When spoofing NXDOMAINs from a lua rule in dnsdist, the flags and EDNS options from the query blindly get echoed in the response completely, which is bad.
```lua
newServer('8.8.8.8')

-- Spoof NXDOMAIN for every NAPTR query, let everything else through.
function luarule(dq)
  if (dq.qtype == dnsdist.NAPTR) then
    return DNSAction.Nxdomain, ""
  else
    return DNSAction.Allow, ""
  end
end

addLuaAction(AllRule(), luarule)
```
Note the CLIENT-SUBNET, COOKIE and OPT lines. Also note that the `flags:` have been copied verbatim. Sending `+noad` will remove `ad` from the answer. Same for `+norec` and `rd`, etc.
I've been trying to figure out how to best fix this. I could either remove the entire OPT record, just unset all flags and options, or just unset specific options and flags. The first two options might have unwanted side effects, and the last option might become a lot of work to maintain. It might be better to allow you to specify what flags and options to set somehow, however for example the DO-bit needs to be influenced by the query.
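The following is an added illustration of the problem discussed above, not code from dnsdist or its maintainers: it is written in Python rather than dnsdist's Lua, works on a constructed wire-format query that mirrors the `dig` invocation from the report, and assumes a configured EDNS UDP payload size of 1232 for the spoofed answer. It builds the two kinds of NXDOMAIN response side by side: the naive echo, where the query's AD/CD flags and every EDNS option (client subnet, the custom option 512) come back verbatim, and a response built from scratch that keeps only the transaction ID, opcode, RD flag, question section and the client's DO bit, with a fresh, empty OPT record.

```python
import struct

# DNS header flag bits and masks (RFC 1035, RFC 4035, RFC 6891).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
OPCODE_MASK, RCODE_MASK = 0x7800, 0x000F
NXDOMAIN = 3
OPT_TYPE = 41          # EDNS0 pseudo-RR type
NAPTR = 35
EDNS_DO = 1 << 15      # DO bit lives in the OPT record's TTL field
ECS_CODE = 8           # EDNS Client Subnet option code


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name at buf[off]."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(qid, name, qtype, flags, options=None, udp_size=4096, do=True):
    """Build a query with one question and, if options is not None, one OPT RR."""
    arcount = 0 if options is None else 1
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    if options is not None:
        rdata = b"".join(struct.pack("!HH", code, len(v)) + v for code, v in options)
        ttl = EDNS_DO if do else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata
    return msg


def parse(msg):
    """Return header fields, the raw question section and the parsed OPT RR (if any)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    question = msg[12:off]
    for _ in range(an + ns):                   # skip answer/authority RRs
        off = skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    opt = None
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            options, p = [], 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                options.append((code, rdata[p + 4:p + 4 + olen]))
                p += 4 + olen
            opt = {"udp_size": rclass, "do": bool(ttl & EDNS_DO), "options": options}
    return {"id": qid, "flags": flags, "qdcount": qd, "question": question, "opt": opt}


def naive_nxdomain(query):
    """The reported behaviour: echo the query, flip QR and set RCODE.
    AD, CD and every EDNS option (ECS, cookie, ...) go straight back to the client."""
    qid, flags = struct.unpack("!HH", query[:4])
    flags = ((flags | QR) & ~RCODE_MASK) | NXDOMAIN
    return struct.pack("!HH", qid, flags) + query[4:]


def sanitized_nxdomain(query, udp_size=1232, recursion_available=True):
    """Build the response from scratch: keep only ID, opcode, RD and the question;
    re-create OPT with no options, our own UDP size and the client's DO bit."""
    q = parse(query)
    flags = QR | (q["flags"] & (OPCODE_MASK | RD)) | NXDOMAIN
    if recursion_available:
        flags |= RA
    has_opt = q["opt"] is not None
    msg = struct.pack("!HHHHHH", q["id"], flags, q["qdcount"], 0, 0, 1 if has_opt else 0)
    msg += q["question"]
    if has_opt:
        ttl = EDNS_DO if q["opt"]["do"] else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def sample_query():
    """Constructed query (not a capture) mirroring the report's dig command:
    NAPTR nu.nl with RD, AD, CD set, ECS 65.66.67.68/20 and option 512 'echo! echo!'."""
    ecs = struct.pack("!HBB", 1, 20, 0) + bytes([65, 66, 64])   # family 1, /20, scope 0
    return build_query(0x1234, "nu.nl", NAPTR, RD | AD | CD,
                       [(ECS_CODE, ecs), (512, b"echo! echo!")])


if __name__ == "__main__":
    for label, resp in (("naive", naive_nxdomain(sample_query())),
                        ("sanitized", sanitized_nxdomain(sample_query()))):
        p = parse(resp)
        print(label, hex(p["flags"]), [c for c, _ in p["opt"]["options"]])
```

Running it prints the naive response with AD and CD still set and options 8 and 512 echoed, and the sanitized response with only QR, RD, RA and RCODE 3 set and an empty option list. The DO bit is the one piece of EDNS state deliberately carried over from the query, which is the point made in the comment above about it needing to be influenced by the query.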
Environment
Steps to reproduce
```shell
[sudo] ./dnsdist -C dnsdist.conf
dig nu.nl @127.0.0.1 -t naptr +subnet=65.66.67.68/20 +ednsopt=512:6563686f21206563686f21
```
Expected behaviour