Client does not validate DNS transaction id

[daniel4x]

Hi,

dnslib client does not validate DNS transaction id (TXID) as specified in the RFC.
This considered as implementation bug. Attackers can use this to redirect users to their malicious name servers.
I know the client created for testing but other projects using dnslib as a dependency might be affected as well.

I suggest to add a simple validate:

#... request code
a_pkt = q.send(address,port,tcp=args.tcp)
a = DNSRecord.parse(a_pkt)

if q.header.id != a.header.id:
    raise DNSError('Response transaction id does not match query transaction id')

[carnil]

This issue appears to have been assigned a CVE, CVE-2022-22846.

[paulc]

Thanks - as you note client.py is for testing but should clearly check TXIDs. I've also added a note in the README to ensure that TXID is validated. I've updated and released a new version on PyPi.

The CVE seems a bit ridiculous - sounds like someone just generating random CVEs to look good on a resume (it isn't actually accurate as it is not a library function - dnslib just parses the packets)