id: dns-waf-detect

info:
  name: DNS WAF Detection
  author: lu4nx
  severity: info
  description: A DNS WAF was detected.
  classification:
    cwe-id: CWE-200
  metadata:
    max-request: 2
  tags: tech,waf,dns

dns:
  - name: "{{FQDN}}"
    type: CNAME

  - name: "{{FQDN}}"
    type: NS
    matchers:
      - type: word
        part: answer
        name: sanfor-shield
        words:
          - ".sangfordns.com"

      - type: word
        part: answer
        name: 360panyun
        words:
          - ".360panyun.com"

      - type: word
        part: answer
        name: baiduyun
        words:
          - ".yunjiasu-cdn.net"

      - type: word
        part: answer
        name: chuangyudun
        words:
          - ".365cyd.cn"
          - ".cyudun.net"

      - type: word
        part: answer
        name: knownsec
        words:
          - ".jiashule.com"
          - ".jiasule.org"

      - type: word
        part: answer
        name: huaweicloud
        words:
          - ".huaweicloudwaf.com"

      - type: word
        part: answer
        name: xinliuyun
        words:
          - ".ngaagslb.cn"

      - type: word
        part: answer
        name: chinacache
        words:
          - ".chinacache.net"
          - ".ccgslb.net"

      - type: word
        part: answer
        name: nscloudwaf
        words:
          - ".nscloudwaf.com"

      - type: word
        part: answer
        name: wangsu
        words:
          - ".wsssec.com"
          - ".lxdns.com"
          - ".wscdns.com"
          - ".cdn20.com"
          - ".cdn30.com"
          - ".ourplat.net"
          - ".wsdvs.com"
          - ".wsglb0.com"
          - ".wswebcdn.com"
          - ".wswebpic.com"
          - ".wsssec.com"
          - ".wscloudcdn.com"
          - ".mwcloudcdn.com"

      - type: word
        part: answer
        name: qianxin
        words:
          - ".360safedns.com"
          - ".360cloudwaf.com"

      - type: word
        part: answer
        name: baiduyunjiasu
        words:
          - ".yunjiasu-cdn.net"

      - type: word
        part: answer
        name: anquanbao
        words:
          - ".anquanbao.net"

      - type: regex
        name: aliyun
        regex:
          - '\.w\.kunlun\w{2,3}\.com'

      - type: regex
        name: aliyun-waf
        regex:
          - '\.aliyunddos\d+\.com'
          - '\.aliyunwaf\.com'
          - '\.aligaofang\.com'
          - '\.aliyundunwaf\.com'

      - type: word
        part: answer
        name: xuanwudun
        words:
          - ".saaswaf.com"
          - ".dbappwaf.cn"

      - type: word
        part: answer
        name: yundun
        words:
          - ".hwwsdns.cn"
          - ".yunduncname.com"

      - type: word
        part: answer
        name: knownsec-ns
        words:
          - ".jiasule.net"

      - type: word
        part: answer
        name: chuangyudun
        words:
          - ".365cyd.net"

      - type: word
        part: answer
        name: qianxin
        words:
          - ".360wzb.com"

      - type: word
        part: answer
        name: anquanbao
        words:
          - ".anquanbao.com"

      - type: word
        part: answer
        name: wangsu
        words:
          - ".chinanetcenter.com"

      - type: word
        part: answer
        name: baiduyunjiasue
        words:
          - ".ns.yunjiasu.com"

      - type: word
        part: answer
        name: chinacache
        words:
          - ".chinacache.com"

      - type: word
        part: answer
        name: cloudflare
        words:
          - "ns.cloudflare.com"

      - type: word
        part: answer
        name: edns
        words:
          - ".iidns.com"

# digest: 4a0a0047304502200a845666375d02a84b9b0a1b56465d375357774b8c0c3a044dccf1e02fbf6267022100bf5e4f34f8e41d1cf13880ed6760c273df09e408a6d0c53c335dceeadac76182:922c64590222798bb761d5b6d8e72950