[Dnsmasq-discuss] dnsmasq returns malformed dns packets when bad dns request or response packet is received

Geert Stappers stappers at stappers.nl
Sat Dec 3 20:51:02 UTC 2022


On Fri, Nov 18, 2022 at 07:57:58PM +0800, 黄泸明 via Dnsmasq-discuss wrote:
> Hi,

Hello,

 
> Description:
> 1、When dnsmasq received malformed dns request packets as
> a DNS forwarder, it forwards the packets to the upstream name server
> without proper verification.
> 2、When the DNS forwarder iteratively
> queries the malicious domain name server, it returns some malformed
> dns packets, and dnsmasq returns the packet to the client without
> proper verification, which will give the user a distrust or malicious
> data. Other authoritative dns servers have done correct verification.
> 
> Steps to reproduce:
> 
> 1、Turn on a fake upstream name server, it will only change the
> flag of the received DNS packet to 0x8180 and return it to the packet
> sender(dnsmasq).
> You can do the above by the python script:
> https://643684107.oss-cn-beijing.aliyuncs.com/dnsmasq/dns_server.py
> Download it and run like this:
> python3 dns_server.py 5353
> 2、start dnsmasq. The configuration options are as follows:
> ```
> port=5353
> no-daemon
> no-resolv
> server = 127.0.0.1
> bind-interfaces
> no-hosts
> 
> ```
> 3、Send the corresponding dns request, the specific construction
> method of the dns request packet is as follows:
> Set the the fifth 4-bytes to 0x00e3(or other numbers except 0x0000),
> which represents the number of Authority RRs is 0x00e3, and set the
> authoritative nameservers section to empty.
> You can do the above by these two files:https://643684107.oss-cn-beijing.aliyuncs.com/dnsmasq/dns_request.py
> https://643684107.oss-cn-beijing.aliyuncs.com/dnsmasq/request
> Download them and run like this:
> python3 dns_request.py request 5353
> Then the fake upstream name server will show this:
> UDP: Received 32 bytes from ('127.0.0.1', 44486)
> 0000  DE 0C 01 00 00 01 00 00 00 E3 00 00 06 63 65 72    .............cer
> 0010  74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01    t01.example..%..
> UDP: Sending 32 bytes to ('127.0.0.1', 44486)
> 0000  DE 0C 81 80 00 01 00 00 00 E3 00 00 06 63 65 72    .............cer
> 0010  74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01    t01.example..%..
> UDP: Done
> 
> We can find that dnsmasq doesn't find that the request packet is malformed
> and forwards it to the fake upstream name server.
> Then the client will show this:
> Sending DNS query to 127.0.0.1:5353
> DNS query data:
> 0000  31 32 01 00 00 01 00 00 00 E3 00 00 06 63 65 72    12...........cer
> 0010  74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01    t01.example..%..
> Received DNS response from 127.0.0.1:5353
> DNS response data:
> 0000  31 32 81 80 00 01 00 00 00 E3 00 00 06 63 65 72    12...........cer
> 0010  74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01    t01.example..%..
> We can find that dnsmasq returns a malformed dns packet to the
> client. The flag and the Authority RRs are not changed.
> 
> In contrast, Bind (a DNS resolver like Unbound) returns the correctly
> formatted dns packet:
> Sending DNS query to 127.0.0.1:7777
> DNS query data:
> 0000  31 32 01 00 00 01 00 00 00 E3 00 00 06 63 65 72    12...........cer
> 0010  74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01    t01.example..%..
> Received DNS response from 127.0.0.1:7777
> DNS response data:
> 0000  31 32 81 01 00 01 00 00 00 00 00 00 06 63 65 72    12...........cer
> 0010  74 30 31 07 65 78 61 6D 70 6C 65 00 00 25 00 01    t01.example..%..
> 
> Thanks
> 
> M1ngkvv1nd
> Zhejiang University

That was sent while thread https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q4/016687.html
was going on. In https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q4/016749.html
is "That should cover both the examples above."

Unknown to me is if the above example is covered.

Thing that I do know is that the "response" was not announced.
( there is https://643684107.oss-cn-beijing.aliyuncs.com/dnsmasq/request )

If the response is ever published, I do hope that it is for
"cert04.example" and the request has also "cert04".  Idea behind it is
making it possible to make 1 ldns-testns-datafile for several requests.
That ldns-testns can match / respond to distinctive certNN.example requests.


Groeten
Geert Stappers
-- 
Silence is hard to parse
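For anyone wanting to check this class of packet without the linked scripts, the following is an added example written for this archive page; it is not code from the report, from dnsmasq or from Bind. The sample bytes are copied from the hexdumps quoted above (request ID 0xde0c with NSCOUNT=0xe3 and an empty authority section, the client's copy with ID 0x3132, and Bind's reply); the WELLFORMED_REQUEST constant and all function names are my own. It walks every section the header counts claim, reports where the bytes run out, and builds a FORMERR reply in the same shape Bind returned (QR and RD set, RCODE=1, the question echoed, the other counts zeroed).

```python
"""Walk a DNS wire-format message section by section and check that every
record the header counts claim is actually present (RFC 1035, section 4.1)."""
import struct

# Sample bytes, copied from the hexdumps in the report above.
QUESTION = bytes.fromhex("06 636572743031 07 6578616d706c65 00 0025 0001")  # cert01.example CERT IN
MALFORMED_REQUEST = bytes.fromhex("de0c 0100 0001 0000 00e3 0000") + QUESTION  # NSCOUNT=0xe3, no records
CLIENT_REQUEST = bytes.fromhex("3132 0100 0001 0000 00e3 0000") + QUESTION
BIND_RESPONSE = bytes.fromhex("3132 8101 0001 0000 0000 0000") + QUESTION     # what Bind sent back
# Constructed for this example: the same query with a truthful NSCOUNT of zero.
WELLFORMED_REQUEST = bytes.fromhex("de0c 0100 0001 0000 0000 0000") + QUESTION

FLAG_QR, FLAG_RD, RCODE_FORMERR = 0x8000, 0x0100, 1

class DNSFormatError(ValueError):
    """Raised when the header counts disagree with the bytes on the wire."""

def parse_name(msg, offset):
    """Decode a domain name at offset; returns (name, offset after the name).
    Compression pointers may only point backwards into data after the header."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise DNSFormatError("name runs past end of message")
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                        # compression pointer
            if offset + 2 > len(msg):
                raise DNSFormatError("truncated compression pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if target < 12 or target >= offset:
                raise DNSFormatError("compression pointer does not point backwards")
            if end is None:
                end = offset + 2                         # name ends after the first pointer
            offset, hops = target, hops + 1
            if hops > 63:
                raise DNSFormatError("too many compression hops")
            continue
        if length & 0xC0:
            raise DNSFormatError("reserved label type")
        offset += 1
        if offset + length > len(msg):
            raise DNSFormatError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_message(msg):
    """Parse header, question and the three record sections; raise DNSFormatError
    if any section is shorter than its count in the header."""
    if len(msg) < 12:
        raise DNSFormatError("header shorter than 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = parse_name(msg, offset)
        if offset + 4 > len(msg):
            raise DNSFormatError("question truncated")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            if offset >= len(msg):
                raise DNSFormatError(f"header claims {count} {section} records, "
                                     f"message ends after {len(sections[section])}")
            name, offset = parse_name(msg, offset)
            if offset + 10 > len(msg):
                raise DNSFormatError(f"{section} record header truncated")
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            if offset + rdlen > len(msg):
                raise DNSFormatError(f"{section} rdata truncated")
            sections[section].append((name, rtype, rclass, ttl, msg[offset:offset + rdlen]))
            offset += rdlen
    if offset != len(msg):
        raise DNSFormatError(f"{len(msg) - offset} trailing bytes after last section")
    return {"id": ident, "flags": flags, "questions": questions, **sections}

def validate(msg):
    """(True, None) for a consistent message, (False, reason) otherwise.
    A forwarder would drop or answer FORMERR instead of relaying on False."""
    try:
        parse_message(msg)
        return True, None
    except DNSFormatError as exc:
        return False, str(exc)

def formerr_response(request):
    """Build the reply Bind gave in the report: same ID, QR set, RD copied,
    RCODE=FORMERR, the question echoed if it parses, all other counts zero."""
    ident = struct.unpack("!H", request[:2])[0] if len(request) >= 2 else 0
    rd = (struct.unpack("!H", request[2:4])[0] & FLAG_RD) if len(request) >= 4 else 0
    question, qd = b"", 0
    if len(request) >= 12 and struct.unpack("!H", request[4:6])[0] >= 1:
        try:
            _, end = parse_name(request, 12)
            if end + 4 <= len(request):
                question, qd = request[12:end + 4], 1
        except DNSFormatError:
            pass
    return struct.pack("!6H", ident, FLAG_QR | rd | RCODE_FORMERR, qd, 0, 0, 0) + question
```

Running validate(MALFORMED_REQUEST) reports that the header claims 227 authority records while the message ends after 0, which is exactly the check the report says is missing, and formerr_response(CLIENT_REQUEST) reproduces the 32 bytes Bind returned byte for byte. The parser is deliberately strict about trailing bytes and forward compression pointers; a production forwarder may choose to tolerate the former.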
