On Fri, Nov 18, 2022 at 07:57:58PM +0800, 黄泸明 via Dnsmasq-discuss wrote:
> Hi,

Hello,

> Description:
> 1. When dnsmasq receives malformed DNS request packets as a DNS forwarder, it forwards the packets to the upstream name server without proper verification.
> 2. When the DNS forwarder iteratively queries the malicious domain name server, it returns some malformed DNS packets, and dnsmasq returns the packet to the client without proper verification, which will give the user distrusted or malicious data. Other authoritative DNS servers have done correct verification.
>
> Steps to reproduce:
>
> 1. Turn on a fake upstream name server; it will only change the flag of the received DNS packet to 0x8180 and return it to the packet sender (dnsmasq).
> You can do the above with the Python script:
> https://643684107.oss-cn-beijing.aliyuncs.com/dnsmasq/dns_server.py
> Download it and run like this:
> python3 dns_server.py 5353
> 2. Start dnsmasq. The configuration options are as follows:
> ```
> port=5353
> no-daemon
> no-resolv
> server = 127.0.0.1
> bind-interfaces
> no-hosts
> ```
> 3. Send the corresponding DNS request. The specific construction method of the DNS request packet is as follows:
> Set the fifth 4-bytes to 0x00e3 (or other numbers except 0x0000), which represents the number of Authority RRs as 0x00e3, and set the authoritative nameservers section to empty.
> You can do the above with these two files:
> https://643684107.oss-cn-beijing.aliyuncs.com/dnsmasq/dns_request.py
> https://643684107.oss-cn-beijing.aliyuncs.com/dnsmasq/request
> Download them and run like this:
> python3 dns_request.py request 5353
> Then the fake upstream name server will show this:
> UDP: Received 32 bytes from ('127.0.0.1', 44486)
> 0000 DE 0C 01 00 00 01 00 00 00 E3 00 00 06 63 65 72 .............cer
> 0010 74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01 t01.example..%..
> UDP: Sending 32 bytes to ('127.0.0.1', 44486)
> 0000 DE 0C 81 80 00 01 00 00 00 E3 00 00 06 63 65 72 .............cer
> 0010 74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01 t01.example..%..
> UDP: Done
>
> We can see that dnsmasq does not detect that the request packet is malformed and forwards it to the fake upstream name server.
> Then the client will show this:
> Sending DNS query to 127.0.0.1:5353
> DNS query data:
> 0000 31 32 01 00 00 01 00 00 00 E3 00 00 06 63 65 72 12...........cer
> 0010 74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01 t01.example..%..
> Received DNS response from 127.0.0.1:5353
> DNS response data:
> 0000 31 32 81 80 00 01 00 00 00 E3 00 00 06 63 65 72 12...........cer
> 0010 74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01 t01.example..%..
> We can see that dnsmasq returns a malformed DNS packet to the client. The flag and the Authority RRs are not changed.
>
> In contrast, Bind (a DNS resolver like Unbound) returns a correctly formatted DNS packet:
> Sending DNS query to 127.0.0.1:7777
> DNS query data:
> 0000 31 32 01 00 00 01 00 00 00 E3 00 00 06 63 65 72 12...........cer
> 0010 74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01 t01.example..%..
> Received DNS response from 127.0.0.1:7777
> DNS response data:
> 0000 31 32 81 01 00 01 00 00 00 00 00 00 06 63 65 72 12...........cer
> 0010 74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01 t01.example..%..
>
> Thanks
>
> M1ngkvv1nd
> Zhejiang University

That was sent while thread https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q4/016687.html was going on.

In https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q4/016749.html is "That should cover both the examples above."

Unknown to me is whether the above example is covered.

The thing that I do know is that the "response" was not announced. (There is https://643684107.oss-cn-beijing.aliyuncs.com/dnsmasq/request.)

If the response is ever published, I do hope that it is for "cert04.example" and that the request also has "cert04".

The idea behind it is to make it possible to build one ldns-testns data file for several requests, so that ldns-testns can match and respond to distinct certNN.example requests.

Groeten
Geert Stappers
-- 
Silence is hard to parse

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
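The check the report is asking a forwarder to perform, as an added example written for this page (it is not code from the report, from dnsmasq, or from BIND): walk the question and RR sections and confirm that the counts in the 12-byte header match what the packet actually carries, then answer a malformed query with FORMERR instead of relaying it. The sample bytes are transcribed from the hex dumps quoted above; the function names and the forward/reject decision are my own assumptions about how such a check would be wired in, not a description of either resolver's internals.

```python
import struct

RCODE_FORMERR = 1


def skip_name(msg, off):
    """Return the offset just past the domain name that starts at `off`.

    Accepts ordinary labels and a trailing compression pointer (RFC 1035 4.1.4);
    raises ValueError when the name runs off the end of the message.
    """
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:                # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            return off + 2
        if length & 0xC0:              # 0x40/0x80 prefixes are reserved
            raise ValueError("invalid label length byte")
        off += 1 + length


def count_questions(msg, off, declared):
    """Walk up to `declared` question entries; return (entries present, new offset)."""
    n = 0
    while n < declared:
        try:
            end = skip_name(msg, off)
        except ValueError:
            break
        if end + 4 > len(msg):         # QTYPE + QCLASS missing
            break
        off = end + 4
        n += 1
    return n, off


def count_rrs(msg, off, declared):
    """Walk up to `declared` resource records; return (complete RRs present, new offset)."""
    n = 0
    while n < declared:
        try:
            end = skip_name(msg, off)
        except ValueError:
            break
        if end + 10 > len(msg):        # TYPE, CLASS, TTL, RDLENGTH missing
            break
        rdlength = struct.unpack_from("!H", msg, end + 8)[0]
        if end + 10 + rdlength > len(msg):   # RDATA truncated
            break
        off = end + 10 + rdlength
        n += 1
    return n, off


def check_counts(msg):
    """Return the inconsistencies between the header counts and the sections actually
    carried in `msg`; an empty list means the counts are consistent with the wire."""
    if len(msg) < 12:
        return ["message shorter than the 12-byte header"]
    _, _, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", msg, 0)
    problems = []
    actual, off = count_questions(msg, 12, qdcount)
    if actual != qdcount:
        problems.append("QDCOUNT=%d but only %d question(s) present" % (qdcount, actual))
    for field, declared in (("ANCOUNT", ancount), ("NSCOUNT", nscount), ("ARCOUNT", arcount)):
        actual, off = count_rrs(msg, off, declared)
        if actual != declared:
            problems.append("%s=%d but only %d RR(s) present" % (field, declared, actual))
    if off != len(msg):
        problems.append("%d trailing byte(s) after the last section" % (len(msg) - off))
    return problems


def formerr_reply(query):
    """Build the reply a validating resolver sends for a malformed query, in the shape of
    the BIND reply quoted above: same ID, QR set, opcode and RD copied, RCODE=1, the
    question echoed when it is intact, and every other count zero."""
    qid, flags = struct.unpack_from("!HH", query, 0)
    rflags = 0x8000 | (flags & 0x7900) | RCODE_FORMERR   # QR | opcode | RD | FORMERR
    question = b""
    try:
        end = skip_name(query, 12) + 4
        if end <= len(query):
            question = query[12:end]
    except ValueError:
        pass
    return struct.pack("!HHHHHH", qid, rflags, 1 if question else 0, 0, 0, 0) + question


def handle_query(query):
    """Forwarder decision (assumed wiring, not dnsmasq's): ("drop", None) for a runt,
    ("reject", formerr_reply) when counts disagree with the wire, else ("forward", query)."""
    if len(query) < 12:
        return "drop", None
    if check_counts(query):
        return "reject", formerr_reply(query)
    return "forward", query


# Sample input transcribed from the client-side hex dumps in the report above:
# the query with NSCOUNT=0x00e3 and an empty authority section, and BIND's FORMERR reply.
REPORT_QUERY = bytes.fromhex(
    "3132 0100 0001 0000 00e3 0000"          # ID 0x3132, RD, QDCOUNT=1, NSCOUNT=0xe3
    "06 636572743031 07 6578616d706c65 00"  # cert01.example
    "0025 0001"                              # QTYPE CERT (37), class IN
)
BIND_REPLY = bytes.fromhex(
    "3132 8101 0001 0000 0000 0000"          # QR|RD, RCODE=1 (FORMERR), counts zeroed
    "06 636572743031 07 6578616d706c65 00"
    "0025 0001"
)
# The fake upstream's reply from the report (ID 0xde0c): flags flipped to 0x8180 but
# NSCOUNT still 0xe3, so the same check refuses to relay it back to the client.
UPSTREAM_REPLY = bytes.fromhex(
    "de0c 8180 0001 0000 00e3 0000"
    "06 636572743031 07 6578616d706c65 00"
    "0025 0001"
)

if __name__ == "__main__":
    print("query problems:   ", check_counts(REPORT_QUERY))
    decision, reply = handle_query(REPORT_QUERY)
    print("decision:", decision, "| reply identical to BIND's:", reply == BIND_REPLY)
    print("upstream problems:", check_counts(UPSTREAM_REPLY))
```

Run stand-alone, it reports the NSCOUNT mismatch for both the client's query and the fake upstream's reply, and the generated FORMERR reply is byte-for-byte the one BIND returned in the report. The same `check_counts` call is what a forwarder would apply on both sides, before relaying a query upstream and before handing an upstream reply to the client.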
