNS records are not conclusively evaluated, as a wildcard target can serve a different certificate for any number of names, depending on the host's configuration. At this time, DNS Certificate Checker simply checks the literal `*` label of a given wildcard record (e.g. `*.example.com`). This is sufficient when the wildcard target simply serves a wildcard certificate for the (sub)domain.
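The following is an added example, not code from DNS Certificate Checker, showing the zone-processing step described above: A and CNAME records from a zone export are turned into the list of hostnames each IP address must present a valid certificate for, following CNAME chains inside the exported data, reporting names that point out of the zone or into a CNAME loop, and listing wildcard owners separately because only their literal `*` label is checked. The record tuple layout and all names and addresses are constructed for this example and are not the JSON format `fetch_zone_transfers.py` produces.

```python
from collections import defaultdict

ZONE = "example.com."
# Constructed sample zone contents (hypothetical names, RFC 5737 test addresses).
RECORDS = [
    ("example.com.",        "A",     "192.0.2.10"),
    ("www.example.com.",    "CNAME", "example.com."),
    ("api.example.com.",    "A",     "192.0.2.11"),
    ("v1.api.example.com.", "CNAME", "api.example.com."),
    ("v2.api.example.com.", "CNAME", "v1.api.example.com."),  # two-hop chain
    ("blog.example.com.",   "CNAME", "pages.example.net."),    # points out of zone
    ("*.apps.example.com.", "A",     "192.0.2.12"),            # wildcard record
    ("loop.example.com.",   "CNAME", "loop.example.com."),     # broken: CNAME loop
]


def index_records(records):
    """Split records into A (name -> set of IPs) and CNAME (name -> target) maps."""
    a_records, cnames = defaultdict(set), {}
    for name, rtype, rdata in records:
        if rtype == "A":
            a_records[name].add(rdata)
        elif rtype == "CNAME":
            cnames[name] = rdata
    return a_records, cnames


def resolve_addresses(name, a_records, cnames):
    """Follow CNAMEs using only the exported zone data.

    Returns (ips, dangling): `ips` is empty when the chain leaves the export
    (out-of-zone target, no A record) or loops; `dangling` then names the
    point where resolution stopped.
    """
    seen, current = set(), name
    while current in cnames:
        if current in seen:          # CNAME loop: stop instead of spinning
            return set(), current
        seen.add(current)
        current = cnames[current]
    if current in a_records:
        return set(a_records[current]), None
    return set(), current


def build_scan_targets(records):
    """Map each IP to the hostnames it must serve valid certificates for.

    Returns (targets, unresolved, wildcards). Wildcard owners keep their
    literal '*' label, which is all the checker evaluates, and are listed
    separately so a report can flag them as inconclusive.
    """
    a_records, cnames = index_records(records)
    targets, unresolved, wildcards = defaultdict(set), {}, set()
    for name in {rec[0] for rec in records}:
        ips, dangling = resolve_addresses(name, a_records, cnames)
        if not ips:
            unresolved[name.rstrip(".")] = dangling.rstrip(".")
            continue
        host = name.rstrip(".")  # SNI / certificate names carry no trailing dot
        if host.startswith("*."):
            wildcards.add(host)
        for ip in ips:
            targets[ip].add(host)
    return ({ip: sorted(h) for ip, h in targets.items()}, unresolved, sorted(wildcards))


if __name__ == "__main__":
    targets, unresolved, wildcards = build_scan_targets(RECORDS)
    for ip, hosts in sorted(targets.items()):
        print(ip, "->", ", ".join(hosts))
    print("unresolved:", unresolved)
    print("wildcards (checked as literal '*' only):", wildcards)
```

Names whose CNAME leaves the zone cannot be resolved from the export alone; a scanner that wants to cover them has to fall back to live resolution (the `lookup_nameservers` setting is where that would be configured), which is why they are returned separately rather than silently dropped.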
Command-line arguments for `dns_cert_checker.py`:

| short name | long name | help text |
|---|---|---|
| `-o` | `--output_csv` | If set, output a CSV of all detected certificate warnings/errors that were discovered |
| N/A | `--from-zones-json` | If set, load zone information from the provided JSON file instead of requesting zone transfers from zone data sources at runtime |
Command-line arguments for `fetch_zone_transfers.py`:

| short name | long name | help text |
|---|---|---|
| `-o` | `--output_file` | If set, output the resulting JSON to a file, rather than `/dev/stdout` |
A sample configuration file is present at `config.json.example`.
| key name | value definition | value type | value default |
|---|---|---|---|
| `log_level` | The level to use in the logger's call to `setLevel` | `int` | `30` (`logging.WARNING`) |
| `ssl_ports` | A list of ports to check when scanning hosts | `List[int]` | `[443]` |
| `min_time_to_expiration` | The minimum number of seconds of certificate validity for a certificate not to be considered close to expiration | `int` | `2592000` (30 days) |
| `zone_data_sources` | A dict of Zone Data Sources, with keys being human-readable identifiers (not parsed by the program) and values being Zone Data Source configurations | `Dict[str, Dict]` | N/A |
| `lookup_nameservers` | If specified, a list of nameservers to use, rather than the operating system's default configuration | `Optional[List[str]]` | N/A |
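As an added example that is not part of DNS Certificate Checker, the following shows how the `min_time_to_expiration` setting above translates into a certificate check, together with the name-matching rule that makes a wildcard certificate on a wildcard target pass, and a connection routine that presents the DNS-derived hostname via SNI while connecting to a specific IP. The certificate dict follows the layout `ssl.SSLSocket.getpeercert()` returns; its names and dates are constructed, and the finding labels (`expires_soon`, `hostname_mismatch`, ...) are this example's own, not the project's output format.

```python
import socket
import ssl
import time

MIN_TIME_TO_EXPIRATION = 2592000  # 30 days, the documented default

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# (hypothetical names and dates).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.apps.example.com")),
    "notBefore": "Mar  1 00:00:00 2025 GMT",
    "notAfter": "Jun  1 00:00:00 2025 GMT",
}


def at(when):
    """Parse a getpeercert()-style timestamp to epoch seconds."""
    return ssl.cert_time_to_seconds(when)


def san_matches(pattern, hostname):
    """Certificate name matching: a '*' covers exactly one leftmost label.

    A literal '*.apps.example.com' hostname (what the checker uses for a
    wildcard DNS record) matches a '*.apps.example.com' SAN, so a wildcard
    certificate served by the wildcard target is accepted.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".apps.example.com"
    if not hostname.endswith(suffix):
        return False
    head = hostname[: -len(suffix)]
    return bool(head) and "." not in head  # bare apex and deeper labels do not match


def cert_names(cert):
    """DNS SANs, falling back to the subject CN only when there are no SANs."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]


def evaluate_cert(cert, hostname, now, min_time_to_expiration=MIN_TIME_TO_EXPIRATION):
    """Return the findings for one (hostname, certificate) pair; [] means clean."""
    findings = []
    not_before, not_after = at(cert["notBefore"]), at(cert["notAfter"])
    if now < not_before:
        findings.append("not_yet_valid")
    if not_after <= now:
        findings.append("expired")
    elif not_after - now < min_time_to_expiration:
        findings.append("expires_soon")
    if not any(san_matches(name, hostname) for name in cert_names(cert)):
        findings.append("hostname_mismatch")
    return findings


def scan(ip, hostname, port=443, now=None, timeout=5.0):
    """Connect to `ip` while presenting `hostname` via SNI, then evaluate the
    certificate that comes back.

    The default context verifies chain and name, which is also what makes
    getpeercert() return a populated dict; a verification failure is itself
    a finding, so it is reported instead of swallowed.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return [f"verify_failed: {exc.verify_message}"]
    return evaluate_cert(cert, hostname, time.time() if now is None else now)


def demo():
    """Offline walkthrough over the constructed certificate at several dates."""
    return {
        "fresh": evaluate_cert(SAMPLE_CERT, "www.example.com", at("Apr  1 00:00:00 2025 GMT")),
        "soon": evaluate_cert(SAMPLE_CERT, "www.example.com", at("May 15 00:00:00 2025 GMT")),
        "expired_and_wrong_name": evaluate_cert(SAMPLE_CERT, "example.com", at("Jul  1 00:00:00 2025 GMT")),
        "wildcard_record": evaluate_cert(SAMPLE_CERT, "*.apps.example.com", at("Apr  1 00:00:00 2025 GMT")),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'ok'}")
```

Run against a real host with `scan("192.0.2.10", "www.example.com")` (addresses are placeholders). The hostname passed as `server_hostname` is what the scanner expects that IP to serve, so a server that only presents a default certificate for a different name is caught even though the TCP connection itself succeeds.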
Documentation on SSLyze can be found here: https://nabla-c0d3.github.io/sslyze/documentation/
| Parameter Name | Default Value |
|---|---|
| `per_server_concurrent_connections_limit` | 5 |
| `concurrent_server_scans_limit` | 10 |

`ServerConnectivityTester` instances take in a `ServerNetworkLocation` (including hostname, port, and IP address), and optionally a `ServerNetworkConfiguration`. Supplying the IP address separately from the hostname is what lets the checker connect to a specific address while still presenting the hostname it expects that address to serve. The `ServerNetworkConfiguration` allows fine-grained control over how the connectivity tester connects to the server; the program does not currently supply a value for it.