BlastDNS#3042

Open
TheTechromancer wants to merge 10 commits into dev from blastdns
Collaborator

@TheTechromancer TheTechromancer commented Apr 15, 2026

Summary

Replace dnspython + the EngineClient/EngineServer subprocess architecture with blastdns, a Rust-backed async DNS client. DNS resolution now runs in Rust threads directly in the main process — no more subprocess IPC.

What changed

  • dns.py: DNSHelper no longer inherits from EngineClient. Wraps a blastdns.Client directly. Wildcard detection, dns_omit_queries, error tracking, and connectivity checks ported from engine.py.
  • helpers.py: extract_targets() and record_to_text() now delegate to Rust (record.extract_targets(), record.to_text()) instead of manually parsing rdata dicts in Python. TXT hostname extraction (SPF/DKIM) stays in Python.
  • engine.py, mock.py: Deleted. blastdns handles caching, retries, and mocking natively.
  • dnsresolve.py: resolve_raw_batch() replaced with resolve_multi_full() (one host, many rdtypes — resolved concurrently in Rust).
  • dnsbimi.py, dnstlsrpt.py, dnscaa.py: resolve_raw() replaced with resolve_full(). CAA module reads structured rdata directly instead of regex-parsing zone-format text.
  • Tests: Rewritten for the new API. Mock data uses proper zone-file format. custom_lookup_fn replaced with blastdns regex: mock patterns.
  • pyproject.toml: Added blastdns dependency.

Deleted

  • bbot/core/helpers/dns/engine.py (~660 lines)
  • bbot/core/helpers/dns/mock.py (~75 lines)

@TheTechromancer TheTechromancer self-assigned this Apr 15, 2026
Contributor

github-actions bot commented Apr 15, 2026

Performance Benchmark Report

Failed to generate detailed benchmark comparison

The benchmark comparison failed to run. This might be because:

  • Benchmark tests don't exist on the base branch yet
  • Dependencies are missing
  • Test execution failed

Please check the workflow logs for details.

Benchmark artifacts may be available for download from the workflow run.

TheTechromancer and others added 4 commits April 15, 2026 16:33
- Update deps_pip and pyproject.toml to baddns~=2.1.0
- Pass self.scan.helpers.dns.blastdns as dns_client (was .resolver)
- Replace MODERATE confidence level with MEDIUM to match baddns 2.1.0
@TheTechromancer TheTechromancer changed the base branch from 3.0 to dev April 16, 2026 17:45

codecov bot commented Apr 16, 2026

Codecov Report

❌ Patch coverage is 90.15544% with 38 lines in your changes missing coverage. Please review.
✅ Project coverage is 91%. Comparing base (e10a161) to head (e63a693).
⚠️ Report is 26 commits behind head on dev.

Files with missing lines | Patch % | Lines
bbot/core/helpers/dns/dns.py | 84% | 30 Missing ⚠️
bbot/modules/dnscaa.py | 89% | 3 Missing ⚠️
bbot/modules/internal/dnsresolve.py | 79% | 3 Missing ⚠️
bbot/modules/baddns.py | 67% | 2 Missing ⚠️
Additional details and impacted files
@@          Coverage Diff           @@
##             dev   #3042    +/-   ##
======================================
- Coverage     91%     91%    -0%     
======================================
  Files        440     438     -2     
  Lines      37697   37174   -523     
======================================
- Hits       34116   33612   -504     
+ Misses      3581    3562    -19     

@TheTechromancer
Collaborator Author

This new implementation is fast, but one annoying bug is that due to the retry mechanism, black-holed / misconfigured DNS zones clog up the pipes and cause DNS resolution to slow to a crawl:

[DBUG]         - dnsresolve.handle_event(DNS_NAME("cbt-login-sg.wolf.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 23.8s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("dev-test-oss.wolf.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 20.5s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("label-studios.ugc.dev.gcp.hzn3.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 20.4s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("designs-22.preview.gcp.ugc-cs.captech.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 18.3s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("otel.dev.gcp.ugc-cs.captech.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 16.9s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("cbt-chat-sg.wolf.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 14.9s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("keycloak.luhernandez.gcp.msi.captech.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 14.7s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("console-storage-admin.msi.dev.aws.hzn3.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 13.7s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("content-reporting-api.int.gcp.ugc-cs.captech.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 13.2s:

The obvious solution is to add more resolvers to your /etc/resolv.conf. But is there anything we can do to make this less bad?
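
The stall lines quoted in the comment above can be grouped by shared parent zone to see which zones are holding lookups open. This is an added example, not code from the PR or from bbot; the regex targets only the debug-line shape quoted above, and the three-label cut-off in `parent_zones` is an assumption standing in for a public-suffix lookup.

```python
import re
from collections import defaultdict

# The nine debug lines quoted in the comment above, copied as they appear there.
SAMPLE_LOG = """\
[DBUG]         - dnsresolve.handle_event(DNS_NAME("cbt-login-sg.wolf.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 23.8s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("dev-test-oss.wolf.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 20.5s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("label-studios.ugc.dev.gcp.hzn3.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 20.4s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("designs-22.preview.gcp.ugc-cs.captech.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 18.3s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("otel.dev.gcp.ugc-cs.captech.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 16.9s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("cbt-chat-sg.wolf.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 14.9s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("keycloak.luhernandez.gcp.msi.captech.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 14.7s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("console-storage-admin.msi.dev.aws.hzn3.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 13.7s:
[DBUG]         - dnsresolve.handle_event(DNS_NAME("content-reporting-api.int.gcp.ugc-cs.captech.ea.com", module=crt_db, tags={'subdomain', 'in-scope'})) running for 13.2s:
"""
STALL_RE = re.compile(r'dnsresolve\.handle_event\(DNS_NAME\("([^"]+)".*?running for ([0-9.]+)s')

def parse_stalls(log_text):
    """Return (hostname, seconds) for each dnsresolve task reported as still running."""
    return [(m.group(1).lower().rstrip("."), float(m.group(2)))
            for m in STALL_RE.finditer(log_text)]

def parent_zones(hostname, min_labels=3):
    """Ancestors of hostname that have at least min_labels labels (assumed cut-off)."""
    labels = hostname.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - min_labels + 1)]

def stalled_zones(log_text, min_hosts=2):
    """Group stalled lookups by shared parent zone, most stalled time first."""
    worst = {}
    for host, secs in parse_stalls(log_text):
        worst[host] = max(secs, worst.get(host, 0.0))  # repeated dumps: keep the longest
    hosts, seconds = defaultdict(set), defaultdict(float)
    for host, secs in worst.items():
        for zone in parent_zones(host):
            hosts[zone].add(host)
            seconds[zone] += secs
    shared = {z for z in hosts if len(hosts[z]) >= min_hosts}
    # Keep the most specific zone: drop an ancestor whose stalled hosts are
    # exactly those of one of its own sub-zones.
    keep = [z for z in shared
            if not any(c.endswith("." + z) and hosts[c] == hosts[z] for c in shared)]
    return sorted(((z, len(hosts[z]), round(seconds[z], 1)) for z in keep),
                  key=lambda row: -row[2])

if __name__ == "__main__":
    for zone, count, total in stalled_zones(SAMPLE_LOG):
        print(f"{zone:28} {count} stalled lookups, {total:.1f}s in flight")
```

On these nine lines every stalled lookup falls under one of three zones, which is the pattern a small number of unresponsive zones would produce rather than a generally slow resolver.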


# is_wildcard_domain reports the wildcard pool per parent
wildcard_domains = await scan.helpers.dns.is_wildcard_domain("asdf.test.evilcorp.com", ["A", "AAAA"])
assert "test.evilcorp.com" in wildcard_domains