Hi,

Description

When the DNS forwarder iteratively queries the malicious domain name server, it 
returns some malformed DNS packets, and dnsmasq returns the packet to the 
client without proper verification, which gives the user untrusted or 
malicious data.  Other authoritative DNS servers do this verification 
correctly.  There are three bugs below; you can start a fake domain name 
server locally and return specific data.

Steps to reproduce

1. Turn on a fake name server and return a specific payload.
2. Start dnsmasq. The configuration options are as follows:
```
port=53
no-daemon
no-resolv
server = 127.0.0.1
bind-interfaces
no-hosts
```

3. Send the corresponding DNS request.





First bug


When the query class is 0x01 and the returned answer carries a wrong class 
in the answer record, it is forwarded to the client. The wrong class types 
include 0xdf01, 0x2001, 0x4001, 0x0801, 0x1001, 0x0401, 0x0201, 0x0101, 
0x0081, 0x0041, 0x0021, 0x0011, 0x0009, 0x0005, 0x0003, 0x0000, etc. The rcode 
of the packet returned by dnsmasq is 0.

Expected/Actual behavior:

bind, maradns, knot-resolver and pdns all return response packets with rcode 2.

Reproduce data:
The first four bytes are the length.
request1
response1

Second bug

When there is an error in the domain name of the answer record, dnsmasq returns 
the bad packet to the client. The rcode of the packet returned by dnsmasq is 0.

Expected/Actual behavior:

bind, maradns and pdns all return response packets with rcode 2. knot-resolver 
returns response packets with rcode 3.

Reproduce data:
The first four bytes are the length.
request2
response2

Third bug

When the DNS packet returned by the domain name server has redundant data, it 
is not detected. The rcode of the packet returned by dnsmasq is 0.

Expected/Actual behavior:

bind, maradns and pdns all return response packets with rcode 2. knot-resolver 
returns response packets with rcode 3.

Reproduce data:
The first four bytes are the length.
request3
response3




Thanks

P1n9

Zhejiang University
_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
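The three checks the report describes (the answer class must match the query class, every owner name must decode, and nothing may follow the last record) are easy to see in code. The following is an added example and is not code from the report or from dnsmasq: a small Python script that builds the kind of reply a fake name server would send, with one keyword argument per malformation, and a validator that applies the checks the report says bind, knot-resolver, maradns and pdns perform. The query name example.com, the answer class 0xdf01 (taken from the report's list), the OPT exemption, and the use of an out-of-range compression pointer for the "bad name" case are assumptions; the report does not say which name error its response2 contains.

```python
"""Added example: build the three malformed replies from the dnsmasq report and
check them the way a careful forwarder should. Not dnsmasq's own code."""
import struct

QTYPE_A, QTYPE_OPT, QCLASS_IN = 1, 41, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_A, qclass: int = QCLASS_IN, txid: int = 0x1234) -> bytes:
    """Standard query: header with RD set, one question, no other sections."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def build_response(query: bytes, rdata: bytes = b"\x7f\x00\x00\x01", answer_class: int = QCLASS_IN,
                   corrupt_name: bool = False, trailing: bytes = b"") -> bytes:
    """Reply to `query` as a fake server would. Defaults give a well-formed A answer;
    answer_class / corrupt_name / trailing reproduce bugs 1, 2 and 3 respectively.
    Assumption: bug 2 is modelled as a compression pointer beyond the packet end."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, rcode 0, one answer
    owner = b"\xc0\xff" if corrupt_name else b"\xc0\x0c"        # pointer to offset 12 = question name
    rr = owner + struct.pack("!HHIH", QTYPE_A, answer_class, 300, len(rdata)) + rdata
    return header + query[12:] + rr + trailing


def parse_name(buf: bytes, off: int):
    """Decode a possibly compressed name at `off`; return (name, offset after it).
    Raises ValueError on truncation, unknown label types, or forward/out-of-range pointers."""
    labels, end = [], None
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if off + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | buf[off + 1]
            end = off + 2 if end is None else end
            if target >= off:                           # must point backwards: also rules out loops
                raise ValueError("bad compression pointer")
            off = target
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if length == 0:
            break
        if off + length > len(buf):
            raise ValueError("label runs past end of packet")
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def validate_response(query: bytes, resp: bytes):
    """Return None if `resp` is a well-formed reply to `query`, else a string naming
    the first problem. A forwarder would answer SERVFAIL instead of relaying it."""
    if len(resp) < 12:
        return "short header"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "transaction id / QR mismatch"
    try:
        qname, off = parse_name(query, 12)
        qtype, qclass = struct.unpack("!HH", query[off:off + 4])
        if qd != 1:
            return "unexpected question count"
        rname, off = parse_name(resp, 12)
        rtype, rclass = struct.unpack("!HH", resp[off:off + 4])
        off += 4
        if (rname.lower(), rtype, rclass) != (qname.lower(), qtype, qclass):
            return "question section does not match query"
        for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
            for _ in range(count):
                _name, off = parse_name(resp, off)           # bug 2: bad owner name raises here
                if off + 10 > len(resp):
                    return f"truncated {section} record"
                rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
                off += 10
                if off + rdlen > len(resp):
                    return f"{section} rdata runs past end of packet"
                off += rdlen
                # OPT reuses the class field for UDP payload size; every other RR must match.
                if rtype != QTYPE_OPT and rclass != qclass:  # bug 1
                    return f"{section} record class {rclass:#06x} does not match query class"
    except ValueError as e:
        return f"malformed name: {e}"
    except struct.error:
        return "truncated packet"
    if off != len(resp):                                     # bug 3
        return f"{len(resp) - off} trailing byte(s) after last record"
    return None


def demo():
    """Run the validator over a good reply and the three malformed ones."""
    q = build_query("example.com")                           # constructed sample query
    cases = {"good": build_response(q),
             "class": build_response(q, answer_class=0xDF01),
             "name": build_response(q, corrupt_name=True),
             "trailing": build_response(q, trailing=b"\x00" * 8)}
    return {k: validate_response(q, v) for k, v in cases.items()}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict or 'ok'}")
```

Running the file prints one verdict per case; only the well-formed reply yields `ok`. The validator deliberately parses the authority and additional sections too, since a forwarder that stops after the answer section cannot tell trailing garbage from legitimate additional records.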
