Re: [dns-operations] dnspooq

2021-01-21 Thread Ralf Weber
Moin!

On 21 Jan 2021, at 13:48, Yasuhiro Orange Morishita / 森下泰宏 wrote:
> I know that section 6 of RFC 5452 describes 'in-domain checking'
> for full-service resolvers, but I can't find any RFCs describing the
> same checking for DNS forwarders...
The DNS forwarders term didn’t appear in an RFC before 7719, so I guess
there is no such description.

> Moreover, the whitepaper describes this as follows:
>
>   "We acknowledge that this is not a vulnerability per se, and
>   moreover is reasonable behavior, though it magnifies the attack and
>   similar types of attacks."
>
> Isn't it really a vulnerability?
I agree for a real DNS forwarder (aka proper resolver acting as a
forwarder), but for a DNS proxy there really is no other option than
to give the packet back to the client (stub resolver) and let it deal
with it.

So long
-Ralf
——-
Ralf Weber
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] dnspooq

2021-01-21 Thread Yasuhiro Orange Morishita / 森下泰宏
Hi,

> fyi
> https://www.jsof-tech.com/disclosures/dnspooq/

I've read a technical whitepaper of the DNSpooq[*1] from JSOF,
and I have a question about response validation in DNS forwarders.

[*1] DNSpooq - Cache Poisoning and RCE in Popular DNS Forwarder dnsmasq
 

Section 3.4 of the whitepaper describes that dnsmasq doesn't perform the
'in-domain' check, and that dnsmasq accepts the following answer (and
overwrites an existing cache of www.bank.com) from the upstream
full-service resolver.

  ;; ANSWER SECTION:
  www.example.com. IN CNAME www.bank.com.
  www.bank.com. IN A 6.6.6.6

I know that section 6 of RFC 5452 describes 'in-domain checking'
for full-service resolvers, but I can't find any RFCs describing the
same checking for DNS forwarders...

Moreover, the whitepaper describes this as follows:

  "We acknowledge that this is not a vulnerability per se, and
  moreover is reasonable behavior, though it magnifies the attack and
  similar types of attacks."

Isn't it really a vulnerability?

-- Orange

From: FUSTE Emmanuel 
Subject: Re: [dns-operations] dnspooq
Date: Thu, 21 Jan 2021 11:29:16 +

> On 21/01/2021 at 12:07, Stephane Bortzmeyer wrote:
>> On Tue, Jan 19, 2021 at 03:53:04PM +,
>>   Roy Arends  wrote
>>   a message of 7 lines which said:
>>
>>> fyi
>>>
>>> https://www.jsof-tech.com/disclosures/dnspooq/
>> Real vulnerabilities and good technical work but why do they feel the
>> need to add references to the "Internet DNS Architecture" (it is not a
>> DNS problem, purely bugs in an implementation) or to HSTS (what's its
>> relationship with a bug in a DNS program?)?
>>
>> To get more attention?
>>
> Yes I stop reading past this. Very bad editorial choice in my opinion.
> But sadly the modern/actual way of informing: sensationalism, up to the 
> border of the fake.
> 
> Emmanuel.
> 
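
The in-domain check discussed in this thread, applied to the answer section quoted above, as an added example that is not part of the original messages and is not dnsmasq code. The function names are hypothetical, and defaulting the bailiwick to the query name is an assumption made here because a forwarder does not know the zone its upstream answered from.

```python
"""In-domain check over an answer section (sample data constructed from the thread)."""

def labels(name):
    # DNS names compare case-insensitively; a trailing dot is ignored.
    # The root name "." becomes an empty label list.
    return [label for label in name.lower().split(".") if label]

def in_domain(owner, bailiwick):
    # Compare whole labels from the right, so "notexample.com" is not
    # treated as being inside "example.com".
    o, b = labels(owner), labels(bailiwick)
    return len(o) >= len(b) and o[len(o) - len(b):] == b

def split_answer(qname, answer, bailiwick=None):
    # Assumption: with no known zone, use the query name itself as the
    # bailiwick. Records outside it are not cached under their own name.
    bailiwick = qname if bailiwick is None else bailiwick
    cacheable, rejected = [], []
    for rr in answer:
        owner = rr[0]
        (cacheable if in_domain(owner, bailiwick) else rejected).append(rr)
    return cacheable, rejected

# Constructed from the answer section quoted in the message above.
ANSWER = [
    ("www.example.com.", "CNAME", "www.bank.com."),
    ("www.bank.com.", "A", "6.6.6.6"),
]

if __name__ == "__main__":
    keep, drop = split_answer("www.example.com.", ANSWER)
    for rr in keep:
        print("cache :", *rr)
    for rr in drop:
        print("reject:", *rr)
```

A forwarder applying this rule would have to resolve www.bank.com with a separate query instead of taking the A record from this response.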



Re: [dns-operations] dnspooq

2021-01-21 Thread FUSTE Emmanuel
On 21/01/2021 at 12:07, Stephane Bortzmeyer wrote:
> On Tue, Jan 19, 2021 at 03:53:04PM +,
>   Roy Arends  wrote
>   a message of 7 lines which said:
>
>> fyi
>>
>> https://www.jsof-tech.com/disclosures/dnspooq/
> Real vulnerabilities and good technical work but why do they feel the
> need to add references to the "Internet DNS Architecture" (it is not a
> DNS problem, purely bugs in an implementation) or to HSTS (what's its
> relationship with a bug in a DNS program?)?
>
> To get more attention?
>
Yes I stop reading past this. Very bad editorial choice in my opinion.
But sadly the modern/actual way of informing: sensationalism, up to the 
border of the fake.

Emmanuel.



Re: [dns-operations] dnspooq

2021-01-21 Thread Stephane Bortzmeyer
On Tue, Jan 19, 2021 at 03:53:04PM +,
 Roy Arends  wrote 
 a message of 7 lines which said:

> fyi
> 
> https://www.jsof-tech.com/disclosures/dnspooq/

Real vulnerabilities and good technical work but why do they feel the
need to add references to the "Internet DNS Architecture" (it is not a
DNS problem, purely bugs in an implementation) or to HSTS (what's its
relationship with a bug in a DNS program?)?

To get more attention?