Fix broken DNS native_server

[smashery]

This fixes two bugs in the auxiliary/server/dns/native_server module:

• It would immediately crash upon receiving any request
• Once that was fixed, if a request contained two queries, but only one was served from the cache and another from upstream, they were combined into the question field of the reply, not the answer.

Demo of the first issue (send any DNS request to the server):

msf6 > use auxiliary/server/dns/native_server                                                                      
msf6 auxiliary(server/dns/native_server) > set srvhost 0.0.0.0                                                     
srvhost => 0.0.0.0                                                                                                                                                                                                                   
msf6 auxiliary(server/dns/native_server) > set static_entries "1.2.3.4 example.com"                                
static_entries => 1.2.3.4 example.com              
msf6 auxiliary(server/dns/native_server) > run                                                                    
                                                                                                                  
[-] Auxiliary failed: NoMethodError undefined method `data' for #<Dnsruby::Message:0x000055d763109448>
[-] Call stack:                                                                                                   
[-]   /home/smash/git/metasploit-framework/lib/rex/proto/dns/resolver.rb:136:in `send'
[-]   /home/smash/git/metasploit-framework/modules/auxiliary/server/dns/native_server.rb:80:in `on_dispatch_request'
[-]   /home/smash/git/metasploit-framework/lib/msf/core/exploit/remote/dns/server.rb:118:in `block in start_service'
[-]   /home/smash/git/metasploit-framework/lib/rex/proto/dns/server.rb:273:in `dispatch_request'
[-]   /home/smash/git/metasploit-framework/lib/rex/proto/dns/server.rb:349:in `monitor_listener'
[-]   /home/smash/git/metasploit-framework/lib/rex/proto/dns/server.rb:230:in `block in start'
[-]   /home/smash/git/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
[-]   /home/smash/git/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'
[-]   /var/lib/gems/2.7.0/gems/logging-2.3.0/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

To my reading, this code will always work with a DnsRuby object (which expects the :encode method), not a Net::DNS object (which expects the :data method). If a Net::DNS object is passed in, for instance, it will be converted to a DnsRuby object first.

The second issue I just saw directly when reviewing the code; it seems that a copy paste error occurred in this change:

smashery@c65c037#diff-eccd9746aa08a91a52512ad5b324483719011ba6627693e7bee8323d8eadcc2eL84-R86

It's probably a super rare situation... to be honest, I can't even figure out how to test it without pulling out scapy or something.

[smcintyre-r7]

I went to test this and I was not able to reproduce the original issue. With STATIC_ENTRIES set, as in your description, the module seems to be working for me on the master branch. I'm wondering if for some reason my instance using using Net::Dns while you're using Dnsruby or vice versa.

[smcintyre-r7]

I was able to confirm that the native server module is now working!

Testing Output

msf6 auxiliary(gather/enum_dns) > use auxiliary/server/dns/native_server 
msf6 auxiliary(server/dns/native_server) > show options 

Module options (auxiliary/server/dns/native_server):

   Name              Current Setting      Required  Description
   ----              ---------------      --------  -----------
   DISABLE_NS_CACHE  false                no        Disable DNS response caching
   DISABLE_RESOLVER  false                no        Disable DNS request forwarding
   DOMAIN                                 no        The target domain name
   NS                                     no        Specify the nameservers to use for queries, space separated
   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]
   RPORT             53                   yes       The target port (TCP)
   SEARCHLIST                             no        DNS domain search list, comma separated
   SRVHOST           192.168.159.128      yes       The local host or network interface to listen on. This must be
                                                    an address on the local machine or 0.0.0.0 to listen on all add
                                                    resses.
   SRVPORT           53                   yes       The local port to listen on.
   STATIC_ENTRIES    1.2.3.4 example.com  no        DNS domain search list (hosts file or space/semicolon separate
                                                    entries)
   THREADS           1                    yes       Number of threads to use in threaded queries


Auxiliary action:

   Name     Description
   ----     -----------
   Service  Serve DNS entries


msf6 auxiliary(server/dns/native_server) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/dns/native_server) > dig example.com @192.168.159.128
[*] exec: dig example.com @192.168.159.128


; <<>> DiG 9.16.24-RH <<>> example.com @192.168.159.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37299
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		0	IN	A	1.2.3.4

;; Query time: 2 msec
;; SERVER: 192.168.159.128#53(192.168.159.128)
;; WHEN: Tue Mar 15 09:04:34 EDT 2022
;; MSG SIZE  rcvd: 45

msf6 auxiliary(server/dns/native_server) >

[smcintyre-r7]

Release Notes

This fixes an issue in the DNS native server module where the server would crash upon receiving a query.