[Dnsmasq-discuss] dnsmasq mishandles some cases when bad dns response packet is received
zhangJiangyu
zhangjiangyu at zju.edu.cn
Sun Nov 13 02:23:55 UTC 2022
On Sat, Nov 12, 2022 at 04:15:38PM +0800, Geert Stappers via Dnsmasq-discuss wrote:
> On Sat, Nov 12, 2022 at 10:30:09AM +0800, ZhangJiangyu 张江瑜 via Dnsmasq-discuss wrote:
> > Hi,
> >
> > Description
> >
> > When the DNS forwarder iteratively queries the malicious domain name
> > server, it returns some malformed DNS packets, and dnsmasq returns the
> > packet to the client without proper verification, which will give the
> > user untrusted or malicious data. Other authoritative DNS servers
> > have done correct verification. There are three bugs below; you can
> > start a fake domain name server locally and return specific data.
> >
> > Steps to reproduce
> >
> > 1. Turn on a fake name server and return a specific payload.
> How?
Hi,
Thanks to Geert Stappers for the advice on replying to the mailing list.
You need a few steps to reproduce:
* Run the command (sudo python3 dns_server.py "response filename path") to listen on port 53. This will start a fake DNS server, receive the request, and return the result.
* Start the dnsmasq software to listen on port 5353.
* The configuration file is as follows:

    port=5353
    no-daemon
    no-resolv
    server = 127.0.0.1
    bind-interfaces
    no-hosts

* Run the command (./dnsmasq -C ./dnsmasq.conf) to start dnsmasq.
* Run the command (python3 dns_request.py "request filename path" 5353) to send the request; dnsmasq will forward the request to our fake DNS server, return the message and then return it to the client.
* Analyze the message returned to the client; you will find that there is a problem with the message and that the correct verification is not done.
Next, I will give the download links of the corresponding Python scripts, request files and response files, which can be reproduced after downloading.
* dns_request.py
    * https://643684107.oss-cn-beijing.aliyuncs.com/dns/dns_request.py
* dns_server.py
    * https://643684107.oss-cn-beijing.aliyuncs.com/dns/dns_server.py
* first bug:
    * request file: https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request1
    * response file: https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response1
* second bug:
    * request file: https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request2
    * response file: https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response2
* third bug:
    * request file: https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request3
    * response file: https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response3
Thanks,
P1n9
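
Added example, not part of the original post and not dnsmasq code: when analyzing the reply that reaches the client in the last step, structural checks like the ones below show whether an upstream response is internally consistent with the query. The checks are generic DNS wire-format sanity tests chosen for illustration (the message does not describe the three malformed payloads), and all names and sample packets are constructed.

```python
import struct

def within(msg, off, what):
    if off > len(msg):
        raise ValueError(what + " runs past end of packet")
    return off

def skip_name(msg, off):
    """Return the offset just past the encoded name that starts at off."""
    while True:
        length = msg[within(msg, off + 1, "name") - 1]  # bounds-checked msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return within(msg, off + 2, "compression pointer")
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length

def check_response(query, response):
    """Return the reasons (if any) not to relay response for query."""
    if len(response) < 12 or len(query) < 12:
        return ["shorter than DNS header"]
    rid, flags, qd, an, ns, ar = struct.unpack("!6H", response[:12])
    problems = []
    if rid != struct.unpack("!H", query[:2])[0]:
        problems.append("ID mismatch")
    if not flags & 0x8000:
        problems.append("QR bit not set")
    if qd != 1:
        return problems + ["QDCOUNT is not 1"]
    try:
        q_end = within(query, skip_name(query, 12) + 4, "query question")
        off = within(response, skip_name(response, 12) + 4, "question")
        if (response[12:off - 4].lower() != query[12:q_end - 4].lower()
                or response[off - 4:off] != query[q_end - 4:q_end]):
            problems.append("question does not match query")
        for _ in range(an + ns + ar):  # header counts must match real records
            off = within(response, skip_name(response, off) + 10, "RR header")
            rdlen = struct.unpack("!H", response[off - 2:off])[0]
            off = within(response, off + rdlen, "RDATA")
        if off != len(response):
            problems.append("trailing bytes after last record")
    except ValueError as exc:
        problems.append(str(exc))
    return problems

# Constructed samples: example.test A/IN query; BAD's ANCOUNT claims 2 records.
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x04test\x00\x00\x01\x00\x01"
RR = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
GOOD, BAD = (struct.pack("!6H", 0x1234, 0x8180, 1, n, 0, 0) + QUERY[12:] + RR for n in (1, 2))
```

Calling check_response(QUERY, BAD) reports that a name runs past the end of the packet, because the header promises a second answer record that is not there.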