dns-security-mcp 0.1.0

package/dist/infra/index.js

@@ -0,0 +1,797 @@
+import { z } from "zod";
+import { json } from "../types/index.js";
+import { queryRaw, queryTcp, createResolver } from "../utils/dns-client.js";
+import * as dnsPacket from "dns-packet";
+import * as dgram from "node:dgram";
+// ─── Known CVE Patterns ───
+const BIND_CVES = [
+    { version: /^9\.16\.[0-7]$/, cves: ["CVE-2020-8617", "CVE-2020-8616"] },
+    { version: /^9\.16\.[0-9]$/, cves: ["CVE-2020-8622", "CVE-2020-8623"] },
+    { version: /^9\.11\.[0-9]$/, cves: ["CVE-2020-8616", "CVE-2019-6465"] },
+    { version: /^9\.11\.([0-4]|5$)/, cves: ["CVE-2018-5743", "CVE-2018-5740"] },
+    { version: /^9\.9\./, cves: ["CVE-2016-2776", "CVE-2016-1286"] },
+    { version: /^9\.10\./, cves: ["CVE-2016-2776", "CVE-2016-8864"] },
+    { version: /^9\.18\.[0-3]$/, cves: ["CVE-2022-2795", "CVE-2022-2881"] },
+];
+const POWERDNS_CVES = [
+    { version: /^4\.0\./, cves: ["CVE-2016-7068", "CVE-2016-7072"] },
+    { version: /^4\.1\.[0-7]$/, cves: ["CVE-2019-3871", "CVE-2018-10851"] },
+    { version: /^4\.2\.[0-1]$/, cves: ["CVE-2020-17482"] },
+    { version: /^4\.3\.[0-1]$/, cves: ["CVE-2021-36754"] },
+];
+const UNBOUND_CVES = [
+    { version: /^1\.[0-5]\./, cves: ["CVE-2017-15105", "CVE-2019-18934"] },
+    { version: /^1\.6\.[0-7]$/, cves: ["CVE-2019-18934", "CVE-2017-15105"] },
+    { version: /^1\.7\.[0-2]$/, cves: ["CVE-2019-18934"] },
+    { version: /^1\.(9|10|11|12)\.[0-1]$/, cves: ["CVE-2022-30698", "CVE-2022-30699"] },
+];
+// ─── Helpers ───
+function parseVersionString(txt) {
+    const bindMatch = txt.match(/BIND\s+([\d.]+[a-zA-Z0-9-]*)/i);
+    if (bindMatch)
+        return { software: "BIND", version: bindMatch[1] };
+    const pdnsMatch = txt.match(/PowerDNS.*?([\d.]+)/i);
+    if (pdnsMatch)
+        return { software: "PowerDNS", version: pdnsMatch[1] };
+    const unboundMatch = txt.match(/unbound\s+([\d.]+)/i);
+    if (unboundMatch)
+        return { software: "Unbound", version: unboundMatch[1] };
+    const nsdMatch = txt.match(/NSD\s+([\d.]+)/i);
+    if (nsdMatch)
+        return { software: "NSD", version: nsdMatch[1] };
+    const knMatch = txt.match(/Knot DNS\s+([\d.]+)/i);
+    if (knMatch)
+        return { software: "Knot DNS", version: knMatch[1] };
+    return null;
+}
+function lookupCves(software, version) {
+    const cves = [];
+    const entries = software === "BIND" ? BIND_CVES :
+        software === "PowerDNS" ? POWERDNS_CVES :
+            software === "Unbound" ? UNBOUND_CVES :
+                [];
+    for (const entry of entries) {
+        if (entry.version.test(version)) {
+            cves.push(...entry.cves);
+        }
+    }
+    return [...new Set(cves)];
+}
+async function sendChaosQuery(nameserver, qname, port = 53, timeout = 5000) {
+    const buf = dnsPacket.encode({
+        type: "query",
+        id: Math.floor(Math.random() * 65535),
+        flags: dnsPacket.RECURSION_DESIRED,
+        questions: [
+            {
+                type: "TXT",
+                name: qname,
+                class: "CH",
+            },
+        ],
+    });
+    return new Promise((resolve) => {
+        const socket = dgram.createSocket("udp4");
+        const timer = setTimeout(() => {
+            socket.close();
+            resolve(null);
+        }, timeout);
+        socket.on("message", (msg) => {
+            clearTimeout(timer);
+            socket.close();
+            try {
+                const res = dnsPacket.decode(msg);
+                for (const answer of res.answers ?? []) {
+                    if (answer.type === "TXT" && answer.data) {
+                        const data = answer.data;
+                        if (Buffer.isBuffer(data))
+                            return resolve(data.toString("utf-8"));
+                        if (Array.isArray(data))
+                            return resolve(data.map((d) => d.toString("utf-8")).join(""));
+                        if (typeof data === "string")
+                            return resolve(data);
+                    }
+                }
+                resolve(null);
+            }
+            catch {
+                resolve(null);
+            }
+        });
+        socket.on("error", () => {
+            clearTimeout(timer);
+            socket.close();
+            resolve(null);
+        });
+        socket.send(buf, 0, buf.length, port, nameserver);
+    });
+}
+// ─── Tool 1: infra_open_resolver ───
+const infraOpenResolver = {
+    name: "infra_open_resolver",
+    description: "Test if a DNS nameserver is an open resolver (accepts recursive queries from any source). Open resolvers can be abused for DDoS amplification attacks. Also checks EDNS0 buffer size from OPT record.",
+    schema: {
+        nameserver: z
+            .string()
+            .describe("IP address or hostname of the DNS nameserver to test"),
+    },
+    async execute(args) {
+        const nameserver = args.nameserver;
+        try {
+            const result = await queryRaw("google.com", "A", nameserver, 53, { rd: true, dnssec: true });
+            const isOpen = result.answers.length > 0 && result.rcode === "NOERROR";
+            const recursionAvailable = result.flags.recursionAvailable;
+            let ednsBufferSize = null;
+            for (const add of result.additionals) {
+                if (add.type === "OPT") {
+                    ednsBufferSize = add.udpPayloadSize ?? null;
+                }
+            }
+            const findings = [];
+            if (isOpen && recursionAvailable) {
+                findings.push("CRITICAL: Server is an open resolver (responds to recursive queries from external sources)");
+                findings.push("Risk: Can be abused for DNS amplification DDoS attacks");
+                findings.push("Remediation: Restrict recursion to trusted networks using ACLs");
+            }
+            if (ednsBufferSize && ednsBufferSize > 4096) {
+                findings.push(`WARNING: Large EDNS0 buffer size (${ednsBufferSize} bytes) increases amplification potential`);
+            }
+            return json({
+                nameserver,
+                is_open_resolver: isOpen && recursionAvailable,
+                recursion_available: recursionAvailable,
+                rcode: result.rcode,
+                answers_count: result.answers.length,
+                edns0_buffer_size: ednsBufferSize,
+                findings: findings.length > 0 ? findings : ["OK: Server does not appear to be an open resolver"],
+            });
+        }
+        catch (err) {
+            return json({
+                nameserver,
+                is_open_resolver: false,
+                error: err.message,
+                findings: ["Server did not respond to recursive query (may be filtered or non-existent)"],
+            });
+        }
+    },
+};
+// ─── Tool 2: infra_amplification ───
+const infraAmplification = {
+    name: "infra_amplification",
+    description: "Measure DNS amplification factor of a nameserver. Sends a small query (ANY for root) and measures the response size ratio. Amplification factor > 10x indicates significant DDoS risk.",
+    schema: {
+        nameserver: z
+            .string()
+            .describe("IP address or hostname of the DNS nameserver to test"),
+    },
+    async execute(args) {
+        const nameserver = args.nameserver;
+        try {
+            const queryBuf = dnsPacket.encode({
+                type: "query",
+                id: Math.floor(Math.random() * 65535),
+                flags: dnsPacket.RECURSION_DESIRED,
+                questions: [{ type: "ANY", name: ".", class: "IN" }],
+            });
+            const queryBytes = queryBuf.length;
+            const responseBytes = await new Promise((resolve, reject) => {
+                const socket = dgram.createSocket("udp4");
+                const timer = setTimeout(() => {
+                    socket.close();
+                    reject(new Error("Timeout waiting for DNS response"));
+                }, 5000);
+                socket.on("message", (msg) => {
+                    clearTimeout(timer);
+                    socket.close();
+                    resolve(msg.length);
+                });
+                socket.on("error", (err) => {
+                    clearTimeout(timer);
+                    socket.close();
+                    reject(err);
+                });
+                socket.send(queryBuf, 0, queryBuf.length, 53, nameserver);
+            });
+            const amplificationFactor = parseFloat((responseBytes / queryBytes).toFixed(2));
+            const findings = [];
+            if (amplificationFactor > 50) {
+                findings.push(`CRITICAL: Extreme amplification factor (${amplificationFactor}x)`);
+            }
+            else if (amplificationFactor > 10) {
+                findings.push(`HIGH: Significant amplification factor (${amplificationFactor}x)`);
+            }
+            else if (amplificationFactor > 5) {
+                findings.push(`MEDIUM: Moderate amplification factor (${amplificationFactor}x)`);
+            }
+            else {
+                findings.push(`LOW: Minimal amplification factor (${amplificationFactor}x)`);
+            }
+            return json({
+                nameserver,
+                query_bytes: queryBytes,
+                response_bytes: responseBytes,
+                amplification_factor: amplificationFactor,
+                risk_level: amplificationFactor > 50 ? "critical" : amplificationFactor > 10 ? "high" : amplificationFactor > 5 ? "medium" : "low",
+                findings,
+            });
+        }
+        catch (err) {
+            return json({
+                nameserver,
+                error: err.message,
+                findings: ["Could not measure amplification factor (server may not respond to ANY queries)"],
+            });
+        }
+    },
+};
+// ─── Tool 3: infra_rate_limiting ───
+const infraRateLimiting = {
+    name: "infra_rate_limiting",
+    description: "Test if a DNS nameserver has Response Rate Limiting (RRL) enabled. Sends a burst of identical queries and checks for REFUSED responses or dropped packets, indicating active rate limiting.",
+    schema: {
+        nameserver: z
+            .string()
+            .describe("IP address or hostname of the DNS nameserver to test"),
+        queries: z
+            .number()
+            .optional()
+            .describe("Number of burst queries to send (default: 20)"),
+    },
+    async execute(args) {
+        const nameserver = args.nameserver;
+        const queryCount = args.queries ?? 20;
+        const results = [];
+        const startTime = Date.now();
+        const promises = Array.from({ length: queryCount }, async (_, i) => {
+            const queryStart = Date.now();
+            try {
+                const res = await queryRaw("example.com", "A", nameserver, 53, { rd: true });
+                results.push({
+                    status: res.rcode === "REFUSED" ? "refused" : "success",
+                    rcode: res.rcode,
+                    time_ms: Date.now() - queryStart,
+                });
+            }
+            catch (err) {
+                const errMsg = err.message;
+                results.push({
+                    status: errMsg.includes("timeout") ? "timeout" : "error",
+                    time_ms: Date.now() - queryStart,
+                });
+            }
+        });
+        await Promise.allSettled(promises);
+        const totalTime = Date.now() - startTime;
+        const successCount = results.filter((r) => r.status === "success").length;
+        const refusedCount = results.filter((r) => r.status === "refused").length;
+        const timeoutCount = results.filter((r) => r.status === "timeout").length;
+        const errorCount = results.filter((r) => r.status === "error").length;
+        const avgResponseTime = results.length > 0
+            ? parseFloat((results.reduce((s, r) => s + r.time_ms, 0) / results.length).toFixed(1))
+            : 0;
+        const rrlDetected = refusedCount > 0 || timeoutCount > queryCount * 0.3;
+        const findings = [];
+        if (rrlDetected) {
+            findings.push("Rate limiting detected: server actively limits response rate");
+            if (refusedCount > 0)
+                findings.push(`${refusedCount}/${queryCount} queries received REFUSED response`);
+            if (timeoutCount > 0)
+                findings.push(`${timeoutCount}/${queryCount} queries timed out (possible drop)`);
+        }
+        else {
+            findings.push("WARNING: No rate limiting detected. Server responds to all burst queries.");
+            findings.push("Remediation: Enable Response Rate Limiting (RRL) to mitigate amplification attacks");
+        }
+        return json({
+            nameserver,
+            queries_sent: queryCount,
+            successful: successCount,
+            refused: refusedCount,
+            timed_out: timeoutCount,
+            errors: errorCount,
+            total_time_ms: totalTime,
+            avg_response_time_ms: avgResponseTime,
+            rrl_detected: rrlDetected,
+            findings,
+        });
+    },
+};
+// ─── Tool 4: infra_software_cve ───
+const infraSoftwareCve = {
+    name: "infra_software_cve",
+    description: "Fingerprint DNS server software via CHAOS class version.bind TXT query and map to known CVEs. Identifies BIND, PowerDNS, Unbound, NSD, and Knot DNS versions.",
+    schema: {
+        nameserver: z
+            .string()
+            .describe("IP address or hostname of the DNS nameserver to fingerprint"),
+    },
+    async execute(args) {
+        const nameserver = args.nameserver;
+        const versionBind = await sendChaosQuery(nameserver, "version.bind");
+        const versionServer = await sendChaosQuery(nameserver, "version.server");
+        const hostnameBind = await sendChaosQuery(nameserver, "hostname.bind");
+        const versionString = versionBind ?? versionServer ?? null;
+        const hostname = hostnameBind ?? null;
+        const findings = [];
+        let software = null;
+        let version = null;
+        let cves = [];
+        if (versionString) {
+            const parsed = parseVersionString(versionString);
+            if (parsed) {
+                software = parsed.software;
+                version = parsed.version;
+                cves = lookupCves(software, version);
+                if (cves.length > 0) {
+                    findings.push(`CRITICAL: ${software} ${version} has ${cves.length} known CVE(s): ${cves.join(", ")}`);
+                    findings.push("Remediation: Update DNS software to the latest stable version");
+                }
+                else {
+                    findings.push(`INFO: ${software} ${version} — no known CVEs matched in our database`);
+                }
+            }
+            else {
+                findings.push(`INFO: Version string detected but not recognized: "${versionString}"`);
+            }
+            findings.push("WARNING: CHAOS class version disclosure is enabled. Consider disabling it to reduce fingerprinting surface.");
+            findings.push("Remediation: In BIND add 'version none;' to options block");
+        }
+        else {
+            findings.push("OK: Server does not disclose version information via CHAOS class queries");
+        }
+        return json({
+            nameserver,
+            version_bind: versionBind,
+            version_server: versionServer,
+            hostname_bind: hostname,
+            software,
+            version,
+            known_cves: cves,
+            findings,
+        });
+    },
+};
+// ─── Tool 5: infra_edns_compliance ───
+const infraEdnsCompliance = {
+    name: "infra_edns_compliance",
+    description: "Test EDNS0 compliance of a DNS nameserver. Checks EDNS version, UDP buffer size, DO (DNSSEC OK) flag, and NSID option. Flags issues like missing EDNS, small buffer size, or no DNSSEC support.",
+    schema: {
+        nameserver: z
+            .string()
+            .describe("IP address or hostname of the DNS nameserver to test"),
+    },
+    async execute(args) {
+        const nameserver = args.nameserver;
+        try {
+            const result = await queryRaw("example.com", "A", nameserver, 53, { rd: true, dnssec: true });
+            let ednsFound = false;
+            let ednsVersion = null;
+            let udpBufferSize = null;
+            let doFlag = false;
+            let nsid = null;
+            const optionCodes = [];
+            for (const add of result.additionals) {
+                if (add.type === "OPT") {
+                    ednsFound = true;
+                    ednsVersion = add.version ?? 0;
+                    udpBufferSize = add.udpPayloadSize ?? null;
+                    doFlag = !!(add.flags & dnsPacket.DNSSEC_OK);
+                    const options = add.options ?? [];
+                    for (const opt of options) {
+                        optionCodes.push(opt.code?.toString() ?? opt.type ?? "unknown");
+                        if (opt.code === 3 || opt.type === "NSID") {
+                            nsid = Buffer.isBuffer(opt.data) ? opt.data.toString("utf-8") : String(opt.data ?? "");
+                        }
+                    }
+                }
+            }
+            const findings = [];
+            if (!ednsFound) {
+                findings.push("CRITICAL: Server does not support EDNS0. This breaks modern DNS functionality.");
+                findings.push("Impact: No DNSSEC, limited UDP response size (512 bytes), no DNS cookies");
+            }
+            else {
+                findings.push(`OK: EDNS0 supported (version ${ednsVersion})`);
+                if (udpBufferSize !== null && udpBufferSize < 1232) {
+                    findings.push(`WARNING: UDP buffer size (${udpBufferSize}) below recommended minimum of 1232 bytes`);
+                    findings.push("Impact: May cause fragmentation issues. RFC 6891 recommends >= 1232 bytes.");
+                }
+                else if (udpBufferSize !== null) {
+                    findings.push(`OK: UDP buffer size ${udpBufferSize} bytes`);
+                }
+                if (!doFlag) {
+                    findings.push("WARNING: DNSSEC OK (DO) flag not set in response — server may not support DNSSEC");
+                }
+                else {
+                    findings.push("OK: DNSSEC OK (DO) flag present");
+                }
+                if (nsid) {
+                    findings.push(`INFO: NSID present: "${nsid}" (useful for debugging, but may disclose server identity)`);
+                }
+            }
+            return json({
+                nameserver,
+                edns_supported: ednsFound,
+                edns_version: ednsVersion,
+                udp_buffer_size: udpBufferSize,
+                dnssec_ok_flag: doFlag,
+                nsid,
+                option_codes: optionCodes,
+                authenticated_data: result.flags.authenticatedData,
+                findings,
+            });
+        }
+        catch (err) {
+            return json({
+                nameserver,
+                edns_supported: false,
+                error: err.message,
+                findings: ["Could not test EDNS compliance (server may be unreachable)"],
+            });
+        }
+    },
+};
+// ─── Tool 6: infra_tcp_fallback ───
+const infraTcpFallback = {
+    name: "infra_tcp_fallback",
+    description: "Test if a DNS nameserver supports TCP fallback for large responses. Checks the TC (truncated) flag on UDP responses and verifies TCP port 53 connectivity. DNS over TCP is required by RFC 7766.",
+    schema: {
+        nameserver: z
+            .string()
+            .describe("IP address or hostname of the DNS nameserver to test"),
+    },
+    async execute(args) {
+        const nameserver = args.nameserver;
+        let udpWorks = false;
+        let tcpWorks = false;
+        let truncatedFlag = false;
+        // Test UDP first
+        try {
+            const udpResult = await queryRaw("example.com", "A", nameserver, 53, { rd: true });
+            udpWorks = true;
+            truncatedFlag = udpResult.flags.truncated;
+        }
+        catch {
+            // UDP failed
+        }
+        // Test TCP
+        try {
+            const tcpAnswers = await queryTcp("example.com", "A", nameserver, 53);
+            tcpWorks = tcpAnswers.length >= 0; // Even empty is OK — connection succeeded
+            tcpWorks = true;
+        }
+        catch {
+            // TCP failed
+        }
+        const findings = [];
+        if (!udpWorks && !tcpWorks) {
+            findings.push("CRITICAL: Server does not respond on either UDP or TCP port 53");
+        }
+        else if (udpWorks && !tcpWorks) {
+            findings.push("HIGH: TCP port 53 is blocked or not supported");
+            findings.push("Impact: Large DNS responses (>512 bytes) cannot be delivered. DNSSEC, DKIM, and large TXT records may fail.");
+            findings.push("Remediation: Ensure TCP port 53 is open on the nameserver (required by RFC 7766)");
+        }
+        else if (!udpWorks && tcpWorks) {
+            findings.push("WARNING: UDP port 53 not responding, but TCP works");
+            findings.push("Impact: Most DNS clients try UDP first — performance degradation expected");
+        }
+        else {
+            findings.push("OK: Both UDP and TCP port 53 are operational");
+        }
+        if (truncatedFlag) {
+            findings.push("INFO: TC (truncated) flag was set on UDP response, indicating large response that needs TCP");
+        }
+        return json({
+            nameserver,
+            udp_operational: udpWorks,
+            tcp_operational: tcpWorks,
+            truncated_flag: truncatedFlag,
+            findings,
+        });
+    },
+};
+// ─── Tool 7: infra_dns_cookie ───
+const infraDnsCookie = {
+    name: "infra_dns_cookie",
+    description: "Test DNS Cookie support (RFC 7873) on a nameserver. DNS cookies protect against cache poisoning, off-path attacks, and amplification. Sends a query with a client cookie and checks if the server returns a server cookie.",
+    schema: {
+        nameserver: z
+            .string()
+            .describe("IP address or hostname of the DNS nameserver to test"),
+    },
+    async execute(args) {
+        const nameserver = args.nameserver;
+        try {
+            // Generate an 8-byte random client cookie
+            const clientCookie = Buffer.alloc(8);
+            for (let i = 0; i < 8; i++)
+                clientCookie[i] = Math.floor(Math.random() * 256);
+            const buf = dnsPacket.encode({
+                type: "query",
+                id: Math.floor(Math.random() * 65535),
+                flags: dnsPacket.RECURSION_DESIRED,
+                questions: [{ type: "A", name: "example.com", class: "IN" }],
+                additionals: [
+                    {
+                        type: "OPT",
+                        name: ".",
+                        udpPayloadSize: 4096,
+                        flags: 0,
+                        options: [
+                            {
+                                code: 10, // COOKIE option code
+                                data: clientCookie,
+                            },
+                        ],
+                    },
+                ],
+            });
+            const response = await new Promise((resolve, reject) => {
+                const socket = dgram.createSocket("udp4");
+                const timer = setTimeout(() => {
+                    socket.close();
+                    reject(new Error("Timeout waiting for DNS response"));
+                }, 5000);
+                socket.on("message", (msg) => {
+                    clearTimeout(timer);
+                    socket.close();
+                    resolve(msg);
+                });
+                socket.on("error", (err) => {
+                    clearTimeout(timer);
+                    socket.close();
+                    reject(err);
+                });
+                socket.send(buf, 0, buf.length, 53, nameserver);
+            });
+            const decoded = dnsPacket.decode(response);
+            let cookieSupported = false;
+            let serverCookieLength = 0;
+            for (const add of decoded.additionals ?? []) {
+                if (add.type === "OPT") {
+                    const options = add.options ?? [];
+                    for (const opt of options) {
+                        if (opt.code === 10) {
+                            cookieSupported = true;
+                            const cookieData = opt.data;
+                            // Full cookie: 8 bytes client + 8-32 bytes server
+                            serverCookieLength = cookieData.length > 8 ? cookieData.length - 8 : 0;
+                        }
+                    }
+                }
+            }
+            const findings = [];
+            if (cookieSupported && serverCookieLength > 0) {
+                findings.push("OK: DNS Cookie support detected. Server returned a server cookie.");
+                findings.push(`Server cookie length: ${serverCookieLength} bytes`);
+            }
+            else if (cookieSupported && serverCookieLength === 0) {
+                findings.push("WARNING: Server echoed cookie option but did not include a server cookie");
+            }
+            else {
+                findings.push("WARNING: DNS Cookie not supported by this server");
+                findings.push("Impact: Vulnerable to off-path cache poisoning and forgery attacks (RFC 7873)");
+                findings.push("Remediation: Enable DNS Cookie support in server configuration");
+            }
+            return json({
+                nameserver,
+                cookie_supported: cookieSupported,
+                server_cookie_present: serverCookieLength > 0,
+                server_cookie_length: serverCookieLength,
+                client_cookie_hex: clientCookie.toString("hex"),
+                findings,
+            });
+        }
+        catch (err) {
+            return json({
+                nameserver,
+                cookie_supported: false,
+                error: err.message,
+                findings: ["Could not test DNS Cookie support (server may be unreachable)"],
+            });
+        }
+    },
+};
+// ─── Tool 8: infra_axfr_protection ───
+const infraAxfrProtection = {
+    name: "infra_axfr_protection",
+    description: "Test if a DNS nameserver allows unauthorized AXFR (zone transfer) for a domain. Successful zone transfer is a critical misconfiguration that exposes all DNS records to attackers.",
+    schema: {
+        nameserver: z
+            .string()
+            .describe("IP address or hostname of the DNS nameserver to test"),
+        domain: z
+            .string()
+            .describe("Domain name to attempt zone transfer for (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const nameserver = args.nameserver;
+        const domain = args.domain;
+        try {
+            const answers = await queryTcp(domain, "AXFR", nameserver, 53);
+            const recordTypes = new Map();
+            for (const answer of answers) {
+                const t = answer.type ?? "UNKNOWN";
+                recordTypes.set(t, (recordTypes.get(t) ?? 0) + 1);
+            }
+            const findings = [];
+            if (answers.length > 0) {
+                findings.push(`CRITICAL: Zone transfer (AXFR) succeeded! ${answers.length} records exposed.`);
+                findings.push("Impact: Full zone data leaked — subdomains, mail servers, internal hosts all visible to attackers");
+                findings.push("Remediation: Restrict AXFR to authorized secondary nameservers using allow-transfer ACLs");
+                const typeBreakdown = Array.from(recordTypes.entries())
+                    .map(([type, count]) => `${type}: ${count}`)
+                    .join(", ");
+                findings.push(`Record types exposed: ${typeBreakdown}`);
+            }
+            else {
+                findings.push("OK: Zone transfer (AXFR) was refused or returned no records");
+            }
+            return json({
+                nameserver,
+                domain,
+                axfr_allowed: answers.length > 0,
+                records_exposed: answers.length,
+                record_type_breakdown: Object.fromEntries(recordTypes),
+                sample_records: answers.slice(0, 20).map((a) => ({
+                    name: a.name,
+                    type: a.type,
+                    data: a.data ?? a.address ?? a.target ?? String(a),
+                })),
+                findings,
+            });
+        }
+        catch (err) {
+            const errMsg = err.message;
+            const isRefused = errMsg.includes("REFUSED") || errMsg.includes("refused") || errMsg.includes("ECONNRESET");
+            return json({
+                nameserver,
+                domain,
+                axfr_allowed: false,
+                records_exposed: 0,
+                error: errMsg,
+                findings: isRefused
+                    ? ["OK: Zone transfer was explicitly refused by the server"]
+                    : [`Could not complete AXFR test: ${errMsg}`],
+            });
+        }
+    },
+};
+// ─── Tool 9: infra_ns_diversity ───
+const infraNsDiversity = {
+    name: "infra_ns_diversity",
+    description: "Analyze nameserver diversity for a domain. Checks if NS records resolve to IPs in different ASNs, different /24 subnets, and different providers. Single point of failure = high risk if one provider goes down.",
+    schema: {
+        domain: z
+            .string()
+            .describe("Domain name to check NS diversity for (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        try {
+            const resolver = createResolver();
+            const nsRecords = await resolver.resolveNs(domain);
+            if (nsRecords.length === 0) {
+                return json({
+                    domain,
+                    ns_count: 0,
+                    findings: ["CRITICAL: No NS records found for this domain"],
+                });
+            }
+            const nsDetails = [];
+            for (const ns of nsRecords) {
+                let ips = [];
+                try {
+                    ips = await resolver.resolve4(ns);
+                }
+                catch {
+                    // Could not resolve NS hostname
+                }
+                let asn = null;
+                let asnName = null;
+                let subnet24 = null;
+                if (ips.length > 0) {
+                    const ip = ips[0];
+                    subnet24 = ip.split(".").slice(0, 3).join(".") + ".0/24";
+                    // ASN lookup via Cymru DNS
+                    try {
+                        const reversed = ip.split(".").reverse().join(".");
+                        const asnLookup = `${reversed}.origin.asn.cymru.com`;
+                        const asnResolver = createResolver("8.8.8.8");
+                        const txtRecords = await asnResolver.resolveTxt(asnLookup);
+                        if (txtRecords.length > 0) {
+                            const parts = txtRecords[0].join("").split("|").map((s) => s.trim());
+                            asn = parts[0] ?? null;
+                            // Get ASN name
+                            if (asn) {
+                                try {
+                                    const asnNameRecords = await asnResolver.resolveTxt(`AS${asn}.asn.cymru.com`);
+                                    if (asnNameRecords.length > 0) {
+                                        const nameParts = asnNameRecords[0].join("").split("|").map((s) => s.trim());
+                                        asnName = nameParts[nameParts.length - 1] ?? null;
+                                    }
+                                }
+                                catch {
+                                    // ASN name lookup failed
+                                }
+                            }
+                        }
+                    }
+                    catch {
+                        // ASN lookup failed
+                    }
+                }
+                nsDetails.push({
+                    hostname: ns,
+                    ips,
+                    asn,
+                    asn_name: asnName,
+                    subnet_24: subnet24,
+                });
+            }
+            // Analysis
+            const uniqueAsns = new Set(nsDetails.map((n) => n.asn).filter(Boolean));
+            const uniqueSubnets = new Set(nsDetails.map((n) => n.subnet_24).filter(Boolean));
+            const allSameAsn = uniqueAsns.size <= 1 && nsDetails.every((n) => n.asn !== null);
+            const allSameSubnet = uniqueSubnets.size <= 1 && nsDetails.every((n) => n.subnet_24 !== null);
+            const findings = [];
+            if (nsRecords.length < 2) {
+                findings.push("CRITICAL: Only 1 nameserver — no redundancy at all");
+            }
+            else if (nsRecords.length === 2) {
+                findings.push("WARNING: Only 2 nameservers — minimal redundancy (recommend 3+)");
+            }
+            else {
+                findings.push(`OK: ${nsRecords.length} nameservers configured`);
+            }
+            if (allSameAsn && uniqueAsns.size === 1) {
+                const asnVal = [...uniqueAsns][0];
+                const asnNameVal = nsDetails.find((n) => n.asn === asnVal)?.asn_name ?? "unknown";
+                findings.push(`HIGH: All nameservers in the same ASN (AS${asnVal} — ${asnNameVal}). Single provider failure = total DNS outage.`);
+                findings.push("Remediation: Use nameservers from at least 2 different providers/ASNs");
+            }
+            else if (uniqueAsns.size > 1) {
+                findings.push(`OK: Nameservers distributed across ${uniqueAsns.size} ASN(s)`);
+            }
+            if (allSameSubnet && uniqueSubnets.size === 1) {
+                findings.push(`HIGH: All nameservers in the same /24 subnet (${[...uniqueSubnets][0]}). Network-level failure = total DNS outage.`);
+            }
+            else if (uniqueSubnets.size > 1) {
+                findings.push(`OK: Nameservers distributed across ${uniqueSubnets.size} subnet(s)`);
+            }
+            return json({
+                domain,
+                ns_count: nsRecords.length,
+                nameservers: nsDetails,
+                unique_asns: [...uniqueAsns],
+                unique_subnets: [...uniqueSubnets],
+                all_same_asn: allSameAsn,
+                all_same_subnet: allSameSubnet,
+                diversity_score: Math.min(100, (uniqueAsns.size * 30) + (uniqueSubnets.size * 20) + (Math.min(nsRecords.length, 4) * 10)),
+                findings,
+            });
+        }
+        catch (err) {
+            return json({
+                domain,
+                error: err.message,
+                findings: [`Could not analyze NS diversity: ${err.message}`],
+            });
+        }
+    },
+};
+// ─── Export ───
+export const infraTools = [
+    infraOpenResolver,
+    infraAmplification,
+    infraRateLimiting,
+    infraSoftwareCve,
+    infraEdnsCompliance,
+    infraTcpFallback,
+    infraDnsCookie,
+    infraAxfrProtection,
+    infraNsDiversity,
+];
+//# sourceMappingURL=index.js.map