soa-detection

dns/soa-detect.yaml

@@ -0,0 +1,79 @@
+id: soa-detect
+
+info:
+  name: SOA record service detection
+  author: rxerium
+  severity: info
+  description: Detects which domain provider a domain is using, detected through SOA records
+  reference:
+    - https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/
+  metadata:
+    max-request: 1
+  tags: dns,soa
+
+dns:
+  - name: "{{FQDN}}"
+    type: SOA
+    matchers-condition: or
+    matchers:
+      - type: word
+        name: "Cloudflare"
+        words:
+          - "dns.cloudflare.com"
+
+      - type: word
+        name: "Amazon Web Services"
+        words:
+          - "awsdns"
+
+      - type: word
+        name: "Akamai"
+        words:
+          - "hostmaster.akamai.com"
+
+      - type: word
+        name: "Azure"
+        words:
+          - "azure-dns.com"
+
+      - type: word
+        name: "NS1"
+        words:
+          - "nsone.net"
+
+      - type: word
+        name: "Verizon"
+        words:
+          - "verizon.com"
+
+      - type: word
+        name: "Google Cloud Platform"
+        words:
+          - "googledomains.com"
+          - "google.com"
+
+      - type: word
+        name: "Alibaba"
+        words:
+          - "alibabadns.com"
+
+      - type: word
+        name: "Safeway"
+        words:
+          - "safeway.com"
+
+      - type: word
+        name: "Mark Monitor"
+        words:
+          - "markmonitor.com"
+          - "markmonitor.zone"
+
+      - type: word
+        name: "Hetznet"
+        words:
+          - "hetzner.com"
+
+      - type: word
+        name: "Edge Cast"
+        words:
+          - "edgecastdns.net"