Re: Without IPv6 half of the queries yield SERVFAIL

2021-08-05 Thread sthaug 
> ! I tried to use this recommendation, https://kb.isc.org/docs/aa-00206,
> ! marking all IPv6 addrs as bogus, but it does not make a difference in
> ! behaviour.
> 
> Update: Actually there is a difference if this recommended
> configuration is present or not - only the NXDOMAIN outcome is the
> same in both cases.

Have you tried:

listen-on-v6{ none; };

Steinar Haug, Nethelp consulting, sth...@nethelp.no
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Different DNSSEC behaviour between two old versions

2021-08-05 Thread raf via bind-users 
Hi again,

Never mind. It wasn't the difference between versions.
It was that the 9.10.3 server was forwarding all queries
to my ISP's DNS servers which are not functioning well.
They can't even resolve ietf.org at the moment.
When forwarding to 8.8.8.8 instead, it behaves the same
as the 9.11.5 server that's doing its own resolving.
Apologies for the noise.

cheers,
raf

On Fri, Aug 06, 2021 at 11:56:06AM +1000, raf  wrote:

> Hi,
> 
> Firstly, I'd like to thank everyone involved with making bind.
> I'm used to using old versions (9.10.3 on an old ubuntu host)
> and (9.11.5 on debian-10 stable). And just as I'm about to start
> using DNSSEC for my domains, debian-11 stable is about to come
> out in a few days with bind-9.16.15 which will make DNSSEC so
> much easier than I was expecting. Thanks again.
> 
> Now to my question. I've seen an odd difference in behaviour
> between 9.10.3 and 9.11.5 relating to DNSSEC, and I was wondering
> if anyone knows the reason.
> 
> With both servers configured with "dnssec-validation auto",
> 9.10.3 won't resolve tools.ietf.org or datatracker.ietf.org,
> but 9.11.5 will resolve them. 9.10.3 will only resolve them
> without "dnssec-validation auto". Below is some dig output.
> 
> Any thoughts?
> 
> cheers,
> raf
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Different DNSSEC behaviour between two old versions

2021-08-05 Thread raf via bind-users 
Hi,

Firstly, I'd like to thank everyone involved with making bind.
I'm used to using old versions (9.10.3 on an old ubuntu host)
and (9.11.5 on debian-10 stable). And just as I'm about to start
using DNSSEC for my domains, debian-11 stable is about to come
out in a few days with bind-9.16.15 which will make DNSSEC so
much easier than I was expecting. Thanks again.

Now to my question. I've seen an odd difference in behaviour
between 9.10.3 and 9.11.5 relating to DNSSEC, and I was wondering
if anyone knows the reason.

With both servers configured with "dnssec-validation auto",
9.10.3 won't resolve tools.ietf.org or datatracker.ietf.org,
but 9.11.5 will resolve them. 9.10.3 will only resolve them
without "dnssec-validation auto". Below is some dig output.

Any thoughts?

cheers,
raf

Bind-9.10.3 (old ubuntu) without dnssec-validation auto:

> dig tools.ietf.org +dnssec

; <<>> DiG 9.10.3-P4-Ubuntu <<>> tools.ietf.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2577
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;tools.ietf.org.IN  A

;; ANSWER SECTION:
tools.ietf.org. 600 IN  A   4.31.198.62
tools.ietf.org. 600 IN  A   64.170.98.42

;; Query time: 466 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 06 11:02:57 AEST 2021
;; MSG SIZE  rcvd: 75

Bind-9.10.3 (old ubuntu) with dnssec-validation auto:

> dig tools.ietf.org +dnssec

; <<>> DiG 9.10.3-P4-Ubuntu <<>> tools.ietf.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;tools.ietf.org.IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 06 11:20:27 AEST 2021
;; MSG SIZE  rcvd: 43

Bind-9.11.5 (debian-10) with dnssec-validation auto:

> dig tools.ietf.org +dnssec

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> tools.ietf.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10705
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: bc0cbf3fc280195cff2fc080610c8f2371a53d64a2a8f7b4 (good)
;; QUESTION SECTION:
;tools.ietf.org.IN  A

;; ANSWER SECTION:
tools.ietf.org. 600 IN  A   4.31.198.62
tools.ietf.org. 600 IN  A   64.170.98.42

;; AUTHORITY SECTION:
tools.ietf.org. 560 IN  NS  zinfandel.levkowetz.com.
tools.ietf.org. 560 IN  NS  dunkelfelder.levkowetz.com.
tools.ietf.org. 560 IN  NS  dechaunac.levkowetz.com.
tools.ietf.org. 560 IN  NS  heroldrebe.levkowetz.com.

;; ADDITIONAL SECTION:
dechaunac.levkowetz.com. 126039 IN  A   4.31.198.62
zinfandel.levkowetz.com. 126039 IN  A   64.170.98.42
heroldrebe.levkowetz.com. 126039 IN A   194.8.197.114
dunkelfelder.levkowetz.com. 126039 IN   A   217.69.81.146
dechaunac.levkowetz.com. 126039 IN  2001:1900:3001:11::3e
zinfandel.levkowetz.com. 126039 IN  2001:1890:126c::1:2a
heroldrebe.levkowetz.com. 126039 IN 2001:4dd0:200:405:dc40::1
dunkelfelder.levkowetz.com. 126039 IN   2001:aa8:ffdc::42

;; Query time: 277 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 06 11:23:47 AEST 2021
;; MSG SIZE  rcvd: 392

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Without IPv6 half of the queries yield SERVFAIL

2021-08-05 Thread Peter 
On Thu, Aug 05, 2021 at 11:53:35PM +0200, Peter wrote:

! I tried to use this recommendation, https://kb.isc.org/docs/aa-00206,
! marking all IPv6 addrs as bogus, but it does not make a difference in
! behaviour.

Update: Actually there is a difference if this recommended
configuration is present or not - only the NXDOMAIN outcome is the
same in both cases.

WITH this configuration ("server ::/0 { bogus yes; };") I get the
behaviour as described in the previous msg: Resolving will
occasionally fail, depending on the sequence in which the recursive
queries get answered.

WITHOUT this configuration lots of INET6 queries are generated (and
cannot be sent anywhere as there is no IPv6). And then frequently
this error appears:

Aug  6 00:05:51  conr named[5623]: resolver: debug 3:
exceeded max queries resolving 'curitiba.porkbun.com/'
(querycount=101, maxqueries=100)

Now that is something I can understand. :) So, when I put this
into the configuration: "max-recursion-queries 400;", then things
appear to work!
But this is probably not "The Good Way" to solve this (and it fills
the log with all these "lame-servers" errors from the unreachable
IPv6 addresses).

So then, maybe the recommended configuration with
"server ::/0 { bogus yes; };"
is not so really recommendable and rather dangerous? Or mabye it is
somehow misbehaving in this case?

rgds,
PMc
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Without IPv6 half of the queries yield SERVFAIL

2021-08-05 Thread Peter 


Hi all,

  first off: I do not have IPv6 physical connectivity yet, but I would
like to run a nameserver nevertheless.

Sadly, it seems that without IPv6 connectivity, half of the queries
fail, in a random fashion.

There is no clue in the logfile about any reason for this behaviour,
only so much as:

client: error: query client=0x80db45160
   thread=0x80125ba00(pole.daemon.contact/A): query_gotanswer:
   unexpected error: SERVFAIL
query-errors: info: client @0x80db45160 192.168.98.10#17919
   (pole.daemon.contact): view intra: query failed (SERVFAIL)
   for pole.daemon.contact/IN/A at query.c:7376

Increasing the debug level does not give me more insight.

The failure happens randomly, half of the time. (Only after 'rndc flush',
obviousely, so it went undetected at first, taken for a network
hiccup.)

I finally resorted to full dnstap logging, and walked myself thru
the whole orgy of recursive resolving. The outcome:

This name in question, pole.daemon.contact, has four nameservers,
each of them has two IPv4 and one IPv6 addresses.

In the cases when the query is successful, the recursion happens just
as we would expect it: at some point an IP address for one of the four
nameservers is obtained, then from that IP address the desired A
record is queried and obtained, and after a bit more of validation
stuff (probably DNSSEC) the client gets the proper answer.

In the cases when the query yields SERVFAIL, the difference is that
the first arriving answer for one of the nameserver's addresses is an
answer to an  query, not an A query (as mentioned, ther are four
possible nameservers, and each has A and  records). At that point
the client is sent NXDOMAIN, disregarding that the other (A and )
records are just at that moment being received. So the query is fail,
and the service is outage, and it is bad.

The problem appears on different machines, all running FreeBSD 12.2
and BIND 9.16.18.

I tried to use this recommendation, https://kb.isc.org/docs/aa-00206,
marking all IPv6 addrs as bogus, but it does not make a difference in
behaviour.

Is there any means to tell named that we just don't have IPv6
connections yet (which actually should be obvious because there is
not IPv6 address on the interfaces, except for lo0)?

I know I can use -4 cmdline option, but that disables everything,
while I would rather like to slowly and tentatively enter IPv6 (but
on my pace, and not forced by a named insisting in all-or-nothing).
I would rather like named to continue and try the other seven address
options, and not just NXDOMAIN rightaway.


rgds,
PMc
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Fuzzing Bind

2021-08-05 Thread Ed Daniel 
On 05/08/2021 17:57, Siva Kakarla wrote:
> Thanks, Daniel, that is also a great idea. I am trying to see if I can
> get the standard fuzzers like AFL to work for my use case, but if I
> can't then I will try the idea you suggested. 

This also rather cool:
https://github.com/DNS-OARC/dns-benchmarking/blob/master/home/knot/tools/pcap-fuzz.py

Other ideas here too:
https://lists.dns-oarc.net/pipermail/dns-operations/2018-February/017315.html
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Fuzzing Bind

2021-08-05 Thread Ondřej Surý 
You can use dnspython to generate wire format.

Generally, I think that writing more specific fuzzers on top of APIs that 
consumes user input would be more useful than just fuzzing `named`.

F.e. it should be possible to write a fuzzer that takes multiple DNS messages 
as input (starting with query + all DNS messages needed to resolve the query) 
would be more useful that just fuzzing “stuff”.

Also I think that for more complex stuff it would be better to write a protocol 
specific input generator than just generic one found in existing fuzzers.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 5. 8. 2021, at 18:51, Siva Kakarla  wrote:
> 
> 
> Thanks, Ondrej, for the reply.
> 
> Fuzzing responses is the second part, I would say. For now, I am only fuzzing 
> the authoritative server, so fuzzing named with queries would be a good 
> starting point. I will check the GitHub repository you pointed out. 
> 
> The instructions for running AFL work great, thanks!
> 
> I came across the '-A' option from the report you filed a year ago, but was 
> under the impression that the "client" would be the default but I just saw 
> that it is none in the code so, I guess, named has to be passed with "named 
> -A client:IP:port" to fuzz the authoritative server with queries. I will 
> check the files you pointed more carefully. 
> 
> When the AFL code was first added to Bind 4-5 years ago, what seed input was 
> given to it?
> 
> I understand that they are raw packets, but how did you get them in the raw 
> format? I guess the fuzzer would have generated some of them but what were 
> the starting raw packets? So, there is also no way to convert them from raw 
> format to readable DNS messages as most of them are invalid but is there a 
> way for valid ones?
> 
> I will try to be more specific - say I want to seed with a query  A>, how do I get the DNS packet that has this query in the raw format? 
> (capturing it using Wireshark?)
> 
> Thanks a lot again for taking the time to answer my questions.
> 
>> On Thu, Aug 5, 2021 at 9:40 PM Ondřej Surý  wrote:
>> If you want to get your hands dirty, I would recommend looking at 
>> https://github.com/dobin/ffw, but for useful fuzzing, this would also need a 
>> more complicated client fuzzing support because you don’t only want to fuzz 
>> the queries, but also responses given by “fake” authoritative servers and 
>> you want to do that on various levels of DNS tree and for various query 
>> types.  It’s a state machine and by doing fuzzing on single level, you might 
>> never hit all the states.
>> 
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ond...@isc.org
>> 
>> > On 5. 8. 2021, at 18:01, Ondřej Surý  wrote:
>> > 
>> > 
>> > --
>> > Ondřej Surý (He/Him)
>> > ond...@isc.org
>> > 
>> >> On 5. 8. 2021, at 14:37, Siva Kakarla  wrote:
>> >> 
>> >> Hello Everyone,
>> >> 
>> >> I am trying to understand and set up a fuzzer for the Bind DNS 
>> >> implementation. My current goal is to fuzz the authoritative server with 
>> >> queries. 
>> >> 
>> >> I have looked around and came across different fuzzing engines, but I 
>> >> have some trouble and some questions getting it to work. If anyone has 
>> >> anything to comment on, please reply, and that would be really helpful.
>> >>  • I configured with CC=/path/to/afl/afl-clang./configure 
>> >> --enable-fuzzing=afl or afl-clang-fast to enable fuzzing. Then, I did 
>> >> make and  make install.  I then tried fuzzing the named binary with 
>> >> afl-fuzz -i fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named 
>> >> -gbut then it stops immediately, sayingthe program crashed with one of 
>> >> the test cases provided. 
>> >>  • How to fuzz the named binary with queries?
>> > 
>> > Read bin/named/fuzz.c and associated code in bin/named/main.c — it’s more 
>> > complicated to set it up (you need to pass -A extra option to `named`).
>> > 
>> >>  • How to get the seed input in raw format? 
>> >>  • Honggfuzz seems to fuzz the named binary, but it produced 
>> >> too many files as crash reports within a minute. I have asked about it on 
>> >> their GitHub. Anyone that worked with Honggfuzz, please reply. 
>> > 
>> > I see, you got response from hongfuzz author directly.
>> > 
>> >>  • A separate fuzz folder contains functions to fuzz small sections 
>> >> of the code. 
>> >>  • Was this created to improve coverage and modularity? (In 
>> >> the sense, can't named be fuzzed directly using the above setup?) 
>> > 
>> > Fuzzing a daemon that depends on various internal state (state of the 
>> > cache, authoritative zones present or not, various configuration options 
>> > enabled or not) is difficult and also sometimes it’s also useless to fuzz 
>> > the big blob and you want to fuzz just specific parts (zone parser, DNS 
>> > message parsers, etc…)
>> > 
>> >>

RE: Add DNS records automatically for static IP's

2021-08-05 Thread Cuttler, Brian R (HEALTH) via bind-users 
Roberto,

I've been using nsupdate for that.

I restricted my dynamic address pool, at the bottom end for infrastructure and 
at the top end for static IP's and then I use nsupdate to add the entries.
There are other methods, which I learned mostly from this list and can attach a 
copy of my site wiki article if you'd like to see it.

Brian


-Original Message-
From: bind-users  On Behalf Of Roberto Carna
Sent: Thursday, August 5, 2021 12:19 PM
To: ML BIND Users 
Subject: Add DNS records automatically for static IP's

ATTENTION: This email came from an external source. Do not open attachments or 
click on links from unknown senders or unexpected emails.


Dear all, I know DDNS works with a DHCP server and dynamic IP's. When
IP changes, the hostname in DNS is updated.

But I have this scenario:

I have several hosts with static IP's / hostnames and I want to
register them to our private BIND DNS, and they should be updated if
the IP or hostname changes.

Is there any way to do what I need ? Any Linux/Windows client to
install in the servers in order to register IP and hostname to aour
provate BIND ???

Special thanks!
___
Please visit 
https://protect2.fireeye.com/v1/url?k=f79b63c4-a8005aca-f7999af1-0cc47aa88e08-87326f8873a8f70f&q=1&e=661620c9-7459-4c2c-b3e4-07a131bd2d04&u=https%3A%2F%2Flists.isc.org%2Fmailman%2Flistinfo%2Fbind-users
 to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at 
https://protect2.fireeye.com/v1/url?k=f4271fb0-abbc26be-f425e685-0cc47aa88e08-eb2d0c2a090ba813&q=1&e=661620c9-7459-4c2c-b3e4-07a131bd2d04&u=https%3A%2F%2Fwww.isc.org%2Fcontact%2F
 for more information.


bind-users mailing list
bind-users@lists.isc.org
https://protect2.fireeye.com/v1/url?k=b3f69bd9-ec6da2d7-b3f462ec-0cc47aa88e08-5673bd64038e4ed1&q=1&e=661620c9-7459-4c2c-b3e4-07a131bd2d04&u=https%3A%2F%2Flists.isc.org%2Fmailman%2Flistinfo%2Fbind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Fuzzing Bind

2021-08-05 Thread Siva Kakarla 
Thanks, Daniel, that is also a great idea. I am trying to see if I can get
the standard fuzzers like AFL to work for my use case, but if I can't then
I will try the idea you suggested.

On Thu, Aug 5, 2021 at 8:39 PM Ed Daniel  wrote:

> On 05/08/2021 13:37, Siva Kakarla wrote:
> > Hello Everyone,
> >
> > I am trying to understand and set up a fuzzer for the Bind DNS
> > implementation. My current goal is to fuzz the authoritative server with
> > queries.
> >
> > I have looked around and came across different fuzzing engines, but I
> > have some trouble and some questions getting it to work. If anyone has
> > anything to comment on, please reply, and that would be really helpful.
> >
> >  1. I configured with |CC=/path/to/afl/afl-clang./configure
> > --enable-fuzzing=afl| or |afl-clang-fast| to enable fuzzing. Then, I
> > did make and  make install.  I then tried fuzzing the |named| binary
> > with |afl-fuzz -i fuzz/dns_message_parse.in/
> >  -o findings /usr/local/sbin/named
> > -g|but then it stops immediately, saying|the program crashed with
> > one of the test cases provided|.
> >  1. How to fuzz the |named|binary with queries?
> >  2. How to get the seed input in raw format?
> >  3. Honggfuzz
> >  >seems
> > to fuzz the named binary, but it produced too many files as
> > crash reports within a minute. I have asked about it on
> > their GitHub .
> > Anyone that worked with Honggfuzz, please reply.
> >  2. A separate fuzz folder
> >  contains
> functions
> > to fuzz small sections of the code.
> >  1. Was this created to improve coverage and modularity? (In the
> > sense, can't |named| be fuzzed directly using the above setup?)
> >  2. I could get them running with |oss-fuzz| but how to run them
> > with |afl-fuzz|? The README
> > <
> https://gitlab.isc.org/isc-projects/bind9/-/blob/main/fuzz/FUZZING.md
> >mentions
> > linking the files; can you please tell me how to do that?
> >  3. How to decode the packets given
> > in
> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in
> > <
> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in
> >?
> > How to add a new packet to the corpus? (How to convert into a raw
> > packet?)
>
> Why not re-purpose a password fuzzer, instead of passwords you'd be
> spawning FQDNs, which you could pipe to mdig or other dns client?
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Fuzzing Bind

2021-08-05 Thread Siva Kakarla 
Thanks, Ondrej, for the reply.

Fuzzing responses is the second part, I would say. For now, I am only
fuzzing the authoritative server, so fuzzing named with queries would be a
good starting point. I will check the GitHub repository you pointed out.

The instructions for running AFL work great, thanks!

I came across the '-A' option from the report you filed a year ago
, but was under
the impression that the "client" would be the default but I just saw that
it is none in the code so, I guess, named has to be passed with "named -A
client:IP:port" to fuzz the authoritative server with queries. I will check
the files you pointed more carefully.

When the AFL code was first added to Bind 4-5 years ago, what seed input
was given to it?

I understand that they are raw packets, but how did you get them in the raw
format? I guess the fuzzer would have generated some of them but what were
the starting raw packets? So, there is also no way to convert them from raw
format to readable DNS messages as most of them are invalid but is there a
way for valid ones?

I will try to be more specific - say I want to seed with a query , how do I get the DNS packet that has this query in the raw format?
(capturing it using Wireshark?)

*Thanks a lot again for taking the time to answer my questions.*

On Thu, Aug 5, 2021 at 9:40 PM Ondřej Surý  wrote:

> If you want to get your hands dirty, I would recommend looking at
> https://github.com/dobin/ffw, but for useful fuzzing, this would also
> need a more complicated client fuzzing support because you don’t only want
> to fuzz the queries, but also responses given by “fake” authoritative
> servers and you want to do that on various levels of DNS tree and for
> various query types.  It’s a state machine and by doing fuzzing on single
> level, you might never hit all the states.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> > On 5. 8. 2021, at 18:01, Ondřej Surý  wrote:
> >
> >
> > --
> > Ondřej Surý (He/Him)
> > ond...@isc.org
> >
> >> On 5. 8. 2021, at 14:37, Siva Kakarla  wrote:
> >>
> >> Hello Everyone,
> >>
> >> I am trying to understand and set up a fuzzer for the Bind DNS
> implementation. My current goal is to fuzz the authoritative server with
> queries.
> >>
> >> I have looked around and came across different fuzzing engines, but I
> have some trouble and some questions getting it to work. If anyone has
> anything to comment on, please reply, and that would be really helpful.
> >>  • I configured with CC=/path/to/afl/afl-clang./configure
> --enable-fuzzing=afl or afl-clang-fast to enable fuzzing. Then, I did make
> and  make install.  I then tried fuzzing the named binary with afl-fuzz -i
> fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -gbut then
> it stops immediately, sayingthe program crashed with one of the test cases
> provided.
> >>  • How to fuzz the named binary with queries?
> >
> > Read bin/named/fuzz.c and associated code in bin/named/main.c — it’s
> more complicated to set it up (you need to pass -A extra option to `named`).
> >
> >>  • How to get the seed input in raw format?
> >>  • Honggfuzz seems to fuzz the named binary, but it
> produced too many files as crash reports within a minute. I have asked
> about it on their GitHub. Anyone that worked with Honggfuzz, please reply.
> >
> > I see, you got response from hongfuzz author directly.
> >
> >>  • A separate fuzz folder contains functions to fuzz small sections
> of the code.
> >>  • Was this created to improve coverage and modularity? (In
> the sense, can't named be fuzzed directly using the above setup?)
> >
> > Fuzzing a daemon that depends on various internal state (state of the
> cache, authoritative zones present or not, various configuration options
> enabled or not) is difficult and also sometimes it’s also useless to fuzz
> the big blob and you want to fuzz just specific parts (zone parser, DNS
> message parsers, etc…)
> >
> >>  • I could get them running with oss-fuzz but how to run
> them with afl-fuzz? The README mentions linking the files; can you please
> tell me how to do that?
> >
> > with AFL++ do
> >
> > CC=afl-clang-fast ./configure --enable-fuzzing=afl
> > make -j
> > cd fuzz
> >
> > and then for each test:
> >
> > make dns_message_parse
> > LD_LIBRARY_PATH=../lib/isc/.libs:../lib/dns/.libs afl-fuzz -i
> dns_message_parse.in/ -o xxx ./.libs/dns_message_parse
> >
> >>  • How to decode the packets given in
> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in?
> How to add a new packet to the corpus? (How to convert into a raw packet?)
> >
> > These are raw DNS messages.  There’s bigger corpus f.e. here:
> https://github.com/CZ-NIC/dns-fuzzing
> >
> >> Thank you
> >> Siva
> >>
> >> --
> >> Siva Kakarla
> >> (sivak.dev)
> >> ___
> >> Please visit https://lists.isc.

Re: Add DNS records automatically for static IP's

2021-08-05 Thread tale via bind-users 
On Thu, Aug 5, 2021 at 12:19 PM Roberto Carna  wrote:
> I have several hosts with static IP's / hostnames and I want to
> register them to our private BIND DNS, and they should be updated if
> the IP or hostname changes.
>
> Is there any way to do what I need ? Any Linux/Windows client to
> install in the servers in order to register IP and hostname to aour
> provate BIND ???

What you're looking for is DHCP configuration.   For example, with
ISC's DHCP server implementation you would use the "host"
statements to match clients and either assign them to a particular
static name via "fixed-address", or use "ddns-hostname" to update
DNS for the hostname with the dynamic address of the assignment.
-- 
tale
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Add DNS records automatically for static IP's

2021-08-05 Thread Chris Buxton 
Windows clients do this with the right settings; often those settings are the 
defaults. For Linux, there’s got to be a script out there that ties into the 
networking code, but I’ve never needed to look for a solution.

The biggest challenges I’ve seen in doing this right are:

  * cryptography: Are you accepting unsigned updates, or are you going to try 
to be secure, using either TSIG or GSS-TSIG? The latter is a real pain to set 
up, and a performance pig, but it can provide good security.
  * access control: If you don’t need unsigned updates, you can use the 
update-policy statement rather than allow-updates to set more granular access 
controls. But update-policy is more complex.
  * performance: How big is the environment? How many updates per second do you 
need to accept? With GSS-TSIG, performance can be an issue in a very large 
enterprise.
  * maintenance: After these devices register themselves, they might get 
decommissioned. Perhaps much later, but eventually upgrades happen and needs 
change. How are you cleaning up the stale records? Your DHCP server will do 
that for you, for DHCP clients.

Regards,
Chris Buxton

> On Aug 5, 2021, at 9:19 AM, Roberto Carna  wrote:
> 
> Dear all, I know DDNS works with a DHCP server and dynamic IP's. When
> IP changes, the hostname in DNS is updated.
> 
> But I have this scenario:
> 
> I have several hosts with static IP's / hostnames and I want to
> register them to our private BIND DNS, and they should be updated if
> the IP or hostname changes.
> 
> Is there any way to do what I need ? Any Linux/Windows client to
> install in the servers in order to register IP and hostname to aour
> provate BIND ???
> 
> Special thanks!
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Add DNS records automatically for static IP's

2021-08-05 Thread Roberto Carna 
Dear all, I know DDNS works with a DHCP server and dynamic IP's. When
IP changes, the hostname in DNS is updated.

But I have this scenario:

I have several hosts with static IP's / hostnames and I want to
register them to our private BIND DNS, and they should be updated if
the IP or hostname changes.

Is there any way to do what I need ? Any Linux/Windows client to
install in the servers in order to register IP and hostname to aour
provate BIND ???

Special thanks!
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Fuzzing Bind

2021-08-05 Thread Ondřej Surý 
If you want to get your hands dirty, I would recommend looking at 
https://github.com/dobin/ffw, but for useful fuzzing, this would also need a 
more complicated client fuzzing support because you don’t only want to fuzz the 
queries, but also responses given by “fake” authoritative servers and you want 
to do that on various levels of DNS tree and for various query types.  It’s a 
state machine and by doing fuzzing on single level, you might never hit all the 
states.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

> On 5. 8. 2021, at 18:01, Ondřej Surý  wrote:
> 
> 
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
> 
>> On 5. 8. 2021, at 14:37, Siva Kakarla  wrote:
>> 
>> Hello Everyone,
>> 
>> I am trying to understand and set up a fuzzer for the Bind DNS 
>> implementation. My current goal is to fuzz the authoritative server with 
>> queries. 
>> 
>> I have looked around and came across different fuzzing engines, but I have 
>> some trouble and some questions getting it to work. If anyone has anything 
>> to comment on, please reply, and that would be really helpful.
>>  • I configured with CC=/path/to/afl/afl-clang./configure 
>> --enable-fuzzing=afl or afl-clang-fast to enable fuzzing. Then, I did make 
>> and  make install.  I then tried fuzzing the named binary with afl-fuzz -i 
>> fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -gbut then it 
>> stops immediately, sayingthe program crashed with one of the test cases 
>> provided. 
>>  • How to fuzz the named binary with queries?
> 
> Read bin/named/fuzz.c and associated code in bin/named/main.c — it’s more 
> complicated to set it up (you need to pass -A extra option to `named`).
> 
>>  • How to get the seed input in raw format? 
>>  • Honggfuzz seems to fuzz the named binary, but it produced too 
>> many files as crash reports within a minute. I have asked about it on their 
>> GitHub. Anyone that worked with Honggfuzz, please reply. 
> 
> I see, you got response from hongfuzz author directly.
> 
>>  • A separate fuzz folder contains functions to fuzz small sections of 
>> the code. 
>>  • Was this created to improve coverage and modularity? (In the 
>> sense, can't named be fuzzed directly using the above setup?) 
> 
> Fuzzing a daemon that depends on various internal state (state of the cache, 
> authoritative zones present or not, various configuration options enabled or 
> not) is difficult and also sometimes it’s also useless to fuzz the big blob 
> and you want to fuzz just specific parts (zone parser, DNS message parsers, 
> etc…)
> 
>>  • I could get them running with oss-fuzz but how to run them 
>> with afl-fuzz? The README mentions linking the files; can you please tell me 
>> how to do that?
> 
> with AFL++ do
> 
> CC=afl-clang-fast ./configure --enable-fuzzing=afl
> make -j
> cd fuzz
> 
> and then for each test:
> 
> make dns_message_parse
> LD_LIBRARY_PATH=../lib/isc/.libs:../lib/dns/.libs afl-fuzz -i 
> dns_message_parse.in/ -o xxx ./.libs/dns_message_parse
> 
>>  • How to decode the packets given in 
>> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in?
>>  How to add a new packet to the corpus? (How to convert into a raw packet?)
> 
> These are raw DNS messages.  There’s bigger corpus f.e. here: 
> https://github.com/CZ-NIC/dns-fuzzing
> 
>> Thank you
>> Siva
>> 
>> --
>> Siva Kakarla
>> (sivak.dev)
>> ___
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list
>> 
>> ISC funds the development of this software with paid support subscriptions. 
>> Contact us at https://www.isc.org/contact/ for more information.
>> 
>> 
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Fuzzing Bind

2021-08-05 Thread Ondřej Surý 

--
Ondřej Surý (He/Him)
ond...@isc.org

> On 5. 8. 2021, at 14:37, Siva Kakarla  wrote:
> 
> Hello Everyone,
> 
> I am trying to understand and set up a fuzzer for the Bind DNS 
> implementation. My current goal is to fuzz the authoritative server with 
> queries. 
> 
> I have looked around and came across different fuzzing engines, but I have 
> some trouble and some questions getting it to work. If anyone has anything to 
> comment on, please reply, and that would be really helpful.
>   • I configured with CC=/path/to/afl/afl-clang./configure 
> --enable-fuzzing=afl or afl-clang-fast to enable fuzzing. Then, I did make 
> and  make install.  I then tried fuzzing the named binary with afl-fuzz -i 
> fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -gbut then it 
> stops immediately, sayingthe program crashed with one of the test cases 
> provided. 
>   • How to fuzz the named binary with queries?

Read bin/named/fuzz.c and associated code in bin/named/main.c — it’s more 
complicated to set it up (you need to pass -A extra option to `named`).

>   • How to get the seed input in raw format? 
>   • Honggfuzz seems to fuzz the named binary, but it produced too 
> many files as crash reports within a minute. I have asked about it on their 
> GitHub. Anyone that worked with Honggfuzz, please reply. 

I see, you got response from hongfuzz author directly.

>   • A separate fuzz folder contains functions to fuzz small sections of 
> the code. 
>   • Was this created to improve coverage and modularity? (In the 
> sense, can't named be fuzzed directly using the above setup?) 

Fuzzing a daemon that depends on various internal state (state of the cache, 
authoritative zones present or not, various configuration options enabled or 
not) is difficult and also sometimes it’s also useless to fuzz the big blob and 
you want to fuzz just specific parts (zone parser, DNS message parsers, etc…)

>   • I could get them running with oss-fuzz but how to run them 
> with afl-fuzz? The README mentions linking the files; can you please tell me 
> how to do that?

with AFL++ do

CC=afl-clang-fast ./configure --enable-fuzzing=afl
make -j
cd fuzz

and then for each test:

make dns_message_parse
LD_LIBRARY_PATH=../lib/isc/.libs:../lib/dns/.libs afl-fuzz -i 
dns_message_parse.in/ -o xxx ./.libs/dns_message_parse

>   • How to decode the packets given in 
> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in?
>  How to add a new packet to the corpus? (How to convert into a raw packet?)

These are raw DNS messages.  There’s bigger corpus f.e. here: 
https://github.com/CZ-NIC/dns-fuzzing

> Thank you
> Siva
> 
> --
> Siva Kakarla
> (sivak.dev)
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Fuzzing Bind

2021-08-05 Thread Ed Daniel 
On 05/08/2021 13:37, Siva Kakarla wrote:
> Hello Everyone,
> 
> I am trying to understand and set up a fuzzer for the Bind DNS
> implementation. My current goal is to fuzz the authoritative server with
> queries. 
> 
> I have looked around and came across different fuzzing engines, but I
> have some trouble and some questions getting it to work. If anyone has
> anything to comment on, please reply, and that would be really helpful.
> 
>  1. I configured with |CC=/path/to/afl/afl-clang./configure
> --enable-fuzzing=afl| or |afl-clang-fast| to enable fuzzing. Then, I
> did make and  make install.  I then tried fuzzing the |named| binary
> with |afl-fuzz -i fuzz/dns_message_parse.in/
>  -o findings /usr/local/sbin/named
> -g|but then it stops immediately, saying|the program crashed with
> one of the test cases provided|. 
>  1. How to fuzz the |named|binary with queries?
>  2. How to get the seed input in raw format? 
>  3. Honggfuzz 
> seems
> to fuzz the named binary, but it produced too many files as
> crash reports within a minute. I have asked about it on
> their GitHub .
> Anyone that worked with Honggfuzz, please reply. 
>  2. A separate fuzz folder
>  contains 
> functions
> to fuzz small sections of the code. 
>  1. Was this created to improve coverage and modularity? (In the
> sense, can't |named| be fuzzed directly using the above setup?) 
>  2. I could get them running with |oss-fuzz| but how to run them
> with |afl-fuzz|? The README 
> 
> mentions
> linking the files; can you please tell me how to do that?
>  3. How to decode the packets given
> in 
> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in
> 
> ?
> How to add a new packet to the corpus? (How to convert into a raw
> packet?)

Why not re-purpose a password fuzzer, instead of passwords you'd be
spawning FQDNs, which you could pipe to mdig or other dns client?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Fuzzing Bind

2021-08-05 Thread Siva Kakarla 
Hello Everyone,

I am trying to understand and set up a fuzzer for the Bind DNS
implementation. My current goal is to fuzz the authoritative server with
queries.

I have looked around and came across different fuzzing engines, but I have
some trouble and some questions getting it to work. If anyone has anything
to comment on, please reply, and that would be really helpful.

   1. I configured with CC=/path/to/afl/afl-clang./configure
   --enable-fuzzing=afl or afl-clang-fast to enable fuzzing. Then, I did make
   and  make install.  I then tried fuzzing the named binary with afl-fuzz
   -i fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -gbut
   then it stops immediately, sayingthe program crashed with one of the
   test cases provided.
   1. How to fuzz the namedbinary with queries?
  2. How to get the seed input in raw format?
  3. Honggfuzz
  seems
  to fuzz the named binary, but it produced too many files as crash reports
  within a minute. I have asked about it on their GitHub
  . Anyone that worked
  with Honggfuzz, please reply.
   2. A separate fuzz folder
    contains
   functions to fuzz small sections of the code.
  1. Was this created to improve coverage and modularity? (In the
  sense, can't named be fuzzed directly using the above setup?)
  2. I could get them running with oss-fuzz but how to run them with
  afl-fuzz? The README
  
mentions
  linking the files; can you please tell me how to do that?
   3. How to decode the packets given in
   
https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in?
   How to add a new packet to the corpus? (How to convert into a raw packet?)

Thank you
Siva

--
Siva Kakarla
(sivak.dev )
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users