update

Author: maroofi

README.md

@@ -2,25 +2,33 @@
 
 ### bulkDNS: A fast DNS scanner for large-scale Internet measurement
 
-Using **bulkDNS**, you can scan millions of domain names in a few minutes. The scanner has been designed to be fast with a very small footprint.
+Using **bulkDNS**, you can scan millions of domain names in a few minutes. The scanner has been designed to be fast with a very small footprint. It also supports customized scan scenarios through Lua scripting.
 
 The output of bulkDNS is a detailed JSON structure (example at the end of the page) which can be parsed both by command-line (e.g., by `jq`) or any programming language.
 
 ### Menu
 
 * [How to compile bulkDNS](#How-to-compile)
+    * [Compile without Lua](#Compile-without-Lua)
+    * [Compile with Lua for customized scan scenarios](#Compile-with-Lua-for-customized-scan-scenarios)
 * [Supported Resource Records (RRs)](#Supported-Resource-Records)
 * [List of Switches](#List-of-Switches)
 * [Example Output](#Example-Output)
 * [Notes](#Notes)
-	* [A note on threads](#A-note-on-threads)
+	* [A note on threads and concurrency](#A-note-on-threads-and-concurrency)
 	* [A note on names and conventions](#Names-and-output-convention)
    	* [Hex representation of the output](#Hex-represantaion-of-the-output)
 * [FAQ](#FAQ)
 
 
 ### How to compile
 
+You have two options to compile bulkDNS. If You just want to use the scanner for scanning resource records like `A`, `AAAA`, `NS`, `MX`, etc, You can compile the scanner without Lua which is very easy. However, if you want to use `--server-mode` option or you have your own scan scenarios in mind that is more complicated than a simple resource record, then you must compile _bulkDNS_ with Lua support. Here is the instruction for both cases:
+
+#### Compile without Lua
+
+This is the first case (just scanning resource records)
+
 You need to have `jansson` and `pthread` installed.
 
 ```bash
@@ -42,12 +50,49 @@ make
 
 The compiled output is inside the `bin` directory.
 
+#### Compile with Lua for customized scan scenarios
+
+In this case, you need to have `lua5.4`, `pthread` and `jansson` installed. Here is the procedure:
+```bash
+# install lua binary
+sudo apt install lua5.4
+
+# install lua lib
+sudo apt install liblua5.4-dev
+
+# install the dependencies
+sudo apt install libpthread-stubs0-dev libjansson-dev
+
+# after installing lua, if you run pkg-config like this:
+pkg-config --cflags --libs lua5.4
+# you should see an output like this:
+# -I/usr/include/lua5.4 -llua5.4
+
+# Now clone the repository
+git clone --recurse-submodules  https://github.com/maroofi/bulkDNS.git
+
+# and make with the following commands
+cd bulkDNS
+make with-lua
+
+```
+The compiled output is inside the `bin` directory.
+
+In case the `pkg-config` commands gives you a different output for Lua headers and library locations, then 
+you must specify the values in the make file like this:
+
+```bash
+make LUALIB=<your-lua-lib-name> LUAINCDIR=<your-path-to-lua-include-dir> with-lua
+```
+
+That's all!
+
+
 ### Supported Resource Records
 
 Currently, bulkDNS supports the following 17 RRs:
 
-**A**, **AAAA**, **NS**, **RRSIG**, **SOA**, **MX**, **SRV**, **PTR**, **HINFO**, **TXT**, **CNAME**, **URI**,
-**NID**, **L32**, **L64**, **LP**, **CAA**
+**A**, **AAAA**, **NS**, **RRSIG**, **SOA**, **MX**, **SRV**, **PTR**, **HINFO**, **TXT**, **CNAME**, **URI**, **NID**, **L32**, **L64**, **LP**, **CAA**
 
 It also supports adding **EDNS0** (**DNSSEC-OK** and **NSID**) to queries.
 
@@ -70,27 +115,31 @@ All the RRs and EDNS0 are implemented based on the following RFCs (Some implemen
 [Help]
 
 Summary:
-BulkDNS scanner based on sdns low-level DNS library.
-
-./bulkdns [OPTIONS] <INPUT|FILE>
-	            --udp-only 	        Only query using UDP connection (Default will follow TCP)
-	            --set-do 	        Set DNSSEC OK (DO) bit in queries (default is no DO)
-	            --noedns 	        Do not support EDNS0 in queries (Default supports EDNS0)
-                    --set-nsid 	        The packet has NSID in edns0
-	            --threads=<param>	How many threads should be used (it's pthreads, and default is 300)
-	-t <param>, --type=<param>	Resource Record type (A, AAAA, NS, etc). Default is 'A'
-	-c <param>, --class=<param>	RR Class (IN, CH). Default is 'IN'
-	-r <param>, --resolver=<param>	Resolver IP address to send the query to (default 1.1.1.1)
-	-p <param>, --port=<param>	Resolver port number to send the query to (default 53)
-	-o <param>, --output=<param>	Output file name (default is the terminal with stdout)
-	-e <param>, --error=<param>	where to write the error (default is terminal with stderr)
-	-h ,        --help 	        Print this help message
+Bulk DNS scanner based on sdns low-level DNS library.
 
-	We currently supports the following RR:
-		A, AAAA, NS, RRSIG, SOA, MX, SRV, URI, PTR,
-		HINFO, TXT, CNAME, NID, L32, L64, LP, CAA
-	Supported DNS classes: IN, CH
+./bulkdns [OPTIONS] <INPUT|FILE>	
 
+	-t <param>, --type=<param>		Resource Record type (Default is 'A')
+	-c <param>, --class=<param>		RR Class (IN, CH). Default is 'IN'
+	-r <param>, --resolver=<param>	Resolver IP address to send the query to (default 1.1.1.1)
+	-p <param>, --port=<param>		Resolver port number to send the query to (default 53)
+	-e <param>, --error=<param>		where to write the error (default is terminal with stderr)
+	-o <param>, --output=<param>	Output file name (default is the terminal with stdout)
+	--lua-script=<param>			Lua script to be used either for scan or server mode
+	--bind-ip=<param>			    IP address to bind (default 127.0.0.1 for scan mode, 0.0.0.0 for server-mode)
+	--timeout=<param>			    Timeout of the socket (default is 5 seconds)
+	--concurrency=<param>			How many concurrent requests should we send (default is 1000)
+	--udp-only				        Only query using UDP connection (Default will follow TCP)
+	--set-do				        Set DNSSEC OK (DO) bit in queries (default is no DO)
+	--set-nsid				        The packet has NSID in edns0
+	--noedns				        Do not support EDNS0 in queries (Default supports EDNS0)
+	--server-mode				    Run bulkDNS in server mode
+	-h, --help				        Print this help message
+
+bulkDNS currently supports the following RRs:
+	A, AAAA, NS, RRSIG, SOA, MX, SRV, URI, PTR,
+	HINFO, TXT, CNAME, NID, L32, L64, LP, CAA
+Supported DNS classes: IN, CH
 ```
 
 ### Example Output
@@ -148,20 +197,21 @@ We try to keep the output as close as possible to DNS RFC standards.
 
 ### Notes
 
-#### A note on threads
+#### A note on threads and concurrency
 
 * bulkDNS is capable of scanning 1,000,000 (1M) domain names in around 5 minutes with less than 1% of errors using default number of threads (300). That means you can
 scan the whole domain name system in less than one day.
 This makes it probably the most practical (and maybe fastest) DNS scanner. It does not have any requirements in terms of CPU or RAM. As all other network scanners,
 the bottleneck is always the network bandwidth, firewalls and the remote recursive resolver. We recommend using Cloudflare quad one (1.1.1.1) as the resolver since 
 it has no limit in terms of the number of queries. However, you can also run your own recursive resolver to do the job. If you decrease the number of threads, you can
-also use google quad eight (8.8.8.8) which has 1,500 queries/second limit.
+also use google quad-eight (8.8.8.8) which has 1,500 queries/second limit.
+
+* Using `--concurrency` option, you can increase or decrease the number of concurrent requests based on your network and your experience. It's important to note that if you set `--concurrency=1000`, it means you ask for openning 1,000
+sockets (which means binding to 1,000 ports) at the same time.
 
-* Using `--threads` option, you can increase or decrease the number of threads based on your network and your experience. However, at some point, more threads will probably 
-make the scanner even slower (threads competing each other to acquire the lock). 
+* If you are running the scanner on Linux, the maximum number of open files is 1024 by default. So if you plan to set
+the `--concurrency` to a value greater than 1000, then you need to increse the limit of open files using `ulimit -n` commands.
 
-* If you are running the scanner on Linux, the maximum number of open files is 1024 by default which is three times more than the default number of threads in bulkDNS.
-However, if you plan to run bulkDNS with more threads, you may want to increase the number of open files using the `ulimit -n` commands.
 
 
 #### Names and output convention
@@ -211,10 +261,12 @@ In the above example the `cpu` is the hex represantation of `some-kinda-cpu` and
 
 ### FAQ
 1. Why another scanner?
-   - Because I feel like it
+   - Because It's fun!
 1. Why not using CMake in the project?
    - I don't know CMake
 2. Is there any similar project like this?
    - The only comparable project to this one (that I'm aware of) is zmap/zdns. 
 3. Can I pass a domain name (e.g., `ns1.google.com` as the resolver)?
    - No. The resolver must be an IPv4 address. We pass this value to `inet_addr()` function which accepts an IPv4.
+4. How fast it can scan domain names?
+   - It highly depends on your network and the (remote) resolver you use.

include/scanner.h

@@ -4,7 +4,8 @@
 #include <stdlib.h>
 #include <netinet/in.h>
 #include <pthread.h>
-
+#include <poll.h>
+#include <signal.h>
 #include <cmdparser.h>
 #include <cqueue.h>
 
@@ -14,6 +15,8 @@
 
 #define BULKDNS_MAX_QUEUE_SIZE 1000000
 
+#define BULKDNS_MAX_SOCKET_FOR_POLL 32
+
 
 struct scanner_input {
     int udp_only;                   // should we send only udp queries?
@@ -31,7 +34,7 @@ struct scanner_input {
     FILE * OUTPUT;                  // output file handle
     FILE * ERROR;                   // error file handle
     FILE * INPUT;                   // input file handle
-    unsigned int threads;           // number of threads to perform the scan
+    unsigned int concurrency;       // number of concurrent requests (This is the number of open sockets/ports)
     unsigned int server_mode;       // should we work in server mode instead of active scan
     char * lua_file;                // Lua file to use either in server mode or custom scan
     char * bind_ip;                 // this is the IP address we want to bind to in server-mode
@@ -42,9 +45,21 @@ struct thread_param {
     struct scanner_input * si;
     pthread_mutex_t lock;
     cqueue_ctx * qinput;
-    cqueue_ctx * qoutput;
+    cqueue_ctx * queue_tcp;
 };
 
+typedef struct{
+    int * sock_list;
+    int num_sock;
+    struct thread_param * tp;
+}scan_mode_receiver_param;
+
+
+typedef struct {
+    void * item;
+    int udp_sock;
+    struct sockaddr_in server;
+}scan_mode_worker_item;
 
 
 // server-mode structure definition
@@ -78,17 +93,24 @@ typedef struct{
 
 
 //server-mode function declaration
-
+void handle_read_socket(int sockfd, char * mem_result, struct thread_param * tp);
+int udp_socket_send(char * tosend_buffer, size_t tosend_len, int sockfd, struct sockaddr_in server);
 void server_mode_to_log(const char * msg, FILE* fd);
 void server_mode_run_all(server_mode_server_param *smsp);
 void switch_server_mode(struct scanner_input *);
 
 
 // scan mode function declaration
+void * tcp_routine_handler(void * ptr);
+void * scan_receiver_routine(void * ptr);
+void * read_item_from_queue(struct thread_param * tp);
 
+int init_udp_socket(struct scanner_input * si);
+#ifdef COMPILE_WITH_LUA
 void * scan_lua_worker_routine(void * ptr);
-void dns_routine_scan(void*, struct scanner_input * si, char * mem_result);
-int perform_lookup_udp(char * tosend_buffer, size_t tosend_len, char ** toreceive_buffer, size_t * toreceive_len, struct scanner_input * si);
+#endif
+void dns_routine_scan(scan_mode_worker_item*, struct scanner_input * si, char * mem_result);
+int perform_lookup_udp(char * tosend_buffer, size_t tosend_len, char ** toreceive_buffer, size_t * toreceive_len, struct scanner_input * si, int sockfd);
 int perform_lookup_tcp(char * tosend_buffer, size_t tosend_len, char ** toreceive_buffer, size_t * toreceive_len, struct scanner_input * si);
 void *scan_worker_routine(void * ptr);
 int convert_type_to_int(char * type);

src/cmdparser.c

@@ -294,34 +294,66 @@ void arg_free(ARG_PARSED_ARGS * parsed){
 
 void arg_show_help(PARG_CMDLINE cmd, int argc, char ** argv){
     fprintf(stdout, "[Help]\n\n");   
-    PARG_CMD_OPTION tmp = cmd->cmd_option;
-    const char * has_param = "<param>";
-    const char * no_param = "";
-    const char * check_param;
-    char equal = '=';
     fprintf(stdout, "Summary:\n");
     fprintf(stdout, "%s", cmd->summary);
     fprintf(stdout, "\n\n");
     fprintf(stdout, "%s [OPTIONS] ", argv[0]);
     fprintf(stdout, "%s\t", cmd->accept_file?"<INPUT|FILE>":"");
-    fprintf(stdout, "\n");
-    tmp = cmd->cmd_option;
-    while (tmp->tag != NULL){
-       check_param = tmp->has_param == 1?has_param:no_param;
-       equal = tmp->has_param == 1?'=':' ';
-       char shrt = tmp->short_option == 0?' ':tmp->short_option;
-       char dash = tmp->short_option == 0?' ':'-';
-       int has_shrt = tmp->short_option == 0?0:1;
-       char ddash[3] = {'-', '-', 0};
-       int put_ddash = strcmp(tmp->long_option, "") == 0?0:1;
-       char virgul = has_shrt && put_ddash?',':' ';
-       char * pddash = put_ddash?ddash:"\t";
-       fprintf(stdout, "\t%c%c %s%c %s%s%c%s\t%s\n",dash, shrt, has_shrt?check_param:"", virgul,pddash, tmp->long_option, equal, check_param, tmp->help);
-       tmp++;
-    }
-    fprintf(stdout, "\nWe currently supports the following RR:\n");
+    fprintf(stdout, "\n\n");
+
+    fprintf(stdout, "\t-t <param>, --type=<param>\t\t");
+    fprintf(stdout, "Resource Record type (Default is 'A')\n");
+
+    fprintf(stdout, "\t-c <param>, --class=<param>\t\t");
+    fprintf(stdout, "RR Class (IN, CH). Default is 'IN'\n");
+
+    fprintf(stdout, "\t-r <param>, --resolver=<param>\t\t");
+    fprintf(stdout, "Resolver IP address to send the query to (default 1.1.1.1)\n");
+
+    fprintf(stdout, "\t-p <param>, --port=<param>\t\t");
+    fprintf(stdout, "Resolver port number to send the query to (default 53)\n");
+
+    fprintf(stdout, "\t-e <param>, --error=<param>\t\t");
+    fprintf(stdout, "where to write the error (default is terminal with stderr)\n");
+
+    fprintf(stdout, "\t-o <param>, --output=<param>\t\t");
+    fprintf(stdout, "Output file name (default is the terminal with stdout)\n");
+
+    fprintf(stdout, "\t--lua-script=<param>\t\t\t");
+    fprintf(stdout, "Lua script to be used either for scan or server mode\n");
+
+    fprintf(stdout, "\t--bind-ip=<param>\t\t\t");
+    fprintf(stdout, "IP address to bind (default 127.0.0.1 for scan mode, 0.0.0.0 for server-mode)\n");
+
+    fprintf(stdout, "\t--timeout=<param>\t\t\t");
+    fprintf(stdout, "Timeout of the socket (default is 5 seconds)\n");
+
+    fprintf(stdout, "\t--concurrency=<param>\t\t\t");
+    fprintf(stdout, "How many concurrent requests should we send (default is 1000)\n");
+
+    fprintf(stdout, "\t--udp-only\t\t\t\t");
+    fprintf(stdout, "Only query using UDP connection (Default will follow TCP)\n");
+
+    fprintf(stdout, "\t--set-do\t\t\t\t");
+    fprintf(stdout, "Set DNSSEC OK (DO) bit in queries (default is no DO)\n");
+
+    fprintf(stdout, "\t--set-nsid\t\t\t\t");
+    fprintf(stdout, "The packet has NSID in edns0\n");
+
+    fprintf(stdout, "\t--noedns\t\t\t\t");
+    fprintf(stdout, "Do not support EDNS0 in queries (Default supports EDNS0)\n");
+
+    fprintf(stdout, "\t--server-mode\t\t\t\t");
+    fprintf(stdout, "Run bulkDNS in server mode\n");
+
+    fprintf(stdout, "\t-h, --help\t\t\t\t");
+    fprintf(stdout, "Print this help message\n");
+
+    fprintf(stdout, "\nbulkDNS currently supports the following RRs:\n");
     fprintf(stdout, "\tA, AAAA, NS, RRSIG, SOA, MX, SRV, URI, PTR,\n");
     fprintf(stdout, "\tHINFO, TXT, CNAME, NID, L32, L64, LP, CAA\n");
     fprintf(stdout, "Supported DNS classes: IN, CH\n\n\n");
+    fprintf(stdout, "Please report bugs to:\n");
+    fprintf(stdout, "\thttps://github.com/maroofi/bulkDNS\n\n");
 }