2322f69516
Add WiFi Audit, API Fuzzer, Cloud Scanner, Threat Intel, Log Correlator, Steganography, Anti-Forensics, BLE Scanner, Forensics, RFID/NFC, Malware Sandbox, Password Toolkit, Web Scanner, Report Engine, Net Mapper, and C2 Framework. Each module includes CLI interface, Flask routes, and web UI template. Also includes Go DNS server source + binary, IP Capture service, SYN Flood, Gone Fishing mail server, and hack hijack modules from v2.0 work. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
85 lines
2.9 KiB
Go
85 lines
2.9 KiB
Go
package config
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/hex"
|
|
)
|
|
|
|
// Config holds all DNS server configuration.
|
|
type Config struct {
|
|
ListenDNS string `json:"listen_dns"`
|
|
ListenAPI string `json:"listen_api"`
|
|
APIToken string `json:"api_token"`
|
|
Upstream []string `json:"upstream"`
|
|
CacheTTL int `json:"cache_ttl"`
|
|
ZonesDir string `json:"zones_dir"`
|
|
DNSSECKeyDir string `json:"dnssec_keys_dir"`
|
|
LogQueries bool `json:"log_queries"`
|
|
|
|
// Hosts file support
|
|
HostsFile string `json:"hosts_file"` // Path to hosts file (e.g., /etc/hosts)
|
|
HostsAutoLoad bool `json:"hosts_auto_load"` // Auto-load system hosts file on start
|
|
|
|
// Encryption
|
|
EnableDoH bool `json:"enable_doh"` // DNS-over-HTTPS to upstream
|
|
EnableDoT bool `json:"enable_dot"` // DNS-over-TLS to upstream
|
|
|
|
// Security hardening
|
|
RateLimit int `json:"rate_limit"` // Max queries/sec per source IP (0=unlimited)
|
|
BlockList []string `json:"block_list"` // Blocked domain patterns
|
|
AllowTransfer []string `json:"allow_transfer"` // IPs allowed zone transfers (empty=none)
|
|
MinimalResponses bool `json:"minimal_responses"` // Minimize response data
|
|
RefuseANY bool `json:"refuse_any"` // Refuse ANY queries (amplification protection)
|
|
MaxUDPSize int `json:"max_udp_size"` // Max UDP response size
|
|
|
|
// Advanced
|
|
QueryLogMax int `json:"querylog_max"` // Max query log entries (default 1000)
|
|
NegativeCacheTTL int `json:"negative_cache_ttl"` // TTL for NXDOMAIN cache (default 60)
|
|
PrefetchEnabled bool `json:"prefetch_enabled"` // Prefetch expiring cache entries
|
|
ServFailCacheTTL int `json:"servfail_cache_ttl"` // TTL for SERVFAIL cache (default 30)
|
|
}
|
|
|
|
// DefaultConfig returns security-hardened defaults.
|
|
// No upstream forwarders — full recursive resolution from root hints.
|
|
// Upstream can be configured as optional fallback if recursive fails.
|
|
func DefaultConfig() *Config {
|
|
return &Config{
|
|
ListenDNS: "0.0.0.0:53",
|
|
ListenAPI: "127.0.0.1:5380",
|
|
APIToken: generateToken(),
|
|
Upstream: []string{}, // Empty = pure recursive from root hints
|
|
CacheTTL: 300,
|
|
ZonesDir: "data/dns/zones",
|
|
DNSSECKeyDir: "data/dns/keys",
|
|
LogQueries: true,
|
|
|
|
// Hosts
|
|
HostsFile: "",
|
|
HostsAutoLoad: false,
|
|
|
|
// Encryption defaults
|
|
EnableDoH: true,
|
|
EnableDoT: true,
|
|
|
|
// Security defaults
|
|
RateLimit: 100, // 100 qps per source IP
|
|
BlockList: []string{},
|
|
AllowTransfer: []string{}, // No zone transfers
|
|
MinimalResponses: true,
|
|
RefuseANY: true, // Block DNS amplification attacks
|
|
MaxUDPSize: 1232, // Safe MTU, prevent fragmentation
|
|
|
|
// Advanced defaults
|
|
QueryLogMax: 1000,
|
|
NegativeCacheTTL: 60,
|
|
PrefetchEnabled: false,
|
|
ServFailCacheTTL: 30,
|
|
}
|
|
}
|
|
|
|
func generateToken() string {
|
|
b := make([]byte, 16)
|
|
rand.Read(b)
|
|
return hex.EncodeToString(b)
|
|
}
|