[Dnsmasq-discuss] Client retries broken in 2.84

Nicholas Mu nhmu at alumni.cmu.edu
Tue Feb 16 00:42:24 UTC 2021


Hi,

I noticed a low level increase in DNS errors after upgrading to 2.84. After
doing some packet diving, it seems that retries behave differently in the
new version. For my testing, I'm using dnspython but I believe this issue
would affect any client that uses different source ports and query ids for
retries. As a result, dnspython will attempt retries for up to 30 seconds
and will eventually time out as only a single packet is ever sent and
retries are rendered ineffective.

On 2.82, multiple packets are sent as dnspython retries. Note the retries
are using different source ports and query ids:

[ec2-user at ip-172-31-44-29 src]$ grep cell-1 /tmp/dnsmasq-2.82
19:59:03.826638 IP 172.31.44.29.44547 > 172.31.0.2.53: 51880+ NS? somedomain. (64)
19:59:05.928335 IP 172.31.44.29.33363 > 172.31.0.2.53: 41382+ NS? somedomain. (64)
19:59:08.130620 IP 172.31.44.29.21177 > 172.31.0.2.53: 36073+ NS? somedomain. (64)
19:59:10.532792 IP 172.31.44.29.57223 > 172.31.0.2.53: 50309+ NS? somedomain. (64)

On 2.84, only a single packet is sent:

[ec2-user at ip-172-31-44-29 src]$ grep cell-1 /tmp/dnsmasq-2.84
19:53:12.189849 IP 172.31.44.29.5335 > 172.31.0.2.53: 826+ NS? somedomain. (64)

I also tested using dig, nslookup, and host which all use the same source
port and query id on retries. The behavior works as intended on both
versions. I would suspect the following commit is responsible for this
behavior change:

	Handle multiple identical near simultaneous DNS queries better.
	Previously, such queries would all be forwarded
	independently. This is, in theory, inefficient but in practice
	not a problem, _except_ that it means that an answer for any
	of the forwarded queries will be accepted and cached.
	An attacker can send a query multiple times, and for each repeat,
	another {port, ID} becomes capable of accepting the answer he is
	sending in the blind, to random IDs and ports. The chance of a
	successful attack is therefore multiplied by the number of repeats
	of the query. The new behaviour detects repeated queries and
	merely stores the clients sending repeats so that when the
	first query completes, the answer can be sent to all the
	clients who asked. Refer: CVE-2020-25686.

Is this intended? Seems to me any clients with retry behavior similar
to dnspython are now broken. Clients will hang until their configured
timeouts are reached on any single DNS failure.

Thanks,

Nick
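The following is an added, constructed model of the two forwarding behaviours contrasted in the post (it is not dnsmasq source and does not reproduce its data structures): `merge_repeats=False` stands in for 2.82, where every client retry is forwarded on its own {port, ID}; `merge_repeats=True` stands in for the 2.84 behaviour described in the commit message, where repeats of an in-flight query are queued behind the first one. It shows both sides of the trade-off: with merging, a single forwarded packet exists for a blind spoofer to hit, and a single upstream reply satisfies every retrying client; but if the upstream never answers, a dnspython-style client that retries with fresh ports and IDs generates no further upstream packet and hangs until its own timeout.

```python
# Constructed model, not dnsmasq source: compares forwarding every client retry
# independently (2.82-style) with merging repeats of an in-flight query
# (2.84-style, the CVE-2020-25686 change). Names and structure are assumptions.
from collections import defaultdict
import random


class Forwarder:
    def __init__(self, merge_repeats):
        self.merge_repeats = merge_repeats
        self.upstream_sent = []            # forwarded queries as (qname, src_port, query_id)
        self.waiters = defaultdict(list)   # (qname, qtype) -> clients waiting on that answer

    def client_query(self, qname, qtype, client_port, client_id):
        key = (qname, qtype)
        self.waiters[key].append((client_port, client_id))
        if self.merge_repeats and len(self.waiters[key]) > 1:
            return False                   # repeat of an in-flight query: nothing sent upstream
        # Each forwarded {port, ID} pair is one more slot a blind spoofed reply could fit.
        self.upstream_sent.append((qname, random.randrange(1024, 65536), random.randrange(65536)))
        return True

    def upstream_answer(self, qname, qtype):
        # One upstream reply satisfies every client queued under the same key.
        return self.waiters.pop((qname, qtype), [])


def simulate(merge_repeats, upstream_replies, retries=4):
    """Model a dnspython-style client: each retry uses a fresh source port and ID."""
    fwd = Forwarder(merge_repeats)
    for _ in range(retries):
        fwd.client_query("somedomain.", "NS",
                         random.randrange(1024, 65536), random.randrange(65536))
    answered = fwd.upstream_answer("somedomain.", "NS") if upstream_replies else []
    return {
        "upstream_packets": len(fwd.upstream_sent),   # spoofing targets created
        "clients_answered": len(answered),            # retries that got a reply
    }


if __name__ == "__main__":
    for merge in (False, True):
        for replies in (True, False):
            print(f"merge={merge} upstream_replies={replies}: {simulate(merge, replies)}")
```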