Skip to content

/ pdns

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dnsdist lua nxdomain spoof echoes flags and EDNS options #6348

Closed
Habbie opened this issue Mar 14, 2018 · 2 comments
Closed

dnsdist lua nxdomain spoof echoes flags and EDNS options #6348

Habbie opened this issue Mar 14, 2018 · 2 comments
Labels
defect dnsdist
Milestone
dnsdist-1.3.x

Comments

@Habbie
Copy link
Member

@Habbie Habbie commented Mar 14, 2018
edited

  • Program: dnsdist
  • Issue type: Bug report

Short description

When spoofing NXDOMAINs from a lua rule in dnsdist, the flags and EDNS options from the query blindly get echoed in the response completely, which is bad.

Environment

  • Operating system:
  • Software version: git master at 385aa46
  • Software source: git

Steps to reproduce

  1. `dnsdist.conf:
newServer('8.8.8.8')
function luarule(dq) if (dq.qtype==dnsdist.NAPTR) then return DNSAction.Nxdomain, "" else return DNSAction.Allow, "" end end
addLuaAction(AllRule(), luarule)
  1. [sudo] ./dnsdist -C dnsdist.conf
  2. dig nu.nl @127.0.0.1 -t naptr +subnet=65.66.67.68/20 +ednsopt=512:6563686f21206563686f21

Expected behaviour

; <<>> DiG 9.11.2 <<>> nu.nl @127.0.0.1 -t naptr +subnet=65.66.67.68/20 +ednsopt=512:6563686f21206563686f21
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14245
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nu.nl.				IN	NAPTR

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 14 21:21:04 CET 2018
;; MSG SIZE  rcvd: 72

Actual behaviour

; <<>> DiG 9.11.2 <<>> nu.nl @127.0.0.1 -t naptr +subnet=65.66.67.68/20 +ednsopt=512:6563686f21206563686f21
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14245
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 65.66.64.0/20/0
; COOKIE: e2faf6c3333ad720 (echoed)
; OPT=512: 65 63 68 6f 21 20 65 63 68 6f 21 ("echo! echo!")
;; QUESTION SECTION:
;nu.nl.				IN	NAPTR

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 14 21:21:04 CET 2018
;; MSG SIZE  rcvd: 72

Note the CLIENT-SUBNET, COOKIE and OPT lines. Also note that the flags: have been copied verbatim. Sending +noad' will remove ad from the answer. Same for +norec and rd, etc.
@Habbie Habbie mentioned this issue Mar 14, 2018
Closed
@Habbie Habbie changed the title dnsdist lua nxdomain spoof echoes EDNS options dnsdist lua nxdomain spoof echoes (EDNS) options Mar 14, 2018
@Habbie Habbie changed the title dnsdist lua nxdomain spoof echoes (EDNS) options dnsdist lua nxdomain spoof echoes flags and EDNS options Mar 14, 2018
@Habbie
Copy link
Member Author

@Habbie Habbie commented Mar 15, 2018

@rgacogne points out that a non-lua RcodeAction should also trigger this issue.
@RobinGeuze
Copy link
Contributor

@RobinGeuze RobinGeuze commented Mar 25, 2018

I've been trying to figure out how to best fix this. I could either remove the entire OPT record, just unset all flags and options, or just unset specific options and flags. The first two options might have unwanted side effects, and the last option might become alot of work to maintain. It might be better to allow you to specify what flags and options to set somehow, however for example the DO-bit needs to be influenced by the query.
@rgacogne rgacogne added this to the dnsdist-1.3.x milestone Apr 21, 2018
@rgacogne rgacogne mentioned this issue Aug 10, 2018
Merged
8 of 9 tasks complete
@Habbie Habbie mentioned this issue Jan 25, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
defect dnsdist
Projects
None yet
Milestone
dnsdist-1.3.x
Linked pull requests

Successfully merging a pull request may close this issue.

dnsdist: Set a correct EDNS OPT RR for self-generated answers
3 participants
@Habbie @rgacogne @RobinGeuze