Yasuhiro Orange Morishita / 森下泰宏
yasuhiro at jprs.co.jp
Thu Jan 21 12:48:14 UTC 2021
I've read the technical whitepaper on DNSpooq[*1] from JSOF,
and I have a question about response validation in DNS forwarders.
[*1] DNSpooq - Cache Poisoning and RCE in Popular DNS Forwarder dnsmasq
Section 3.4 of the whitepaper describes that dnsmasq doesn't perform the
'in-domain' check, and that dnsmasq accepts the following answer (and
overwrites the existing cache entry for www.bank.com) from upstream:
;; ANSWER SECTION:
www.example.com. IN CNAME www.bank.com.
www.bank.com. IN A 184.108.40.206
I know that section 6 of RFC 5452 describes 'in-domain checking'
for full-service resolvers, but I can't find any RFC describing the
same check for DNS forwarders...
Moreover, the whitepaper describes this as follows:
"We acknowledge that this is not a vulnerability per se, and
moreover is reasonable behavior, though it magnifies the attack and
similar types of attacks."
Isn't it really a vulnerability?
From: FUSTE Emmanuel <emmanuel.fuste at thalesgroup.com>
Subject: Re: [dns-operations] dnspooq
Date: Thu, 21 Jan 2021 11:29:16 +0000
> On 21/01/2021 at 12:07, Stephane Bortzmeyer wrote:
>> On Tue, Jan 19, 2021 at 03:53:04PM +0000,
>> Roy Arends <roy at dnss.ec> wrote
>> a message of 7 lines which said:
>> Real vulnerabilities and good technical work but why do they feel the
>> need to add references to the "Internet DNS Architecture" (it is not a
>> DNS problem, purely bugs in an implementation) or to HSTS (what's its
>> relationship with a bug in a DNS program?)?
>> To get more attention?
> Yes, I stopped reading past this. Very bad editorial choice in my opinion.
> But sadly this is the modern/actual way of informing: sensationalism, up to the
> border of the fake.
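The 'in-domain' (bailiwick) check that the question at the top of the thread refers to, written out as an added Python example (not code from the thread, from dnsmasq, or from JSOF): it models the full-resolver rule of RFC 5452 section 6, assumes the response came from a server trusted only for example.com, and applies it to the CNAME/A answer quoted in the question, so the CNAME is kept while the www.bank.com A record is discarded and flagged for a fresh lookup.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, rdata (constructed, minimal)."""
    name: str
    rtype: str
    rdata: str


def labels(name: str) -> tuple[str, ...]:
    """Lower-cased label tuple, trailing dot ignored: 'www.Bank.com.' -> ('www','bank','com')."""
    return tuple(l.lower() for l in name.rstrip(".").split(".") if l)


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name is at or below zone, compared label by label,
    so 'notexample.com' is not under 'example.com'."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def check_response(zone: str, answer: list[RR]) -> tuple[list[RR], list[RR]]:
    """RFC 5452 section 6 style check: a server answering for `zone` is only
    trusted for names inside it. Returns (cacheable, discarded)."""
    cacheable = [rr for rr in answer if in_bailiwick(rr.name, zone)]
    discarded = [rr for rr in answer if not in_bailiwick(rr.name, zone)]
    return cacheable, discarded


def unresolved_cname_targets(qname: str, zone: str, cacheable: list[RR]) -> list[str]:
    """Follow the CNAME chain from qname through the accepted records; every
    target outside the bailiwick must be looked up separately, never taken
    from this response. Loops are cut by the `seen` set."""
    cnames = {labels(rr.name): rr.rdata for rr in cacheable if rr.rtype == "CNAME"}
    current, seen, targets = labels(qname), set(), []
    while current in cnames and current not in seen:
        seen.add(current)
        target = cnames[current]
        if not in_bailiwick(target, zone):
            targets.append(target)
        current = labels(target)
    return targets


# The answer quoted in the question (constructed to match the thread).
ANSWER = [
    RR("www.example.com.", "CNAME", "www.bank.com."),
    RR("www.bank.com.", "A", "184.108.40.206"),
]
```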