[dns-operations] dnspooq

Yasuhiro Orange Morishita / 森下泰宏 yasuhiro at jprs.co.jp
Thu Jan 21 12:48:14 UTC 2021


Hi,

> fyi
> https://www.jsof-tech.com/disclosures/dnspooq/

I've read the technical whitepaper on DNSpooq[*1] from JSOF,
and I have a question about response validation in DNS forwarders.

[*1] DNSpooq - Cache Poisoning and RCE in Popular DNS Forwarder dnsmasq
     <https://www.jsof-tech.com/dnspooq-technical-wp/>

Section 3.4 of the whitepaper describes that dnsmasq doesn't perform
the 'in-domain' check, and that dnsmasq accepts the following answer
(and overwrites an existing cache entry for www.bank.com) from the
upstream full-service resolver.

  ;; ANSWER SECTION:
  www.example.com. IN CNAME www.bank.com.
  www.bank.com.    IN A 6.6.6.6

I know that section 6 of RFC 5452 describes 'in-domain checking'
for full-service resolvers, but I can't find any RFCs describing the
same checking for DNS forwarders...

Moreover, the whitepaper describes this as follows:

  "We acknowledge that this is not a vulnerability per se, and
  moreover is reasonable behavior, though it magnifies the attack and
  similar types of attacks."

Isn't it really a vulnerability?

-- Orange
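
As an added illustration of the 'in-domain' check being asked about (example code written for this
archive page, not dnsmasq code and not the fix for any dnsmasq issue): a forwarder-side admission
filter applied to the constructed answer section from the message above. The bailiwick name passed in
is an assumption; which bailiwick a forwarder should apply is exactly the open question in the post.
With `bailiwick=None` the function reproduces the permissive behaviour described in section 3.4 of
the whitepaper; with a bailiwick it drops the out-of-domain A record and reports the CNAME target as a
name that must be looked up separately instead of cached from this answer.

```python
"""Bailiwick ("in-domain") filtering of a DNS answer section, in the spirit of
RFC 5452 section 6. Added example for illustration only: not dnsmasq code and
not the remedy for any dnsmasq CVE. The records below are constructed from the
thread's example, and the bailiwick value is an assumed policy choice."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "A", "CNAME", ...
    rdata: str   # target name for CNAME, address for A


def canon(name: str) -> str:
    """Lower-case and make absolute so 'www.Bank.com' == 'www.bank.com.'."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, bailiwick: str) -> bool:
    """True if name equals the bailiwick or lies below it."""
    n, b = canon(name), canon(bailiwick)
    if b == ".":
        return True
    return n == b or n.endswith("." + b)


def admit_answer(qname: str, answer: List[RR], bailiwick: Optional[str]
                 ) -> Tuple[List[RR], List[RR], Optional[str]]:
    """Decide what a forwarder may cache from an upstream answer section.

    bailiwick=None models the permissive behaviour the whitepaper describes:
    every RR in the answer is cached, so the A record for www.bank.com
    overwrites whatever the cache already held for that name.

    With a bailiwick, an RR is accepted only if its owner name is inside it.
    The CNAME chain is then walked from qname through the accepted records;
    if the chain ends at a name with no accepted non-CNAME data, that name is
    returned as 'pending' so the forwarder resolves it with its own query
    rather than trusting data that rode along in this answer.

    Returns (accepted, rejected, pending_name).
    """
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in answer:
        if bailiwick is None or in_bailiwick(rr.name, bailiwick):
            accepted.append(rr)
        else:
            rejected.append(rr)

    # Follow the CNAME chain using only accepted records; guard against loops.
    current = canon(qname)
    seen = set()
    while current not in seen:
        seen.add(current)
        cname = next((rr for rr in accepted
                      if canon(rr.name) == current and rr.rtype == "CNAME"),
                     None)
        if cname is None:
            break
        current = canon(cname.rdata)

    resolved = any(canon(rr.name) == current and rr.rtype != "CNAME"
                   for rr in accepted)
    pending = None if (resolved or current == canon(qname)) else current
    return accepted, rejected, pending


# Constructed sample: the answer section quoted in the thread.
QNAME = "www.example.com."
ANSWER = [
    RR("www.example.com.", "CNAME", "www.bank.com."),
    RR("www.bank.com.", "A", "6.6.6.6"),
]


def main() -> None:
    for policy in (None, "example.com."):
        acc, rej, pend = admit_answer(QNAME, ANSWER, policy)
        print(f"bailiwick={policy!r}")
        print("  cache  :", [(r.name, r.rtype, r.rdata) for r in acc])
        print("  drop   :", [(r.name, r.rtype, r.rdata) for r in rej])
        print("  re-ask :", pend)


if __name__ == "__main__":
    main()
```

With the permissive policy both records are cached, which is the overwrite the message describes; with
`bailiwick="example.com."` only the CNAME is cached and `www.bank.com.` comes back as a name the
forwarder has to query on its own. Whether a forwarder can pick a meaningful bailiwick without zone
knowledge is the question the post raises, and this example does not settle it.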

From: FUSTE Emmanuel <emmanuel.fuste at thalesgroup.com>
Subject: Re: [dns-operations] dnspooq
Date: Thu, 21 Jan 2021 11:29:16 +0000

> On 21/01/2021 at 12:07, Stephane Bortzmeyer wrote:
>> On Tue, Jan 19, 2021 at 03:53:04PM +0000,
>>   Roy Arends <roy at dnss.ec> wrote
>>   a message of 7 lines which said:
>>
>>> fyi
>>>
>>> https://www.jsof-tech.com/disclosures/dnspooq/
>> Real vulnerabilities and good technical work, but why do they feel the
>> need to add references to the "Internet DNS Architecture" (it is not a
>> DNS problem, purely bugs in an implementation) or to HSTS (what's its
>> relationship with a bug in a DNS program?)?
>>
>> To get more attention?
>>
> Yes, I stopped reading past this. Very bad editorial choice in my opinion.
> But sadly that's the modern/actual way of informing: sensationalism, up to the
> border of the fake.
> 
> Emmanuel.
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
