Re: Question about CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit

2019-12-20 Thread Cathy Almond
Hi Veronique,

What is being logged is individual queries (or rather, query responses
in actual fact, as those queries are responded to).

It doesn't make any difference to the logging how they arrived - each
query is logged independently, whether it was pipelined over TCP,
arrived non-pipelined, or came in over UDP.

You can't determine whether a client is using TCP pipelining from
looking at the querylog channel - that's because what is being logged is
individual queries being handled, not client connections and how the
queries are transported.

Hoping this helps.

Cathy

On 20/12/2019 15:44, Veronique Lefebure wrote:
> Many thanks for your reply. It answers the second part of my question.
> But what about the first part of the question: " If a client is using 
> TCP-pipelining, and if querylog channel is enabled, what will appear in the 
> query log file for that client ? Shall we see one line per DNS query, i.e. N 
> lines if the client has sent N queries in the pipeline, or shall we see only 
> one line ?" 
> 
> You say "Just seeing multiple queries from the same client TCP connection 
> doesn't mean that it is pipelining them."
> But are we sure that one would see multiple queries in the querylogs in case 
> of pipelining ?
> 
> Thanks,
> Veronique
> 
> -----Original Message-----
> From: Cathy Almond  
> Sent: 09 December 2019 10:05
> To: Veronique Lefebure 
> Subject: Re: FW: Question about CVE-2019-6477: TCP-pipelined queries can 
> bypass tcp-clients limit
> 
> Hi Veronique,
> 
> I replied the same day:
> 
> https://lists.isc.org/pipermail/bind-users/2019-November/102372.html
> 
> But oddly, I don't see your posting on the list at all, just my reply.
> 
> It looks like it never made it to the list - the reason being that you can't 
> post to the list unless you're a subscriber (which, after
> checking, it turns out that you're not). You should have received an
> auto-reply saying that your posting was held for moderation because you 
> weren't signed-up to the list.
> 
> I'm guessing that you BCCd me when you posted, and I just replied to the 
> list, thinking that your posting had come from the list and not directly.
> 
> So.. if you didn't subscribe, you wouldn't have seen the reply...
> 
> Cathy
> 
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 



RE: Question about CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit

2019-12-20 Thread Veronique Lefebure
Many thanks for your reply. It answers the second part of my question.
But what about the first part of the question: " If a client is using 
TCP-pipelining, and if querylog channel is enabled, what will appear in the 
query log file for that client ? Shall we see one line per DNS query, i.e. N 
lines if the client has sent N queries in the pipeline, or shall we see only 
one line ?" 

You say "Just seeing multiple queries from the same client TCP connection 
doesn't mean that it is pipelining them."
But are we sure that one would see multiple queries in the querylogs in case of 
pipelining ?

Thanks,
Veronique

-----Original Message-----
From: Cathy Almond  
Sent: 09 December 2019 10:05
To: Veronique Lefebure 
Subject: Re: FW: Question about CVE-2019-6477: TCP-pipelined queries can bypass 
tcp-clients limit

Hi Veronique,

I replied the same day:

https://lists.isc.org/pipermail/bind-users/2019-November/102372.html

But oddly, I don't see your posting on the list at all, just my reply.

It looks like it never made it to the list - the reason being that you can't 
post to the list unless you're a subscriber (which, after
checking, it turns out that you're not). You should have received an
auto-reply saying that your posting was held for moderation because you weren't 
signed-up to the list.

I'm guessing that you BCCd me when you posted, and I just replied to the list, 
thinking that your posting had come from the list and not directly.

So.. if you didn't subscribe, you wouldn't have seen the reply...

Cathy




Re: Question about CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit

2019-11-21 Thread Cathy Almond
On 21/11/2019 14:40, Veronique Lefebure wrote:
> Hi,
> 
> I have a question regarding the vulnerability described in the mail below.
> 
> If a client is using TCP-pipelining, and if querylog channel is enabled, what 
> will appear in the query log file for that client ?
> Shall we see one line per DNS query, i.e. N lines if the client has sent N 
> queries in the pipeline, or shall we see only one line ?
> Also, is there a way to know if a client is using pipelining (apart from 
> analysing the traffic) ?
> 
> Thanks,
> Veronique

Hi Veronique,

This is an interesting question.

The querylog channel is logging query responses, one per client query.
So you're not going to be able to determine from query logging whether a
client is using TCP-pipelining or not.

Realistically, you're going to have to analyze the traffic in some way
or another.  The difference with a pipelining client as opposed to
another TCP client that just holds open a TCP socket while it sends
several queries, is that the pipelining client won't wait for a query
response to the last query it sent before sending the next one.  It will
have code in place locally to keep track of pending queries and to
handle out of order query responses.

Just seeing multiple queries from the same client TCP connection doesn't
mean that it is pipelining them.

Someone else on the list might have some other ideas, but that's all
that I can think of at the moment - sorry.

Cathy


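The distinction Cathy draws between a pipelining client and one that merely keeps a TCP connection open, together with her point that the querylog channel shows one line per query either way, as an added example that is not part of the original thread and not BIND's own code: a small Python checker that reassembles DNS-over-TCP messages from one connection's captured payload and reports how many queries were outstanding at the peak (more than one means the client sent a new query before the previous answer arrived). The event format, the function names and the two sample conversations are constructed here, not taken from any real capture.

```python
import struct

def build_msg(msg_id, response, name="example.com"):
    """Minimal DNS-over-TCP message (2-byte length prefix, RFC 1035) carrying
    an A question for `name`; used only to construct sample traffic here."""
    flags = 0x8180 if response else 0x0100          # QR bit set on responses
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    body = header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return struct.pack("!H", len(body)) + body

def split_messages(buf):
    """Return (complete messages, unconsumed tail) from a TCP stream buffer,
    so a message split across two segments is reassembled, not dropped."""
    msgs, pos = [], 0
    while pos + 2 <= len(buf):
        (length,) = struct.unpack("!H", buf[pos:pos + 2])
        if pos + 2 + length > len(buf):
            break
        msgs.append(buf[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, buf[pos:]

def analyze(events):
    """events: TCP payload chunks ('c2s'|'s2c', bytes) of one connection in
    capture order. Returns (queries seen, peak queries awaiting an answer);
    a peak above 1 is what distinguishes a pipelining client."""
    bufs = {"c2s": b"", "s2c": b""}
    pending, queries, peak = set(), 0, 0
    for direction, chunk in events:
        msgs, bufs[direction] = split_messages(bufs[direction] + chunk)
        for msg in msgs:
            msg_id = struct.unpack("!H", msg[:2])[0]
            is_response = bool(msg[2] & 0x80)       # QR bit of the flags
            if direction == "c2s" and not is_response:
                queries += 1
                pending.add(msg_id)
                peak = max(peak, len(pending))
            elif direction == "s2c" and is_response:
                pending.discard(msg_id)
    return queries, peak

# Constructed sample conversations (not real captures). Both would yield one
# querylog line per query; only the traffic shows which client pipelined.
SERIAL = [("c2s", build_msg(1, False)), ("s2c", build_msg(1, True)),
          ("c2s", build_msg(2, False)), ("s2c", build_msg(2, True))]
PIPELINED = [("c2s", build_msg(1, False) + build_msg(2, False)),
             ("c2s", build_msg(3, False)[:5]),      # third query split across segments
             ("c2s", build_msg(3, False)[5:]),
             ("s2c", build_msg(3, True)), ("s2c", build_msg(1, True)),
             ("s2c", build_msg(2, True))]           # answers arrive out of order
```

`analyze(SERIAL)` returns `(2, 1)` and `analyze(PIPELINED)` returns `(3, 3)`; feeding the chunks of a real connection from a capture tool in the same form gives the per-connection answer that the querylog cannot.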