[Dnsmasq-discuss] dnsmasq mishandles some cases when bad dns response packet is received

Wed Nov 23 11:56:08 UTC 2022

On Tue, Nov 22, 2022 at 09:42:28PM +0100, Petr Menšík wrote:
> On 19. 11. 22 0:12, Geert Stappers via Dnsmasq-discuss wrote:
> > On Wed, Nov 16, 2022 at 11:15:08AM +0800, zhangjiangyu via Dnsmasq-discuss wrote:
> > > On Mon, Nov 15, 2022 at 8:15:00PM +0800, Petr Menšík wrote:
> > > > > ...
> > > > But I admit we should add at least the most obvious checks. Would you
> > > > please make the responses in ldns-testns server format, so it would
> > > > be easier to test it? It allows also encoding the body in hex format, so
> > > > invalid responses are broken as well. It would be easier to test the bad
> > > > behaviour and prepare fixes for them. Are those links leading to DNS in
> > > > wire format? It would be simpler to read if pcap with them were used,
> > > > wireshark would visualise those responses well.
> > > 
> > >  ...
> > > 
> > > For ldns-testns, I don't know how to construct the corresponding data format,
> > A working example,  also attached
> > -----8<----8<------8<------------
> > ; ldns-testns data file
> > ;
         ....
> > SECTION QUESTION
> > cert00.example IN A
> > HEX_ANSWER_BEGIN
> >    a5 d5 85 80 00 01 00 01 00 00 00 01
> >    06 63 65 72 74 30 30     ; cert00
> >    07 65 78 61 6d 70 6c 65  ; example
> >    00 00 01 00 01 c0 0c 00 01 00 01 00 01 51 80 00 04
> >    c0 00 02 60  ; 192.0.2.96
> >    00 00 29 04 d0 00 00 00 00 00 1c 00
> >    0a 00 18 fc 1c f8 16 de 56 60 db 01 00 00 00 63
> >    71 51 9c a7 41 c7 90 7b 7a 87 c4
> > HEX_ANSWER_END
> > ENTRY_END
> > 
> > ;
> > ; Visit https://www.nlnetlabs.nl/documentation/ldns/index.html
> > ; for more information about 'ldns'.  It is the project that provides
> > ; the `ldns-testns` executable.
> > ;
> > ; l l
> > -----8<----8<------8<------------
> > 
> > > so I can only provide complete dns request and response messages.
> >    ;-)
> > 
> Created ldns-testns files for all queries. Also contains their body
> responses parsed by dig tool on that.

Thanks, they are added
to https://git.sr.ht/~stappers/cert_check_by_dnsmasq

However: Not yet verified.

When I have seen them working, there will be an attempt to merge to
files into a single ldns-testns-data file. So testing a next request can
be done without the need for stopping ldns-testns and restarting it with
a next response file. It will imply that requests need to differ. The
idea is changing 'cert01.example' in request2 and response2 into
'cert02.example', for request3 and response3 into 'cert03.example'. 

> Interesting cases, but I am not sure how much should dnsmasq validate those
> responses.  Most of these responses is valid DNS responses. Sure, not what
> client expected or needed, but I doubt we can make reasonable filter on
> dnsmasq side.

In https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q4/016721.html
is it being discussed.

Groeten
Geert Stappers
-- 
Silence is hard to parse