On Sun, Nov 13, 2022 at 10:23:55AM +0800, zhangJiangyu via Dnsmasq-discuss wrote:
> On Sat, Nov 12, 2022 at 04:15:38PM +0800, Geert Stappers via Dnsmasq-discuss wrote:
> > On Sat, Nov 12, 2022 at 10:30:09AM +0800, ZhangJiangyu 张江瑜 via Dnsmasq-discuss wrote:
> > > Hi,
> > >
> > > Description
> > >
> > > When the DNS forwarder iteratively queries the malicious domain name
> > > server, it returns some malformed DNS packets, and dnsmasq returns the
> > > packet to the client without proper verification, which will give the
> > > user distrusted or malicious data. Other authoritative DNS servers
> > > have done correct verification. There are three bugs below; you can
> > > start a fake domain name server locally and return specific data.
> > >
> > > Steps to reproduce
> > >
> > > 1. Turn on a fake name server and return a specific payload.
> >
> > How?
>
> You need a few steps to reproduce:
>
> * Run the command (sudo python3 dns_server.py "response filename path")
>   to listen on port 53. This will start a fake DNS server, receive the
>   request, and return the result.
> * Start the dnsmasq software to listen on port 5353.
> * The configuration file is as follows:
>   "port=5353
>   no-daemon
>   no-resolv
>   server = 127.0.0.1
server = 127.0.0.1#53531
See below for why
>   bind-interfaces
>   no-hosts"
> * Run the command (./dnsmasq -C ./dnsmasq.conf) to start dnsmasq.
> * Run the command (python3 dns_request.py "request filename path" 5353)
>   to send the request; dnsmasq will forward the request to our fake DNS
>   server, which returns the message, and dnsmasq then returns it to the
>   client.
> * Analyze the message returned to the client; you will find that there
>   is a problem with the message, and the correct verification is not
>   done.
>
> Next, I will give the download links of the corresponding Python
> script, request files and response files, which can be reproduced after
> downloading.
>
> * dns_server.py
>   * https://643684107.oss-cn-beijing.aliyuncs.com/dns/dns_server.py

} import os
} import sys
} import socket
} import struct
} import threading
}
} def done(sock):
}     try:
}         sock.shutdown(socket.SHUT_RDWR)
}         sock.close()
}     except Exception as e:
}         pass
}
} # The UDP server is contacted first
} def udp_server(name):
}     sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
}     sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
}     server_address = '0.0.0.0'
}     server_port = 53
      server_port = 53531  # avoid conflict with existing DNS
}
}     sock.bind((server_address, server_port))
}     while True:
}         try:
}             recvd, client_address = sock.recvfrom(65535)
}
}             print(recvd)
}
}             # Read the stored response, drop its first 6 bytes, and send it
}             # back under the transaction ID of the request just received.
}             inputfile = name
}             data = None
}             with open(inputfile, 'rb') as f:
}                 data = f.read()
}             data = data[4:]
}             data = data[2:]
}
}             print(recvd[:2] + data)
}
}             if len(recvd) > 2:
}                 sent = sock.sendto(recvd[:2] + data, client_address)
}         except Exception as e:
}             pass
}
}     done(sock)
}
} def main():
}     global stop_server
}
}     stop_server = False
}
}     # Sets up one server on UDP port 53
}     udp_server(sys.argv[1])
}
}     os._exit(0)
}
}
} if __name__ == '__main__':
}     main()

> * dns_request.py
>   * https://643684107.oss-cn-beijing.aliyuncs.com/dns/dns_request.py
> * first bug:
>   * request file:
>     https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request1
>   * response file:
>     https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response1
> * second bug:
>   * request file:
>     https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request2
>   * response file:
>     https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response2
> * third bug:
>   * request file:
>     https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request3
>   * response file:
>     https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response3
>

This worked for me:

  wget https://643684107.oss-cn-beijing.aliyuncs.com/dns/dns_server.py
  wget https://643684107.oss-cn-beijing.aliyuncs.com/dns/dns_request.py
  wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request1
  wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request2
  wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/request3
  wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response3
  wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response2
  wget https://qu-hexo-static.oss-cn-hangzhou.aliyuncs.com/ping/response1

Upon "run" I get something like:

| $ python3 dns_request.py request3 5353
| b'12\x81\x80\x00\x01\x02\x00\x01\x06cert01\x07example...\x03ns2\xc0\x13'
| $

The how-to-reproduce question is answered. Thanks.

However, I don't understand the problem.

What I think would help for getting more attention to the "problem"
is having a `request0` and `response0` that is a valid / known good
CERT query. With `host -p 5353 -t CERT cert01.example.com 127.0.0.1`
or `dig @127.0.0.1 -p 5353 -t CERT cert01.example.com` being a
replacement for the `python3 dns_request.py request0 5353`.

Groeten
Geert Stappers
-- 
Silence is hard to parse

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
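Geert asks above for a known-good CERT query and response to sit beside the three malformed ones. The script below is an added example, not part of the thread, of dnsmasq, or of the reporter's scripts: it builds such a pair for cert01.example.com (the name visible in the output above; the CERT rdata is constructed placeholder bytes, not a real certificate) and then applies the wire-format checks a forwarder would reasonably run on an upstream reply before handing it to a client: transaction ID and QR bit, question section echoing the query, every RR's name and RDLENGTH staying inside the message, the record counts matching the bytes actually present, and compression pointers only pointing backwards. These are generic DNS sanity checks and say nothing about what dnsmasq itself verifies or about what the three response files contain.

```python
# Added example for the thread above (not dnsmasq code, not the reporter's
# scripts): a well-formed CERT query/response pair and forwarder-side checks.
import struct

TYPE_CERT = 37   # RR type CERT, RFC 4398
CLASS_IN = 1
QNAME = "cert01.example.com"   # the name that appears in the thread

# Constructed CERT rdata: type=1 (PKIX), key tag=0, algorithm=0, then placeholder
# bytes standing in for a DER certificate (not a real certificate).
SAMPLE_RDATA = struct.pack("!HHB", 1, 0, 0) + b"constructed-cert-bytes"


def encode_name(name):
    # Dotted name -> uncompressed DNS labels, terminated by a zero-length label.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=TYPE_CERT):
    # Standard query: RD set, one question, no other sections.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, rdata, ttl=300):
    # QR|RD|RA, NOERROR, one question, one answer; the answer's owner name is
    # a compression pointer (0xc00c) back to the question name at offset 12.
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CERT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rr


def read_name(msg, off, depth=0):
    """Decode a possibly compressed name at off; return (labels, offset past it).
    Raises ValueError on reads past the end of msg or on pointer loops."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n == 0:
            return labels, off + 1
        if (n & 0xC0) == 0xC0:                 # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = ((n & 0x3F) << 8) | msg[off + 1]
            if ptr >= off or depth > 10:       # must point strictly backwards
                raise ValueError("bad compression pointer")
            tail, _ = read_name(msg, ptr, depth + 1)
            return labels + tail, off + 2
        if n > 63 or off + 1 + n > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def check_response(query, resp):
    """Return None if resp is a structurally sound reply to query, else a reason."""
    if len(resp) < 12:
        return "short header"
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        return "id mismatch"
    if not flags & 0x8000:
        return "QR bit not set"
    if qd != 1:
        return "unexpected qdcount"
    try:
        qname, off = read_name(resp, 12)
        if off + 4 > len(resp):
            return "truncated question"
        qtype, qclass = struct.unpack("!HH", resp[off:off + 4])
        off += 4
        want_name, q_off = read_name(query, 12)
        want_type, want_class = struct.unpack("!HH", query[q_off:q_off + 4])
        if (qname, qtype, qclass) != (want_name, want_type, want_class):
            return "question does not match query"
        for _ in range(an + ns + ar):           # walk every RR the counts promise
            _, off = read_name(resp, off)
            if off + 10 > len(resp):
                return "truncated RR header"
            rdlen = struct.unpack("!H", resp[off + 8:off + 10])[0]
            off += 10
            if off + rdlen > len(resp):
                return "rdlength exceeds message"
            off += rdlen
    except ValueError as e:
        return str(e)
    if off != len(resp):
        return "trailing bytes after last RR"
    return None


if __name__ == "__main__":
    q = build_query(0x3132, QNAME)   # 0x3132 shows up as b'12', as in the output above
    good = build_response(q, SAMPLE_RDATA)
    for label, r in [("well-formed", good), ("truncated rdata", good[:-3]),
                     ("ancount larger than data", good[:6] + b"\x00\x02" + good[8:])]:
        print(label, "->", check_response(q, r))
```

The pair returned by `build_query` and `build_response` is the kind of `request0`/`response0` baseline Geert suggests; once a reply passes `check_response`, whatever is still wrong with the three real responses has to be a semantic rather than a framing problem, which narrows the discussion. Note that `build_response` is not a drop-in for the reporter's response files, since `dns_server.py` strips the first 6 bytes of whatever file it is given.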