mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-30 20:31:15 +01:00
Ignore $HOME/.digrc
Newer dig versions have an option to ignore $HOME/.digrc, older don't. This commit adds a patch checking for the availability of such an option and uses it by default. See #1894 . If this option doesn't exist then still dig is used and can still lead to wrong output. Unfortunately Debian-based distros are not very good at this. Debian 10, Ubuntu 18.04 still use dig 9.11, whereas Opensuse 15.2 has 9.16. Debian 11 and Ubuntu 20.04 use that too.
This commit is contained in:
Dirk
parent
c40a3a7d02
commit
439aad1f22
29
testssl.sh
29
testssl.sh
@ -351,6 +351,8 @@ HAS_ZLIB=false
|
|||||||
HAS_UDS=false
|
HAS_UDS=false
|
||||||
HAS_UDS2=false
|
HAS_UDS2=false
|
||||||
HAS_DIG=false
|
HAS_DIG=false
|
||||||
|
HAS_DIG_R=true
|
||||||
|
DIG_R="-r"
|
||||||
HAS_HOST=false
|
HAS_HOST=false
|
||||||
HAS_DRILL=false
|
HAS_DRILL=false
|
||||||
HAS_NSLOOKUP=false
|
HAS_NSLOOKUP=false
|
||||||
@ -19564,6 +19566,7 @@ HAS_IDN: $HAS_IDN
|
|||||||
HAS_IDN2: $HAS_IDN2
|
HAS_IDN2: $HAS_IDN2
|
||||||
HAS_AVAHIRESOLVE: $HAS_AVAHIRESOLVE
|
HAS_AVAHIRESOLVE: $HAS_AVAHIRESOLVE
|
||||||
HAS_DIG_NOIDNOUT: $HAS_DIG_NOIDNOUT
|
HAS_DIG_NOIDNOUT: $HAS_DIG_NOIDNOUT
|
||||||
|
HAS_DIG_R: $HAS_DIG_R
|
||||||
HAS_XXD: $HAS_XXD
|
HAS_XXD: $HAS_XXD
|
||||||
|
|
||||||
PATH: $PATH
|
PATH: $PATH
|
||||||
@ -20026,12 +20029,18 @@ check_resolver_bins() {
|
|||||||
type -p idn &>/dev/null && HAS_IDN=true
|
type -p idn &>/dev/null && HAS_IDN=true
|
||||||
type -p idn2 &>/dev/null && HAS_IDN2=true
|
type -p idn2 &>/dev/null && HAS_IDN2=true
|
||||||
|
|
||||||
|
# Old dig versions don't have an option to ignore $HOME/.digrc
|
||||||
|
if dig -r 2>&1 | grep -qiE 'invalid|usage'; then
|
||||||
|
HAS_DIG_R=false
|
||||||
|
DIG_R=""
|
||||||
|
fi
|
||||||
|
|
||||||
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
if ! "$HAS_DIG" && ! "$HAS_HOST" && ! "$HAS_DRILL" && ! "$HAS_NSLOOKUP"; then
|
if ! "$HAS_DIG" && ! "$HAS_HOST" && ! "$HAS_DRILL" && ! "$HAS_NSLOOKUP"; then
|
||||||
fatal "Neither \"dig\", \"host\", \"drill\" or \"nslookup\" is present" $ERR_DNSBIN
|
fatal "Neither \"dig\", \"host\", \"drill\" or \"nslookup\" is present" $ERR_DNSBIN
|
||||||
fi
|
fi
|
||||||
if "$HAS_DIG"; then
|
if "$HAS_DIG"; then
|
||||||
if dig +noidnout -t a 2>&1 | grep -Eq 'Invalid option: \+noidnout|IDN support not enabled'; then
|
if dig $DIG_R +noidnout -t a 2>&1 | grep -Eq 'Invalid option: \+noidnout|IDN support not enabled'; then
|
||||||
:
|
:
|
||||||
else
|
else
|
||||||
HAS_DIG_NOIDNOUT=true
|
HAS_DIG_NOIDNOUT=true
|
||||||
@ -20065,13 +20074,13 @@ get_a_record() {
|
|||||||
if "$HAS_AVAHIRESOLVE"; then
|
if "$HAS_AVAHIRESOLVE"; then
|
||||||
ip4=$(filter_ip4_address $(avahi-resolve -4 -n "$1" 2>/dev/null | awk '{ print $2 }'))
|
ip4=$(filter_ip4_address $(avahi-resolve -4 -n "$1" 2>/dev/null | awk '{ print $2 }'))
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
ip4=$(filter_ip4_address $(dig @224.0.0.251 -p 5353 +short -t a +notcp "$1" 2>/dev/null | sed '/^;;/d'))
|
ip4=$(filter_ip4_address $(dig $DIG_R @224.0.0.251 -p 5353 +short -t a +notcp "$1" 2>/dev/null | sed '/^;;/d'))
|
||||||
else
|
else
|
||||||
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
|
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [[ -z "$ip4" ]] && "$HAS_DIG"; then
|
if [[ -z "$ip4" ]] && "$HAS_DIG"; then
|
||||||
ip4=$(filter_ip4_address $(dig +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
|
ip4=$(filter_ip4_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t a "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
|
||||||
fi
|
fi
|
||||||
if [[ -z "$ip4" ]] && "$HAS_HOST"; then
|
if [[ -z "$ip4" ]] && "$HAS_HOST"; then
|
||||||
ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | awk '/address/ { print $NF }'))
|
ip4=$(filter_ip4_address $(host -t a "$1" 2>/dev/null | awk '/address/ { print $NF }'))
|
||||||
@ -20109,12 +20118,12 @@ get_aaaa_record() {
|
|||||||
if "$HAS_AVAHIRESOLVE"; then
|
if "$HAS_AVAHIRESOLVE"; then
|
||||||
ip6=$(filter_ip6_address $(avahi-resolve -6 -n "$1" 2>/dev/null | awk '{ print $2 }'))
|
ip6=$(filter_ip6_address $(avahi-resolve -6 -n "$1" 2>/dev/null | awk '{ print $2 }'))
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
ip6=$(filter_ip6_address $(dig @ff02::fb -p 5353 -t aaaa +short +notcp "$NODE"))
|
ip6=$(filter_ip6_address $(dig $DIG_R @ff02::fb -p 5353 -t aaaa +short +notcp "$NODE"))
|
||||||
else
|
else
|
||||||
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
|
fatal "Local hostname given but no 'avahi-resolve' or 'dig' available." $ERR_DNSBIN
|
||||||
fi
|
fi
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
ip6=$(filter_ip6_address $(dig +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
|
ip6=$(filter_ip6_address $(dig $DIG_R +short +timeout=2 +tries=2 $noidnout -t aaaa "$1" 2>/dev/null | awk '/^[0-9]/ { print $1 }'))
|
||||||
elif "$HAS_HOST"; then
|
elif "$HAS_HOST"; then
|
||||||
ip6=$(filter_ip6_address $(host -t aaaa "$1" | awk '/address/ { print $NF }'))
|
ip6=$(filter_ip6_address $(host -t aaaa "$1" | awk '/address/ { print $NF }'))
|
||||||
elif "$HAS_DRILL"; then
|
elif "$HAS_DRILL"; then
|
||||||
@ -20150,7 +20159,7 @@ get_caa_rr_record() {
|
|||||||
# caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3
|
# caa_property then has key/value pairs, see https://tools.ietf.org/html/rfc6844#section-3
|
||||||
OPENSSL_CONF=""
|
OPENSSL_CONF=""
|
||||||
if "$HAS_DIG"; then
|
if "$HAS_DIG"; then
|
||||||
raw_caa="$(dig +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
|
raw_caa="$(dig $DIG_R +short +timeout=3 +tries=3 $noidnout type257 "$1" 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
|
||||||
# empty if no CAA record
|
# empty if no CAA record
|
||||||
elif "$HAS_DRILL"; then
|
elif "$HAS_DRILL"; then
|
||||||
raw_caa="$(drill $1 type257 | awk '/'"^${1}"'.*CAA/ { print $5,$6,$7 }')"
|
raw_caa="$(drill $1 type257 | awk '/'"^${1}"'.*CAA/ { print $5,$6,$7 }')"
|
||||||
@ -20221,7 +20230,7 @@ get_mx_record() {
|
|||||||
if "$HAS_HOST"; then
|
if "$HAS_HOST"; then
|
||||||
mx="$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')"
|
mx="$(host -t MX "$1" 2>/dev/null | awk '/is handled by/ { print $(NF-1), $NF }')"
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
mx="$(dig +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
|
mx="$(dig $DIG_R +short $noidnout -t MX "$1" 2>/dev/null | awk '/^[0-9]/ { print $1" "$2 }')"
|
||||||
elif "$HAS_DRILL"; then
|
elif "$HAS_DRILL"; then
|
||||||
mx="$(drill mx $1 | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')"
|
mx="$(drill mx $1 | awk '/IN[ \t]MX[ \t]+/ { print $(NF-1), $NF }')"
|
||||||
elif "$HAS_NSLOOKUP"; then
|
elif "$HAS_NSLOOKUP"; then
|
||||||
@ -20248,7 +20257,7 @@ get_txt_record() {
|
|||||||
if "$HAS_HOST"; then
|
if "$HAS_HOST"; then
|
||||||
record="$(host -t TXT "$1" 2>/dev/null | awk -F\" '/descriptive text/ { print $(NF-1) }')"
|
record="$(host -t TXT "$1" 2>/dev/null | awk -F\" '/descriptive text/ { print $(NF-1) }')"
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
record="$(dig +short $noidnout -t TXT "$1" 2>/dev/null)"
|
record="$(dig $DIG_R +short $noidnout -t TXT "$1" 2>/dev/null)"
|
||||||
elif "$HAS_DRILL"; then
|
elif "$HAS_DRILL"; then
|
||||||
record="$(drill txt $1 | awk -F\" '/^[a-z0-9].*TXT/ { print $(NF-1) }')"
|
record="$(drill txt $1 | awk -F\" '/^[a-z0-9].*TXT/ { print $(NF-1) }')"
|
||||||
elif "$HAS_NSLOOKUP"; then
|
elif "$HAS_NSLOOKUP"; then
|
||||||
@ -20348,11 +20357,11 @@ determine_rdns() {
|
|||||||
if "$HAS_AVAHIRESOLVE"; then
|
if "$HAS_AVAHIRESOLVE"; then
|
||||||
rDNS=$(avahi-resolve -a $nodeip 2>/dev/null | awk '{ print $2 }')
|
rDNS=$(avahi-resolve -a $nodeip 2>/dev/null | awk '{ print $2 }')
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
rDNS=$(dig -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer +short | awk '{ print $1 }')
|
rDNS=$(dig $DIG_R -x $nodeip @224.0.0.251 -p 5353 +notcp +noall +answer +short | awk '{ print $1 }')
|
||||||
fi
|
fi
|
||||||
elif "$HAS_DIG"; then
|
elif "$HAS_DIG"; then
|
||||||
# 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
|
# 1+2 should suffice. It's a compromise for if e.g. network is down but we have a docker/localhost server
|
||||||
rDNS=$(dig -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }') # +short returns also CNAME, e.g. openssl.org
|
rDNS=$(dig $DIG_R -x $nodeip +timeout=1 +tries=2 +noall +answer +short | awk '{ print $1 }') # +short returns also CNAME, e.g. openssl.org
|
||||||
elif "$HAS_HOST"; then
|
elif "$HAS_HOST"; then
|
||||||
rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
|
rDNS=$(host -t PTR $nodeip 2>/dev/null | awk '/pointer/ { print $NF }')
|
||||||
elif "$HAS_DRILL"; then
|
elif "$HAS_DRILL"; then
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user