@liquidsec liquidsec released this 20 Mar 19:17
· 62 commits to main since this release
a5bb78f

BadDNS 2.0 Changelog

New Modules

  • DMARC — Detect missing or misconfigured DMARC records, with RFC 7489 two-step subdomain lookup
  • MTA-STS — Detect MTA-STS subdomain takeovers and misconfigurations
  • WILDCARD — Detect wildcard DNS records enabling domain-wide subdomain takeover
  • SPF — SPF policy checks, takeover detection, and subdomain fallback; skips cloud provider targets via cloudcheck

New Features

  • Negative signature system — Suppress false positives from known non-vulnerable providers (Cloudflare, Route53, Akamai, Imperva/Incapsula, Bodis, Microsoft Lync/Skype,
    Demandware/Salesforce Commerce Cloud)
  • --min-confidence and --min-severity CLI filters — Filter findings by confidence and severity thresholds
  • not_cnames exclusion in CNAME module — Skip known-safe CNAME patterns (synced with upstream nuclei templates)
  • Finding name property — Proper display names for findings (replaces N/A signatures with descriptive module names)
  • Severity/confidence alignment with BBOT 3.0 — INFORMATIONAL severity replaced with INFO
  • JSON output support

New Signatures

  • Fastly, Hashnode, Discourse, SendPulse, Lovable
  • Updated Azure signature (removed retired services, added web.core.windows.net)
  • Fixed/rewritten signatures: SurveyGizmo, Launchrock, Pantheon, redirect.pizza, AWS S3 bucket
  • Removed 3 invalid signatures
  • Automated SignatureBot updates: Mailgun, Tave, Launchrock, SurveyGizmo

Bug Fixes

  • Fix DMARC false positives on subdomains (RFC 7489 two-step lookup)
  • Fix NSEC zone walking false positives caused by CNAME following
  • Fix false positives in registration-based detection for restricted TLDs and self-referential SPF includes
  • Filter SRV-style subdomains (_sip._tcp.*, etc.) to prevent false positives
  • Fix unhandled LifetimeTimeout in CNAME chain following
  • Fix nested omit_types handling in NS module
  • Fix analyzeWHOIS returning None instead of empty list
  • Fix unhandled part: cname in matcher and signature generation
  • Skip DNS targets with labels exceeding 63-octet RFC 1035 limit

Performance

  • Speed up references module with WHOIS caching and concurrent domain processing

Developer / Infrastructure

  • Python 3.10–3.14 matrix testing
  • Migrated linting from black/flake8 to ruff
  • Replaced mock with unittest.mock for Python 3.14 compatibility
  • Achieved 100% test coverage across all modules
  • Updated documentation for v2.0