On Sun, Nov 13, 2022 at 10:23:55AM +0800, zhangJiangyu via Dnsmasq-discuss
wrote:
> On Sat, Nov 12, 2022 at 04:15:38PM +0800, Geert Stappers via Dnsmasq-discuss
> wrote:
> > On Sat, Nov 12, 2022 at 10:30:09AM +0800, ZhangJiangyu 张江瑜 via
> > Dnsmasq-discuss wrote:
> > > Hi,
> > >
> > > Description
> > >
> > > When the DNS forwarder iteratively queries the malicious domain name
> > > server, it returns some malformed dns packets, and dnsmasq returns the
> > > packet to the client without proper verification, which will give the
> > > user a distrust or malicious data. Other authoritative dns servers
> > > have done correct verification. there are three bugs below, you can
> > > start a fake domain name server locally and return specific data.
> > >
> > > Steps to reproduce
> > >
> > > 1、Turn on a fake name server and return a specific payload.
>
> > How?
>
> You need a few steps to reproduce:
>
> * Run the command (sudo python3 dns_server.py "response filename
> path") to listen on port 53. This will start a fake dns server,
> receive the request, and return the result.
> * Start the dnsmasq software to listen on port 5353.
> * The configuration file is as follows:
> "port=5353
> no-daemon
> no-resolv
> server = 127.0.0.1
server = 127.0.0.1#53531
See below for why
> bind-interfaces
> no-hosts"
> * Run the command (./dnsmasq -C ./dnsmasq.conf) to start the dnsmasq.
> * Run the command (python3 dns_request.py "request filename path"
> 5353) to send the request, dnsmasq will forward the request to our
> fake dns server, return the message and then return it to the client.
> * Analyze the message returned to the client, you will find that
> there is a problem with the message, and the correct verification
> is not done.
>
> Next, I will give the download link of the corresponding python
> script, request file and response file, which can be reproduced after
> downloading.
>
> * dns_server.py
> * https://643684107.oss-cn-beijing.aliyuncs.com/dns/dns_server.py
} import os
} import sys
} import socket
} import struct
} import threading
}
} def done(sock):
} try:
} sock.shutdown(socket.SHUT_RDWR)
} sock.close()
} except Exception as e:
} pass
}
} # The UDP server is contacted first
} def udp_server(name):
} sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
} sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
} server_address = '0.0.0.0'
} server_port = 53
server_port = 53531 # avoid conflict with existing DNS
}
} sock.bind((server_address, server_port))
} while True:
} try:
} recvd, client_address = sock.recvfrom(65535)
}
} print(recvd)
}
} inputfile = name
} data = None
} with open(inputfile, 'rb') as f:
} data = f.read()
} data = data[4:]
} data = data[2:]
}
} print(recvd[:2] + data)
}
} if len(recvd) > 2:
} sent = sock.sendto(recvd[:2] + data, client_address)
} except Exception as e:
} pass
}
} done(sock)
}
} def main():
} global stop_server
}
} stop_server = False
}
} # Sets up one server on UDP port 53
} udp_server(sys.argv[1])
}
} os._exit(0)
}
}
} if __name__ == '__main__':
} main()
> * dns_request.py
> * https://643684107.oss-cn-beijing.aliyuncs.com/dns/dns_request.py
> * first bug:
> * request file:
> https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request1
> * response file:
> https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response1
> * second bug:
> * request file:
> https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request2
> * response file:
> https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response2
> * third bug:
> * request file:
> https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request3
> * response file:
> https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response3
>
This worked for me:
wget https://643684107.oss-cn-beijing.aliyuncs.com/dns/dns_server.py
wget https://643684107.oss-cn-beijing.aliyuncs.com/dns/dns_request.py
wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request1
wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request2
wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request3
wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response3
wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response2
wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response1
Upon "run" I get something like:
| $ python3 dns_request.py request3 5353
| b'12\x81\x80\x00\x01\x02\x00\x01\x06cert01\x07example...\x03ns2\xc0\x13'
| $
The how to reproduce question is answered. Thanks.
However I don't understand the problem.
What I think what would help for getting more attention to the "problem",
is having a `request0` and `response0` that is a valid / known good
CERT query. With `host -p 5353 -t CERT cert01.example.com 127.0.0.1`
or `dig @127.0.0.1 -p 5353 -t CERT cert01.example.com` being a replacement
for the `python3 dns_request.py request0 5353`.
Groeten
Geert Stappers
--
Silence is hard to parse
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
