Created domain typosquatting checker

Apps/TyposquattingDetector/Config.cs

@@ -0,0 +1,107 @@
+/*
+Technitium DNS Server
+Copyright (C) 2025  Shreyas Zare ([email protected])
+Copyright (C) 2025  Zafer Balkan ([email protected])
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.ComponentModel.DataAnnotations;
+using System.IO;
+using System.Text.Json.Serialization;
+using System.Text.RegularExpressions;
+
+namespace TyposquattingDetector
+{
+    public sealed partial class App
+    {
+        private class Config
+        {
+            [JsonPropertyName("addExtendedDnsError")]
+            public bool AddExtendedDnsError { get; set; } = true;
+
+            [JsonPropertyName("allowTxtBlockingReport")]
+            public bool AllowTxtBlockingReport { get; set; } = true;
+
+            [JsonPropertyName("disableTlsValidation")]
+            public bool DisableTlsValidation { get; set; } = false;
+
+            [JsonPropertyName("enable")]
+            public bool Enable { get; set; } = true;
+
+            [JsonPropertyName("fuzzyMatchThreshold")]
+            [Range(75, 90, ErrorMessage = "fuzzyMatchThreshold must be between 75 and 90.")]
+            [Required(ErrorMessage = "fuzzyMatchThreshold is a required configuration property. The lower threshold means more false positives.")]
+            public int FuzzyMatchThreshold { get; set; } = 75;
+
+            [JsonPropertyName("customList")]
+            [RegularExpression("^(?:[a-zA-Z]:\\\\(?:[^\\\\\\/:*?\"<>|\\r\\n]+\\\\)*[^\\\\\\/:*?\"<>|\\r\\n]*|(?:\\/[^\\/\\0]+)+\\/?)$", ErrorMessage = "customList must be a valid file path with one domain per line.")]
+            [CustomValidation(typeof(FileContentValidator), nameof(FileContentValidator.ValidateDomainFile))]
+            public string? Path { get; set; }
+
+            [JsonPropertyName("updateInterval")]
+            [Required(ErrorMessage = "updateInterval is a required configuration property.")]
+            [RegularExpression(@"^\d+[mhdw]$", ErrorMessage = "Invalid interval format. Use a number followed by 'm', 'h', or 'd' (e.g., '90m', '2h', '7d').", MatchTimeoutInMilliseconds = 3000)]
+            public string UpdateInterval { get; set; } = "30d";
+        }
+
+        public partial class FileContentValidator
+        {
+            // Optimized Regex: Compiled for performance during "Happy Path" scans
+            private static readonly Regex DomainRegex = FilePathPattern();
+
+            public static ValidationResult? ValidateDomainFile(string? path, ValidationContext context)
+            {
+                // 1. If path is null/empty, we assume validation is not required here
+                // (Use [Required] on the property if you want to force a path to be provided)
+                if (string.IsNullOrWhiteSpace(path)) return ValidationResult.Success;
+
+                // 2. Existence Check
+                if (!File.Exists(path))
+                    return new ValidationResult($"File not found: {path}");
+
+                try
+                {
+                    // 3. Stream through lines
+                    // If the file is empty, this loop is simply skipped
+                    foreach (string line in File.ReadLines(path))
+                    {
+                        string trimmedLine = line.Trim();
+
+                        // Skip truly empty lines (whitespace only)
+                        if (string.IsNullOrEmpty(trimmedLine)) continue;
+
+                        // 4. Fail-Fast Logic
+                        // If any content exists, it MUST follow the domain rules
+                        if (trimmedLine.Contains('*') || !DomainRegex.IsMatch(trimmedLine))
+                        {
+                            return new ValidationResult($"Invalid content: '{trimmedLine}'. Wildcards are not allowed.");
+                        }
+                    }
+                }
+                catch (IOException ex)
+                {
+                    return new ValidationResult($"File access error: {ex.Message}");
+                }
+
+                // 5. Success Path
+                // Reached if the file was empty OR all lines passed validation
+                return ValidationResult.Success;
+            }
+
+            [GeneratedRegex(@"^(?!-)[A-Za-z0-9-]+([\-\.]{1}[a-z0-9]+)*\.[A-Za-z]{2,63}$", RegexOptions.IgnoreCase | RegexOptions.Compiled, "en-US")]
+            private static partial Regex FilePathPattern();
+        }
+    }
+}

Apps/TyposquattingDetector/README.md

@@ -0,0 +1,51 @@
+# Typosquatting Detector for Technitium DNS Server
+
+A DNS security plugin that detects and blocks look-alike domains associated with phishing and brand impersonation. The plugin evaluates similarity between queried domains and a high-reputation corpus and blocks near-miss variants before resolution.
+
+## Detection model
+
+The plugin builds a trusted corpus from the Majestic Million list plus an optional custom list. For each query it:
+
+1. Normalizes to the registrable domain using Public Suffix rules.
+2. Performs an O(1) Bloom filter check for known legitimate domains.
+3. Runs fuzzy similarity matching against length-adjacent candidates for unknown domains.
+
+Queries above the configured similarity threshold are classified as probable typosquats and blocked.
+
+## Enforcement behavior
+
+Suspicious domains receive an authoritative NXDOMAIN with SOA. Optional Extended DNS Error metadata and optional TXT blocking reports expose structured blocking details for logs and SIEM ingestion. Clean domains are not modified and resolve normally.
+
+## Configuration
+
+Example configuration:
+
+```json
+{
+  "enable": true,
+  "fuzzyMatchThreshold": 75,
+  "customList": "/path/to/custom-domains.txt",
+  "disableTlsValidation": false,
+  "updateInterval": "30d",
+  "allowTxtBlockingReport": true,
+  "addExtendedDnsError": true
+}
+```
+
+Key options
+
+* fuzzyMatchThreshold (75–90): main sensitivity control. Lower values detect more variants but increase false positives.
+* customList: one domain per line; add organization and brand domains you want treated as trusted.
+* updateInterval: controls when the Majestic list is reprocessed; rebuilds are skipped when the file hash is unchanged.
+* allowTxtBlockingReport / addExtendedDnsError: control operator visibility of blocking decisions.
+* disableTlsValidation: test or lab use only.
+
+## Deployment and risk considerations
+
+Start with a conservative threshold (85–90) in production and observe blocks before lowering. False positives are most likely for domains visually similar to major brands but legitimate or newly emerging services. Mitigations include raising the threshold or adding the domain to the custom list.
+
+This plugin is intended for recursive resolvers operated by security teams where DNS blocking is an accepted control point. Communicate expected behavior to users and support staff to avoid confusion when NXDOMAIN is enforcement rather than resolution failure.
+
+## Acknowledgements
+
+Uses [Majestic Million dataset](https://majestic.com/reports/majestic-million), [Nager Public Suffix parser](https://github.com/nager/Nager.PublicSuffix), [BloomFilter.NetCore](https://github.com/vla/BloomFilter.NetCore) and [FuzzySharp](https://github.com/JakeBayer/FuzzySharp) libraries, and the Technitium DNS Server app framework.