id: soa-detect

info:
  name: SOA Record Service - Detection
  author: rxerium
  severity: info
  description: |
    Detects which domain provider a domain is using, detected through SOA records
  reference:
    - https://www.cloudflare.com/learning/dns/dns-records/dns-soa-record/
  metadata:
    verified: true
    max-request: 1
  tags: dns,soa

dns:
  - name: "{{FQDN}}"

    type: SOA

    matchers-condition: or
    matchers:
      - type: word
        name: "cloudflare"
        words:
          - "dns.cloudflare.com"

      - type: word
        name: "amazon-web-services"
        words:
          - "awsdns"

      - type: word
        name: "akamai"
        words:
          - "hostmaster.akamai.com"

      - type: word
        name: "azure"
        words:
          - "azure-dns.com"

      - type: word
        name: "ns1"
        words:
          - "nsone.net"

      - type: word
        name: "verizon"
        words:
          - "verizon.com"

      - type: word
        name: "google-cloud-platform"
        words:
          - "googledomains.com"
          - "google.com"

      - type: word
        name: "alibaba"
        words:
          - "alibabadns.com"

      - type: word
        name: "safeway"
        words:
          - "safeway.com"

      - type: word
        name: "mark-monitor"
        words:
          - "markmonitor.com"
          - "markmonitor.zone"

      - type: word
        name: "hetznet"
        words:
          - "hetzner.com"

      - type: word
        name: "edge-cast"
        words:
          - "edgecastdns.net"
# digest: 4b0a00483046022100f2cd1d2d52b6332f270dbd6c1fdfc0831c05733b5bfdec2df55ec9efafde5319022100b4f3e4adc6b6c8505cef05b98b3c52a3bc7c9a3d280d036f60abc1cfc47b0cc9:922c64590222798bb761d5b6d8e72950