[Dnsmasq-discuss] dnsmasq mishandles some cases when bad dns response packet is received
ZhangJiangyu 张江瑜
zhangjiangyu at zju.edu.cn
Sat Nov 12 02:30:09 UTC 2022
Hi,
Description
When the DNS forwarder iteratively queries a malicious domain name server, that server returns some malformed DNS packets, and dnsmasq returns the packet to the client without proper verification, which gives the user untrustworthy or malicious data. Other authoritative DNS servers perform the correct verification. There are three bugs below; you can start a fake domain name server locally and have it return specific data.
Steps to reproduce
1. Start a fake name server that returns a specific payload.
2. Start dnsmasq. The configuration options are as follows:
```
port=53
no-daemon
no-resolv
server = 127.0.0.1
bind-interfaces
no-hosts
```
3. Send the corresponding DNS request.
First bug
When the query class is 0x01 and the returned answer carries a wrong class in the answer record, the packet is still forwarded to the client. Wrong class values include 0xdf01, 0x2001, 0x4001, 0x0801, 0x1001, 0x0401, 0x0201, 0x0101, 0x0081, 0x0041, 0x0021, 0x0011, 0x0009, 0x0005, 0x0003, 0x0000, etc. The rcode of the packet returned by dnsmasq is 0.
Expected/Actual behavior:
bind, maradns, knot-resolver and pdns all return response packets with rcode 2.
Reproduction data:
The first four bytes are the length.
request1
response1
Second bug
When there is an error in the domain name of the answer record, dnsmasq returns the bad packet to the client. The rcode of the packet returned by dnsmasq is 0.
Expected/Actual behavior:
bind, maradns and pdns all return response packets with rcode 2; knot-resolver returns response packets with rcode 3.
Reproduction data:
The first four bytes are the length.
request2
response2
Third bug
When the DNS packet returned by the domain name server has redundant data, it is not detected. The rcode of the packet returned by dnsmasq is 0.
Expected/Actual behavior:
bind, maradns and pdns all return response packets with rcode 2; knot-resolver returns response packets with rcode 3.
Reproduction data:
The first four bytes are the length.
request3
response3
Thanks
P1n9
Zhejiang University
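The report compares dnsmasq with resolvers that answer SERVFAIL (rcode 2) when an upstream response is malformed. The following is an added example, not dnsmasq's code and not the reporter's attachments: a Python checker that parses a DNS response and rejects the three shapes described above, an answer RR whose CLASS differs from the question's, an owner name that does not decode, and bytes left over after the declared record counts. The packets, the name example.test, the self-pointing compression pointer used as the broken name, and the EDNS OPT exemption are assumptions made for the example; the reporter's actual request/response bytes are not on the page.

```python
"""Sanity checks for a DNS response received from an upstream server.

Constructed example (not dnsmasq's code): it rejects the three malformed
shapes described in the report so they never reach the client.
"""
from __future__ import annotations
import struct

TYPE_OPT = 41  # EDNS OPT pseudo-RR: its CLASS field carries the UDP payload size


class MalformedResponse(Exception):
    """Raised for anything a forwarder should answer with SERVFAIL (rcode 2)."""


def read_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name at pkt[off:].

    Returns (dotted name, offset just past the name on the wire). Pointers must
    point strictly backwards, which rules out loops and forward references.
    """
    labels, end = [], None
    while True:
        if off >= len(pkt):
            raise MalformedResponse("name runs past end of packet")
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer
            if off + 1 >= len(pkt):
                raise MalformedResponse("truncated compression pointer")
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if ptr >= off:
                raise MalformedResponse("bad compression pointer")
            end = end if end is not None else off + 2
            off = ptr
            continue
        if length & 0xC0:  # 0x40 / 0x80 label types are not valid here
            raise MalformedResponse("reserved label type")
        label = pkt[off + 1:off + 1 + length]
        if len(label) != length:
            raise MalformedResponse("truncated label")
        labels.append(label.decode("ascii", errors="backslashreplace"))
        off += 1 + length
    return ".".join(labels) + ".", (off if end is None else end)


def check_response(pkt: bytes) -> dict:
    """Parse a response and raise MalformedResponse on any of the three bugs."""
    if len(pkt) < 12:
        raise MalformedResponse("short header")
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        qname, off = read_name(pkt, off)
        if off + 4 > len(pkt):
            raise MalformedResponse("truncated question")
        questions.append((qname,) + struct.unpack_from("!HH", pkt, off))  # (name, type, class)
        off += 4
    qclass = questions[0][2] if questions else None
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(pkt, off)  # bug 2: a broken owner name raises here
            if off + 10 > len(pkt):
                raise MalformedResponse("truncated RR header")
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
            off += 10
            if off + rdlen > len(pkt):
                raise MalformedResponse("RDATA runs past end of packet")
            # bug 1: every RR must carry the question's class (OPT is the one exception)
            if qclass is not None and rclass != qclass and not (section == "additional" and rtype == TYPE_OPT):
                raise MalformedResponse(f"{section} RR class 0x{rclass:04x} != query class 0x{qclass:04x}")
            records.append((section, name, rtype, rclass, ttl, pkt[off:off + rdlen]))
            off += rdlen
    if off != len(pkt):  # bug 3: redundant bytes after the last declared record
        raise MalformedResponse(f"{len(pkt) - off} trailing byte(s) after the last record")
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "records": records}


def verdict(pkt: bytes) -> str:
    """What a forwarder should do: pass a clean answer, SERVFAIL anything else."""
    try:
        check_response(pkt)
        return "ok"
    except MalformedResponse as exc:
        return f"servfail: {exc}"


# --- constructed test packets (assumed data, not the reporter's attachments) ---

def wire_name(name: str) -> bytes:
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in name.rstrip(".").split(".")) + b"\x00"


def build_response(qname: str, rclass: int = 1, owner: bytes = b"", trailer: bytes = b"") -> bytes:
    """One A answer for qname with a pluggable RR class, owner name and trailing junk."""
    question = wire_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    owner = owner or wire_name(qname)
    answer = owner + struct.pack("!HHIH", 1, rclass, 300, 4) + bytes([192, 0, 2, 1])
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, rcode 0, 1 question, 1 answer
    return header + question + answer + trailer


QNAME = "example.test."
# A compression pointer that points at itself, i.e. at the answer's own owner field.
SELF_POINTER = struct.pack("!H", 0xC000 | (12 + len(wire_name(QNAME)) + 4))

if __name__ == "__main__":
    print("clean     :", verdict(build_response(QNAME)))
    print("bad class :", verdict(build_response(QNAME, rclass=0x0005)))
    print("bad name  :", verdict(build_response(QNAME, owner=SELF_POINTER)))
    print("trailing  :", verdict(build_response(QNAME, trailer=b"\x00" * 8)))
```

The class check is applied to every section, not just the answer, because a forwarder caches authority and additional records too; the OPT pseudo-RR is exempted since RFC 6891 reuses its CLASS field for the requestor's UDP payload size. Rejecting forward and self-referential compression pointers is what makes the name decoder terminate on arbitrary input.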