[Dnsmasq-discuss] dnsmasq mishandles some cases when bad dns response packet is received

Geert Stappers stappers at stappers.nl
Sat Dec 3 22:38:21 UTC 2022 

On Mon, Nov 14, 2022 at 02:36:46PM +0100, Geert Stappers via Dnsmasq-discuss wrote:
> On Mon, Nov 14, 2022 at 11:15:13AM +0800, zhangjiangyu via Dnsmasq-discuss wrote:
> > On Sun, Nov 13, 2022 at 9:15:43PM +0800, Geert Stappers via Dnsmasq-discuss wrote:
> > > 
> > > What I think what would help for getting more attention to the "problem",
> > > is having a `request0` and `response0` that is a valid / known good
> > > CERT query. 
> > 
> > Hi,
> > 
> > The original valid response is like this:
> > |HEADER
> > |31  32  81  80  00  01  00  01  00  02  00  01
> > |
> > |QUESTION
> > |06  63  65  72  74  30  31  07  65  78  61  6d  70  6c  65  00 00  25 00  01
> > |
> > |ANSWER
> > |c0  0c  00  25  00  01  00  00  00  00  00  55  
> > |        ff  fe  ff  ff  fe  33  11  5c  6f  2f  64  ff  2b  de  74  c7
> > |        d0  80  ac  e1  1f  97  ab  d0  cb  bf  bc  82  f3  e3  92  24
> > |        b2  47  1e  14  68  22  58  29  ff  1b  11  e1  6a  2e  95  02
> > |        e1  c0  a0  d5  33  e1  8a  14  d6  d5  5f  48  24  aa  41  89
> > |        fa  ff  fd  75  53  a3  65  77  cd  23  11  e0  bc  69  3a  ce
> > |        f8  a2  a6  09  a6
> > |
> > |AUTHORITY
> > |c0  13  00  02  00  01  00  00  00  00  00 06  
> > |        03  6e  73  34  c0  13
> > |
> > |c0  13  00  02  00  01  00  00  00  00  00  06  
> > |        03  6e  73  32  c0  13
> > |
> > |ADDITIONAL
> > |00  00  29  10  00  00  00 00  00  00  00
> > Here is the download link for the valid message:
> > * request0 file: https://643684107.oss-cn-beijing.aliyuncs.com/dns/request0
> > * response0 file: https://643684107.oss-cn-beijing.aliyuncs.com/dns/response0
> 
> Downloaded and added to public git repository https://git.sr.ht/~stappers/cert_check_by_dnsmasq
>  ( Do `git clone https://git.sr.ht/~stappers/cert_check_by_dnsmasq` for getting a clone of it. )
> 
> 
> > It can be found by comparison. 
> 
> What I noticed is that dnsmasq, version 2.87 as in Debian, did not
> return response0 when request0 was asked.

Because the length prefix.


> The request-response-combos 1, 2 and 3 did work with the same dnsmasq.

Those combos had four bytes of length information at the beginning
of the file. And the Pyton scripts expect that those four are present.

> I shall retry with most recent dnsmasq. (Next action for this is for me.)
> 
> 
> > * For the first bug, The class value of answer record returned by
> >   response1 is wrong, but it is accepted by dnsmasq and returned to
> >   the client. Any modification of the answer record's class value is
> >   acceptable. The rcode of the dnsmasq returned packet is 0.
> > * For the second bug, The domain name compression pointer of answer
> >   record returned by response1 is wrong. The query domain name does
> >   not match the answer domain name. The rcode of the dnsmasq returned
> >   packet is 0.
> > * For the third bug, When the DNS packet returned by the domain name
> >   server has redundant data, it is not detected. The rcode of the
> >   dnsmasq returned packet is 0.
> 
> That information will I add to the above mentioned git repository.
 
Done (a while ago  (I might have report it already))
 
> > For these problems, other open source dns software has done correct
> > verification and returned to the client the message with rcode 2 or 3.
> 
> Yes.  Meanwhile I do understand what is being reported. It is the
> reason why I named the git repo  "cert check by dnsmasq".
> 
>  
> > > With `host -p 5353 -t CERT cert01.example.com 127.0.0.1`
> > > or `dig @127.0.0.1 -p 5353 -t CERT cert01.example.com` being a replacement
> > > for the `python3 dns_request.py request0 5353`.
> > 
> > For this, I use the python code to receive the message forwarded to
> > the client for analysis.
> 
> Not sure if I did get that. Thing is that I now get why there
> is `dns_request.py` insteadof `dig` / `host`.  Having build a 'requestA'
> plus 'responseA', doing `dig @127.0.0.1 -t A -p 53530 cert01.example.com`
> and seeing 'bad' in
>   ; COOKIE: fc1cf816de5660db010000006371519ca741c7907b7a87c4 (bad)
> got me understand it.
> 
> 
> Groeten
> Geert Stappers
> 
> 
> P.S.
> 
> After doing
> 
>    git clone https://git.sr.ht/~stappers/cert_check_by_dnsmasq
>    cd cert_check_by_dnsmasq
> 
> I recomment doing `git log --reverse` do read how it evolved.

Update version  (-:

    git pull
    git log --reverse --since 2022-11-14
  

Groeten
Geert Stappers
-- 
Silence is hard to parse

More information about the Dnsmasq-discuss mailing list