[dns-operations] Spoofing DNS with fragments

Mark Andrews marka at isc.org
Fri Sep 14 03:13:43 UTC 2018


Sampling these shows the additional count being set to 1 but no
additional record being present.  Anyone know which implementation
needs to be fixed?

Mark

13:05:27.623488 IP 172.30.42.67.57359 > 194.0.1.17.53: 16192 [1au] SOA? mo. (92)
	0x0000:  4500 0078 5893 0000 4011 886f ac1e 2a43  E..xX...@..o..*C
	0x0010:  c200 0111 e00f 0035 0064 ff3e 3f40 0000  .......5.d.>?@..
	0x0020:  0001 0000 0000 0001 026d 6f00 0006 0001  .........mo.....
	0x0030:  0000 fa00 ff00 0000 0000 3d0b 686d 6163  ..........=.hmac
	0x0040:  2d73 6861 3235 3600 0000 5b9b 2577 012c  -sha256...[.%w.,
	0x0050:  0020 3696 edaa d714 fc21 46e5 b2f6 54b9  ..6......!F...T.
	0x0060:  ae56 6558 1963 ab44 bcba 6c6e f23a b8e3  .VeX.c.D..ln.:..
	0x0070:  2346 3f40 0000 0000                      #F?@....
13:05:27.675422 IP 194.0.1.17.53 > 172.30.42.67.57359: 16192*- 1/0/1 SOA (69)
	0x0000:  4500 0061 aaca 4000 3611 004f c200 0111  E..a..@.6..O....
	0x0010:  ac1e 2a43 0035 e00f 004d 23e1 3f40 8400  ..*C.5...M#.?@..
	0x0020:  0001 0001 0000 0001 026d 6f00 0006 0001  .........mo.....
	0x0030:  c00c 0006 0001 0000 0e10 0025 026d 6f00  ...........%.mo.
	0x0040:  0864 6e73 6164 6d69 6e02 6d6f 005b 9b23  .dnsadmin.mo.[.#
	0x0050:  0600 000e 1000 0003 8400 0697 8000 000e  ................
	0x0060:  10                                       .

% dig mo. @194.0.1.17 soa -y hmac-sha256:.:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= +noedns +noad +norec
;; Warning: Message parser reports malformed message packet.
;; Couldn't verify signature: expected a TSIG or SIG(0)

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> mo. @194.0.1.17 soa -y hmac-sha256:.:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= +noedns +noad +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16192
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mo.				IN	SOA

;; ANSWER SECTION:
mo.			3600	IN	SOA	mo. dnsadmin.mo. 1536893702 3600 900 432000 3600

;; Query time: 52 msec
;; SERVER: 194.0.1.17#53(194.0.1.17)
;; WHEN: Fri Sep 14 13:05:27 AEST 2018
;; MSG SIZE  rcvd: 69
;; WARNING -- Some TSIG could not be validated

%

ac. @194.0.1.1 (ns-a1.ac.): dns=ok dnswkk=malformed
ac. @2001:678:4::1 (ns-a1.ac.): dns=ok dnswkk=malformed
ac. @74.116.178.1 (ns-a3.ac.): dns=ok dnswkk=malformed
am. @194.0.1.26 (ns-cdn.amnic.net.): dns=ok dnswkk=malformed
am. @2001:678:4::1a (ns-cdn.amnic.net.): dns=ok dnswkk=malformed
be. @194.0.1.10 (x.ns.dns.be.): dns=ok dnswkk=malformed
be. @2001:678:4::a (x.ns.dns.be.): dns=ok dnswkk=malformed
bn. @194.0.1.33 (ns1.bnnic.bn.): dns=ok dnswkk=malformed
brussels. @194.0.1.10 (x.nic.brussels.): dns=ok dnswkk=malformed
brussels. @2001:678:4::a (x.nic.brussels.): dns=ok dnswkk=malformed
bs. @194.0.1.36 (ns36.cdns.net.): dns=ok dnswkk=malformed
bs. @2001:678:4::24 (ns36.cdns.net.): dns=ok dnswkk=malformed
ch. @194.0.1.40 (g.nic.ch.): dns=ok dnswkk=malformed
ch. @2001:678:4::28 (g.nic.ch.): dns=ok dnswkk=malformed
dm. @194.0.1.34 (ns34.cdns.net.): dns=ok dnswkk=malformed
dm. @2001:678:4::22 (ns34.cdns.net.): dns=ok dnswkk=malformed
fi. @194.0.1.14 (e.fi.): dns=ok dnswkk=malformed
fi. @2001:678:4::e (e.fi.): dns=ok dnswkk=malformed
gr. @194.0.1.25 (gr-c.ics.forth.gr.): dns=ok dnswkk=malformed
gr. @2001:678:4::19 (gr-c.ics.forth.gr.): dns=ok dnswkk=malformed
hu. @194.0.1.12 (ns-com.nic.hu.): dns=ok dnswkk=malformed
hu. @2001:678:4::c (ns-com.nic.hu.): dns=ok dnswkk=malformed
io. @194.0.1.1 (ns-a1.io.): dns=ok dnswkk=malformed
io. @2001:678:4::1 (ns-a1.io.): dns=ok dnswkk=malformed
io. @74.116.178.1 (ns-a3.io.): dns=ok dnswkk=malformed
li. @194.0.1.40 (g.nic.li.): dns=ok dnswkk=malformed
li. @2001:678:4::28 (g.nic.li.): dns=ok dnswkk=malformed
lt. @194.0.1.4 (c.tld.lt.): dns=ok dnswkk=malformed
lt. @2001:678:4::4 (c.tld.lt.): dns=ok dnswkk=malformed
lu. @194.0.1.13 (k.dns.lu.): dns=ok dnswkk=malformed
lu. @2001:678:4::d (k.dns.lu.): dns=ok dnswkk=malformed
lv. @194.0.1.24 (c.nic.lv.): dns=ok dnswkk=malformed
lv. @2001:678:4::18 (c.nic.lv.): dns=ok dnswkk=malformed
mo. @194.0.1.17 (ns17.cdns.net.): dns=ok dnswkk=malformed
mo. @2001:678:4::11 (ns17.cdns.net.): dns=ok dnswkk=malformed
my. @194.0.1.30 (ns30.cdns.net.): dns=ok dnswkk=malformed
my. @2001:678:4::1e (ns30.cdns.net.): dns=ok dnswkk=malformed
ng. @194.0.1.29 (ns1.nic.net.ng.): dns=ok dnswkk=malformed
ng. @2001:678:4::1d (ns1.nic.net.ng.): dns=ok dnswkk=malformed
ph. @194.0.1.23 (ph.communitydns.net.): dns=ok dnswkk=malformed
ph. @2001:678:4::17 (ph.communitydns.net.): dns=ok dnswkk=malformed
pl. @194.0.1.2 (h-dns.pl.): dns=ok dnswkk=malformed
pl. @2001:678:4::2 (h-dns.pl.): dns=ok dnswkk=malformed
scb. @194.0.1.35 (c.nic.scb.): dns=ok dnswkk=malformed
scb. @2001:678:4::23 (c.nic.scb.): dns=ok dnswkk=malformed
sh. @194.0.1.1 (ns-a1.sh.): dns=ok dnswkk=malformed
sh. @2001:678:4::1 (ns-a1.sh.): dns=ok dnswkk=malformed
sh. @74.116.178.1 (ns-a3.sh.): dns=ok dnswkk=malformed
si. @194.0.1.20 (g.dns.si.): dns=ok dnswkk=malformed
si. @2001:678:4::14 (g.dns.si.): dns=ok dnswkk=malformed
th. @194.0.1.28 (c.thains.co.th.): dns=ok dnswkk=malformed
th. @2001:678:4::1c (c.thains.co.th.): dns=ok dnswkk=malformed
tm. @194.0.1.22 (ns-a1.tm.): dns=ok dnswkk=malformed
tm. @2001:678:4::16 (ns-a1.tm.): dns=ok dnswkk=malformed
tm. @194.0.2.22 (ns-a2.tm.): dns=ok dnswkk=malformed
tm. @2001:678:5::16 (ns-a2.tm.): dns=ok dnswkk=malformed
tm. @74.116.178.22 (ns-a3.tm.): dns=ok dnswkk=malformed
tm. @74.116.179.22 (ns-a4.tm.): dns=ok dnswkk=malformed
ua. @194.0.1.9 (cd1.ns.ua.): dns=ok dnswkk=malformed
ua. @2001:678:4::9 (cd1.ns.ua.): dns=ok dnswkk=malformed
vlaanderen. @194.0.1.10 (x.nic.vlaanderen.): dns=ok dnswkk=malformed
vlaanderen. @2001:678:4::a (x.nic.vlaanderen.): dns=ok dnswkk=malformed
vn. @194.0.1.18 (a.dns-servers.vn.): dns=ok dnswkk=malformed
vn. @2001:678:4::12 (a.dns-servers.vn.): dns=ok dnswkk=malformed
xn--fzc2c9e2c. @194.0.1.27 (lk.communitydns.net.): dns=ok dnswkk=malformed
xn--fzc2c9e2c. @2001:678:4::1b (lk.communitydns.net.): dns=ok dnswkk=malformed
xn--mgbx4cd0ab. @194.0.1.30 (ns30.cdns.net.): dns=ok dnswkk=malformed
xn--mgbx4cd0ab. @2001:678:4::1e (ns30.cdns.net.): dns=ok dnswkk=malformed
xn--mix891f. @194.0.1.17 (ns17.cdns.net.): dns=ok dnswkk=malformed
xn--mix891f. @2001:678:4::11 (ns17.cdns.net.): dns=ok dnswkk=malformed
xn--qxam. @194.0.1.25 (gr-c.ics.forth.gr.): dns=ok dnswkk=malformed
xn--qxam. @2001:678:4::19 (gr-c.ics.forth.gr.): dns=ok dnswkk=malformed
xn--xkc2al3hye2a. @194.0.1.27 (lk.communitydns.net.): dns=ok dnswkk=malformed
xn--xkc2al3hye2a. @2001:678:4::1b (lk.communitydns.net.): dns=ok dnswkk=malformed
xn--y9a3aq. @194.0.1.26 (ns-cdn.amnic.net.): dns=ok dnswkk=malformed
xn--y9a3aq. @2001:678:4::1a (ns-cdn.amnic.net.): dns=ok dnswkk=malformed

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
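The malformation Mark describes (ARCOUNT=1 in the header, zero additional records in the body, which is why dig reports a malformed packet and cannot find the TSIG it was promised) is easy to check for mechanically. The following is an added example, not code from the post or from BIND: it walks the four sections of a DNS message with a compression-aware name reader and reports, per section, how many records the header declares versus how many are actually present before the message runs out. The sample bytes are the 69-byte UDP payload of the captured response above, transcribed from the hex dump; the function and field names are my own.

```python
"""Check whether a DNS message's section counts match the records it carries."""
import struct
from typing import Dict, Tuple

# Constructed from the hex dump in the post: the 69-byte UDP payload of the
# response, i.e. the bytes after the 20-byte IP and 8-byte UDP headers.
SAMPLE_RESPONSE = bytes.fromhex(
    "3f40 8400 0001 0001 0000 0001"        # header: id 16192, flags qr aa, QD/AN/NS/AR = 1/1/0/1
    "026d 6f00 0006 0001"                  # question: mo. SOA IN
    "c00c 0006 0001 0000 0e10 0025"        # answer: ptr->mo., SOA, IN, TTL 3600, RDLENGTH 37
    "026d 6f00 0864 6e73 6164 6d69 6e02 6d6f 00"          # MNAME mo., RNAME dnsadmin.mo.
    "5b9b 2306 0000 0e10 0000 0384 0006 9780 0000 0e10"   # serial 1536893702, 3600 900 432000 3600
)  # the message ends here: nothing follows for the declared additional record


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at offset (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the message stream)."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # name ends after the pointer
            jumped = True
            hops += 1
            if hops > 64:                              # guard against pointer loops
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:                                # root label terminates the name
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def walk_section(msg: bytes, offset: int, count: int, is_question: bool) -> Tuple[int, int]:
    """Read up to `count` entries of one section; return (entries_read, new_offset).
    Stops early, rather than raising, when the message ends before the header's count."""
    read = 0
    while read < count:
        if offset >= len(msg):
            break                                      # header promised more than is here
        try:
            _name, offset = read_name(msg, offset)
            if is_question:
                struct.unpack_from("!HH", msg, offset)   # QTYPE, QCLASS
                offset += 4
            else:
                _rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
                offset += 10
                if offset + rdlen > len(msg):          # RDATA cut off
                    break
                offset += rdlen
        except (ValueError, struct.error):
            break
        read += 1
    return read, offset


def audit_counts(msg: bytes) -> Dict[str, object]:
    """Compare the header's QD/AN/NS/AR counts with the records actually present."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    report: Dict[str, object] = {"id": msg_id, "flags": flags, "consistent": True}
    offset = 12
    for section, count, is_q in (("question", qd, True), ("answer", an, False),
                                 ("authority", ns, False), ("additional", ar, False)):
        present, offset = walk_section(msg, offset, count, is_q)
        report[section] = {"declared": count, "present": present}
        if present != count:
            report["consistent"] = False
    report["trailing_bytes"] = len(msg) - offset       # junk after the last parsed record
    return report


if __name__ == "__main__":
    for key, value in audit_counts(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run against the captured response, the report shows question and answer fully present, authority declared 0, and additional declared 1 but present 0, with no trailing bytes: the server counted a record (presumably the TSIG) that it never appended. A resolver or monitoring probe that applies this check can flag such responses as malformed in the same way dig does, independent of whether it can verify the signature.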