"No CNAME record found for:" warning is misleading?

[cherdt]

When running subsnipe I get a number of warnings like the following:

WARN[0105] No CNAME record found for: subdomain.example.com.

However, there is a CNAME record for that subdomain, e.g.:

subdomain.example.com.              3600    IN      CNAME   subdomain-ha.example.com.

I haven't dug into the logic, but I assume the message indicates that the CNAME record is part of the same domain, and therefore presumably not vulnerable. I just thought it an unusual warning for a case where a CNAME record exists.

[dub-flow]

Hey @cherdt, thanks for reporting this! Do you have a concrete example where SubSnipe says that no CNAME exists but one actually does exist? That feels very odd to me.

[cherdt]

I think I'm seeing the issue, the CNAME record exists but points to a FQDN that does not exist. This result makes sense, but I was misinterpreting the results/the message was not necessarily what I was expecting.

Here's a concrete example:

##################################
#                                #
#           SubSnipe             #
#                                #
#       By dub-flow with ❤️       #
#                                #
##################################

Current version: 0.2.1

INFO[0000] Output will be written to: output.md
INFO[0000] RUNNING_ENVIRONMENT is not set, thus we assume the tool is run directly via 'go run .'
INFO[0000] Fingerprints are already up to date
INFO[0000] Checking subdomains for:
INFO[0000] Number of subdomains to check: 2
INFO[0000] Querying CNAME records for subdomains...
WARN[0000] No CNAME record found for:
WARN[0000] No CNAME record found for: subsnipe.osric.org.
INFO[0000] Results have been written to output.md

dig shows a CNAME exists:

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> subsnipe.osric.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65518
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;subsnipe.osric.org.            IN      A

;; ANSWER SECTION:
subsnipe.osric.org.     284     IN      CNAME   subsnipe.osric.org.cloudflare.com.

;; AUTHORITY SECTION:
cloudflare.com.         284     IN      SOA     ns3.cloudflare.com. dns.cloudflare.com. 2354474710 10000 2400 604800 300

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Oct 15 16:20:07 CDT 2024
;; MSG SIZE  rcvd: 138

but the CNAME value does not exist:

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> subsnipe.osric.org.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23505
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;subsnipe.osric.org.cloudflare.com. IN  A

;; AUTHORITY SECTION:
cloudflare.com.         102     IN      SOA     ns3.cloudflare.com. dns.cloudflare.com. 2354474710 10000 2400 604800 300

;; Query time: 9 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Oct 15 16:23:09 CDT 2024
;; MSG SIZE  rcvd: 106

[dub-flow]

Thanks for providing the extra information! I have some other things in the backlog but I will check it out when I have a moment and come back to you.

[dub-flow]

Uhm I just ran a quick test and it finds the CNAME on my machine 🤔

[cherdt]

I just pulled the latest updates, I'm still getting different results:

$ go run . -s osorg
##################################
#                                #
#           SubSnipe             #
#                                #
#       By dub-flow with ❤️       #
#                                #
##################################

Current version: 0.3.0

INFO[0000] Output will be written to: output.md
INFO[0000] RUNNING_ENVIRONMENT is not set, thus we assume the tool is run directly via 'go run .'
INFO[0000] Fingerprints are already up to date
INFO[0000] Checking subdomains for:
INFO[0000] Number of subdomains to check: 2
INFO[0000] Querying CNAME records for subdomains...
INFO[0000] No CNAME record found for:
INFO[0000] No CNAME record found for: subsnipe.osric.org
INFO[0000] Results have been written to output.md

It's also interesting to me that there it indicates there are 2 subdomains to check. There is only one subdomain in the input file:

subsnipe.osric.org.

(I've tried both with and without the terminal dot.)

I'm running the test on an Ubuntu VM:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.5 LTS
Release:        22.04
Codename:       jammy

Go version is 1.18.1:

$ go version
go version go1.18.1 linux/amd64

[dub-flow]

Hi @cherdt, I spent some time investigating:

So the bug with the "2 subdomains" was that I didn't handle new lines in the subdomains file properly in some cases. This is fixed now.

For the "CNAME not found" issue: The tool works properly for 'subsnipe.osric.org' when running it inside of a Ubuntu VM for me. It also works within a Ubuntu docker container. However, I was able to replicate the behavior you are experiencing from within the Ubuntu subsystem in Windows.

Is that how you run the tool?

[cherdt]

I'm not running it through WSL, but I am running on a Windows machine (via VirtualBox).

…

On Wed, Oct 23, 2024, 8:51 AM Florian Walter ***@***.***> wrote: Hi @cherdt <https://github.com/cherdt>, I spent some time investigating: So the bug with the "2 subdomains" was that I didn't handle new lines in the subdomains file properly in some cases. This is fixed now. For the "CNAME not found" issue: The tool works properly for ' subsnipe.osric.org' when running it inside of a Ubuntu VM for me. It also works within a Ubuntu docker container. However, I was able to replicate the behavior you are experiencing from within the Ubuntu subsystem in Windows. Is that how you run the tool? — Reply to this email directly, view it on GitHub <#9 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAC5MBC2HG2N3HQ42ZIUGVTZ46SWNAVCNFSM6AAAAABPTFM73WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMZSGI3TKMRSGU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[dub-flow]

I think I figured out the reason for the problem, and it's this: https://stackoverflow.com/questions/56856075/how-can-i-get-the-cname-of-a-host-for-which-dns-resolution-fails-nxdomain-in-g

It looks like the standard Go DNS library (which I'm using) returns an error if no A record exists, and then doesn't resolve the CNAME. And as we can see with dig, there is no A record here:

Now the weird part is: Why does it work on Mac, Linux, etc., but only not on Ubuntu on Windows? It also works on Kali on Windows, and Mint on Windows... but not Ubuntu 😄

[dub-flow]

Will probably check out other DNS libraries and see if that works better.

[dub-flow]

@cherdt could you please check out this pull request (#10) and see if it resolves the issue?

To do this, navigate into the folder of the git repo and run:

1. git remote add upstream https://github.com/dub-flow/subsnipe.git
2. git fetch upstream pull/10/head:pr-10
3. git checkout pr-10
4. go get github.com/miekg/dns - This is necessary because the go.mod hasn't been updated in the PR yet

[dub-flow]

Hmm, so introducing these new changes just leads to some other issues.

This problem is so weird: On Ubuntu WSL on ARM, Subsnipe finds the CNAME for subsnipe.osric.org, but on x86 Ubuntu, it doesn't. It looks like the reason it cannot find the CNAME is because no A record exists for subsnipe.osric.org... But why is this only on x86?

I'm gonna put this on the back burner for now because I can't quite figure out the reason for this problem.