Finish verion 0.1.0

2026-01-16 13:27:07 +08:00
parent 240107e00f
commit b63bcd405b
17 changed files with 4788 additions and 26 deletions
--- a/docs/dns_poisoning_design.md
+++ b/docs/dns_poisoning_design.md
@@ -0,0 +1,84 @@
+# DNS Poisoning Detection Design
+
+This document summarizes the current implementation approach for detecting DNS poisoning in active probing, and the planned design for passive methods.
+
+## Active probing (current implementation)
+
+### Overview
+- Active probing compares answers from multiple resolvers for the same domain and record type.
+- The current CLI command is `dns detect <domain>`.
+- The current implementation focuses on deterministic, best-effort heuristics and avoids OS-specific parsing.
+
+### Inputs
+- Domain name.
+- Resolver list: either user-provided via `--servers` or default public resolvers.
+- Transport: UDP/TCP/DoT/DoH.
+- Optional SOCKS5 proxy for DoH queries (`--socks5`).
+- Repeat count: `--repeat` (>= 1).
+- Timeout: `--timeout-ms`.
+
+### Query flow
+1. For each resolver and each repeat, issue a DNS A query using `hickory-resolver`.
+2. Collect a `DnsQueryReport` that includes:
+   - `domain`, `record_type`, `transport`, `server`, `server_name`, `rcode`, `answers`, `duration_ms`.
+3. Enrich results in the CLI with GeoIP:
+   - `server_geoip` based on the resolver IP.
+   - Per-answer GeoIP when answer data is an IP (A/AAAA).
+
+### Current heuristics
+The detect verdict is derived from the following checks across all results:
+- **RCODE divergence**: mismatch in response code across resolvers.
+- **Answer divergence**: different answer sets across resolvers.
+- **Private/reserved answers**: any A/AAAA in private/reserved space.
+- **TTL variance**: wide TTL span (currently > 3600s).
+
+### Verdict mapping
+- `clean`: no evidence found.
+- `inconclusive`: only one evidence signal or no results.
+- `suspicious`: two or more evidence signals.
+
+### Output
+- JSON output returns a list of per-resolver reports plus evidence.
+- Human output shows verdict, evidence, and per-resolver summaries with GeoIP.
+- Reports also include transport, server name (for DoT/DoH), and proxy (if used).
+
+### Rationale and limitations
+- This approach is deterministic and does not rely on parsing OS tools.
+- False positives may occur due to legitimate geo-load balancing or CDN behavior.
+- DNSSEC validation is not currently used in detection logic.
+
+## Passive methods (planned design)
+
+### Goals
+- Observe DNS responses and correlate with active results.
+- Identify anomalies without injecting traffic.
+
+### Passive data sources (feature gated)
+- Packet capture via `pcap` or `pnet` (root/admin privileges needed).
+- Optional system resolver logs if available (platform-specific; best-effort).
+
+### Planned pipeline
+1. Capture DNS responses (UDP/TCP, port 53; optionally DoH/DoT if visible).
+2. Parse responses into normalized records:
+   - `domain`, `record_type`, `rcode`, `answers`, `ttl`, `server_ip`.
+3. Maintain short-term rolling windows (time-bounded) to:
+   - detect sudden shifts in answers
+   - detect private/reserved answers for public domains
+   - detect TTL anomalies compared to historical baseline
+
+### Planned heuristics
+- **Answer churn**: frequent changes in answer sets beyond normal CDN variance.
+- **Resolver mismatch**: passive answers conflict with known public resolver responses.
+- **Suspicious IP ranges**: private/reserved or local ISP blocks where not expected.
+- **Low TTL bursts**: sudden TTL drops that persist for short windows.
+
+### Output (planned)
+- Passive summaries include:
+  - top domains observed
+  - divergence counts
+  - suspicious answer summaries
+  - optional GeoIP enrichment for answer IPs and resolver IPs
+
+### Privacy and safety notes
+- Passive capture should be explicit and opt-in.
+- Store minimal metadata and avoid payload logging beyond DNS fields.
--- a/docs/requirement_docs.md
+++ b/docs/requirement_docs.md
@@ -767,6 +767,11 @@ GeoIP:
 * `NETTOOL_GEOIP_COUNTRY_DB`
 * `NETTOOL_GEOIP_ASN_DB`

+Lookup order:
+1) Environment variable path
+2) `data/` next to the CLI binary
+3) `data/` in the current working directory
+
 Logging:

 * `NETTOOL_LOG_LEVEL`
--- a/docs/status.md
+++ b/docs/status.md
@@ -45,9 +45,22 @@ This document tracks the planned roadmap alongside the current implementation st
 - Platform `neigh list` best-effort parsing (Linux `/proc/net/arp`, Windows `arp -a`).
 - Platform `cert roots` implementation via native trust store parsing.
 - CLI commands for `ports listen/who`, `neigh list`, and `cert roots`.
+- Process name/path enrichment for `ports listen/who` (Linux procfs, Windows tasklist/wmic).
+- `wtfnet-geoip` crate with local mmdb lookup and CLI commands (`geoip`, `geoip status`).
+- `wtfnet-probe` crate with ping/tcping and best-effort TCP trace, plus CLI commands.
+- ICMP/UDP traceroute support (IPv4) via pnet.
+- Probe outputs now include GeoIP by default with `--no-geoip` disable flags.
+- UDP traceroute now supports IPv6 on Unix and includes per-hop RTT.
+- `wtfnet-dns` crate with query/detect support wired to CLI.
+- DNS query/detect output includes GeoIP enrichment for server and answer IPs.
+- DNS query/detect supports DoT and DoH transports.
+- DNS query/detect supports SOCKS5 proxying for DoH.
+- DNS watch (passive, best-effort) implemented.
+- Calc subcrate with subnet/contains/overlap/summarize wired to CLI.

 ### In progress
- None.
+- v0.2 features: http, tls, discover, diag.

 ### Next
- Start additional platform/feature crates per dependency map.
+- Complete remaining v0.2 crates/commands (http/tls/discover/diag/dns watch).
+- Add v0.2 tests (dns detect, calc, basic http/tls smoke).