fixes multiple dns templates with false postive results

dns/azure-takeover-detection.yaml

@@ -24,6 +24,7 @@ dns:
     matchers-condition: and
     matchers:
       - type: word
+        part: answer
         words:
           - "azure-api.net"
           - "azure-mobile.net"
@@ -50,7 +51,6 @@ dns:
           - "NXDOMAIN"
 
     extractors:
-      - type: regex
-        group: 1
-        regex:
-          - "IN\tCNAME\t(.+)"
+      - type: dsl
+        dsl:
+          - cname

dns/caa-fingerprint.yaml

@@ -18,9 +18,9 @@ dns:
     type: CAA
 
     matchers:
-      - type: word
-        words:
-          - "IN\tCAA"
+      - type: regex
+        regex:
+          - "IN\tCAA\\t(.+)$"
 
     extractors:
       - type: regex

dns/detect-dangling-cname.yaml

@@ -26,12 +26,12 @@ dns:
         words:
           - "NXDOMAIN"
 
-      - type: word
-        words:
-          - "IN\tCNAME"
-
-    extractors:
       - type: regex
-        group: 1
+        part: answer
         regex:
-          - "IN\tCNAME\t(.+)"
+          - "IN\tCNAME\\t(.+)$"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - cname

dns/dmarc-detect.yaml

@@ -21,6 +21,12 @@ dns:
   - name: "_dmarc.{{FQDN}}"
     type: TXT
 
+    matchers:
+      - type: regex
+        part: answer
+        regex:
+          - "IN\tTXT\\t(.+)$"
+
     extractors:
       - type: regex
         group: 1

dns/dns-saas-service-detection.yaml

@@ -25,12 +25,14 @@ dns:
     matchers-condition: or
     matchers:
       - type: word
+        part: answer
         name: ms-office
         words:
           - outlook.com
           - office.com
 
       - type: word
+        part: answer
         name: azure
         words:
           - "azure-api.net"
@@ -56,23 +58,26 @@ dns:
           - "trafficmanager.net"
 
       - type: word
+        part: answer
         name: zendesk
         words:
           - "zendesk.com"
 
       - type: word
+        part: answer
         name: announcekit
         words:
           - "cname.announcekit.app"
 
       - type: word
+        part: answer
         name: wix
         words:
           - "wixdns.net"
 
       - type: word
+        part: answer
         name: akamai-cdn
-        condition: or
         words:
           - akadns.net
           - akagtm.org
@@ -96,6 +101,7 @@ dns:
           - edgesuite.net
 
       - type: word
+        part: answer
         name: cloudflare-cdn
         words:
           - cloudflare.net
@@ -117,53 +123,62 @@ dns:
           - sn-cloudflare.com
 
       - type: word
+        part: answer
         name: amazon-cloudfront
         words:
           - cloudfront.net
 
       - type: word
+        part: answer
         name: salesforce
         words:
           - salesforce.com
           - siteforce.com
           - force.com
 
       - type: word
+        part: answer
         name: amazon-aws
         words:
           - amazonaws.com
           - elasticbeanstalk.com
           - awsglobalaccelerator.com
 
       - type: word
+        part: answer
         name: fastly-cdn
         words:
           - fastly.net
 
       - type: word
+        part: answer
         name: netlify
         words:
           - netlify.app
           - netlify.com
           - netlifyglobalcdn.com
 
       - type: word
+        part: answer
         name: vercel
         words:
           - vercel.app
 
       - type: word
+        part: answer
         name: sendgrid
         words:
           - sendgrid.net
           - sendgrid.com
 
       - type: word
+        part: answer
         name: qualtrics
         words:
           - qualtrics.com
 
       - type: word
+        part: answer
         name: heroku
         words:
           - herokuapp.com
@@ -173,44 +188,52 @@ dns:
           - herokuspace.com
 
       - type: word
+        part: answer
         name: gitlab
         words:
           - gitlab.com
           - gitlab.io
 
       - type: word
+        part: answer
         name: perforce-akana
         words:
           - akana.com
           - apiportal.akana.com
 
       - type: word
+        part: answer
         name: skilljar
         words:
           - skilljarapp.com
 
       - type: word
+        part: answer
         name: datagrail
         words:
           - datagrail.io
 
       - type: word
+        part: answer
         name: platform.sh
         words:
           - platform.sh
 
       - type: word
+        part: answer
         name: folloze
         words:
           - folloze.com
 
       - type: word
+        part: answer
         name: pendo-receptive
         words:
           - receptive.io
           - pendo.io
 
       - type: word
+        part: answer
         name: discourse
         words:
           - bydiscourse.com
@@ -220,6 +243,7 @@ dns:
           - hosted-by-discourse.com
 
       - type: word
+        part: answer
         name: adobe-marketo
         words:
           - marketo.com
@@ -228,38 +252,45 @@ dns:
           - mktossl.com
           - mktoweb.com
 
-      - type: regex
+      - type: word
+        part: answer
         name: adobe-marketo
           - 'mkto-.{5,8}\.com'
 
       - type: word
+        part: answer
         name: adobe-marketo
         words:
           - marketo.com
 
       - type: word
+        part: answer
         name: rock-content
         words:
           - postclickmarketing.com
           - rockcontent.com
           - rockstage.io
 
       - type: word
+        part: answer
         name: rocketlane
         words:
           - rocketlane.com
 
       - type: word
+        part: answer
         name: webflow
         words:
           - proxy-ssl.webflow.com
 
       - type: word
+        part: answer
         name: stacker-hq
         words:
           - stacker.app
 
       - type: word
+        part: answer
         name: hubspot
         words:
           - hs-analytics.net
@@ -285,12 +316,14 @@ dns:
           - usemessages.com
 
       - type: word
+        part: answer
         name: gitbook
         words:
           - gitbook.com
           - gitbook.io
 
       - type: word
+        part: answer
         name: google-firebase
         words:
           - fcm.googleapis.com
@@ -311,6 +344,7 @@ dns:
           - firebaseremoteconfig.googleapis.com
 
       - type: word
+        part: answer
         name: zendesk
         words:
           - zdassets.com
@@ -319,12 +353,14 @@ dns:
           - zopim.com
 
       - type: word
+        part: answer
         name: imperva
         words:
           - incapdns.net
           - incapsula.com
 
       - type: word
+        part: answer
         name: proofpoint
         words:
           - infoprtct.com
@@ -334,13 +370,15 @@ dns:
           - proofpoint.com
 
       - type: word
+        part: answer
         name: q4-investor-relations
         words:
           - q4inc.com
           - q4ir.com
           - q4web.com
 
       - type: word
+        part: answer
         name: google-hosted
         words:
           - appspot.com
@@ -354,38 +392,45 @@ dns:
           - run.app
 
       - type: word
+        part: answer
         name: wp-engine
         words:
           - wpengine.com
 
       - type: word
+        part: answer
         name: github
         words:
           - github.com
           - github.io
           - githubusercontent.com
 
       - type: word
+        part: answer
         name: ghost
         words:
           - ghost.io
 
       - type: word
+        part: answer
         name: digital-ocean
         words:
           - ondigitalocean.app
 
       - type: word
+        part: answer
         name: typedream
         words:
           - ontypedream.com
 
       - type: word
+        part: answer
         name: oracle-eloqua-marketing
         words:
           - hs.eloqua.com
 
       - type: regex
+        part: answer
         regex:
-          - "IN\tCNAME"
-          - "IN\\s*CNAME"
+          - "IN\tCNAME\\t(.+)$"
+          - "IN\\s*CNAME\\t(.+)$"