robur-coop / udns Goto Github PK

[deprecated, developmeht moved to https://github.com/mirage/ocaml-dns] µDNS - an opinionated Domain Name System (DNS) library

License: BSD 2-Clause "Simplified" License

OCaml 100.00%

ocaml dns dns-server mirageos unikernel tsig robur

udns's People

Contributors

Stargazers

Watchers

Forkers

avsm davidalphafox cfcs dinosaure jeremy505

udns's Issues

online testing facilities

server side: https://ednscomp.isc.org/ednscomp https://dnscheck.ripe.net/ https://zonemaster.net/
resolver: https://cmdns.dev.dns-oarc.net/

server has atm good results :)

Queries with opcode set to Notify can crash the resolver

As the primary server seems to handle fuzz testing without any bug, I tried to fuzz the resolver, and managed to crash it (https://pastebin.com/x3UB87Mf for an example). Here is the resolver log :

2018-07-12 14:11:54 +01:00: INF [application] reacting to (from 127.0.0.1:59757) 0001 query operation Notify rcode NoError flags: : example.com A?
2018-07-12 14:11:54 +01:00: ERR [dns_server] ignoring unsolicited request
2018-07-12 14:11:54 +01:00: ERR [application] answer from authoritative is none, shouldn't happen
Fatal error: exception "Assert_failure resolver/uDns_resolver.ml:239:12"
Raised at file "string.ml", line 118, characters 19-34
Called from file "src0/sexp.ml", line 93, characters 13-47
wt269@eagle:/auto/homes/wt269/OCaml/udns/mirage/examples/resolver$

TL;DR : Queries sent with opcode set to Notify are ignored by the primary server that responds with None, to which the resolver raises an error because it doesn't expect a None answer.

For a more detailed debug, which was simpler to find than the other issue :

The resolver receives a query with the opcode set to Notify and the query flag set to true
It calls the function UDns_resolver.handle which parses correctly the packet
The packet is sent by an user so it is considered as a query by the resolver, which is coherent with the flag in the header : UDns_resolver.handle_primary is then called, which calls itself UDns_server.Primary.handle_frame
As a primary server shouldn't receive a notify+query packet, it ignores it and returns None
UDns_resovler.handle_primary, seeing that is is a None packet, calls assert false
There is no try ... with block to catch the error so the resolver crashes.

Client dns packet id uses Random.int

I took a shortcut here: https://github.com/roburio/udns/blob/master/client/udns_client.ml#L20

Leaving this issue here so we don't forget about it.

EDIT: Also it's off by one (should be 0x10000):

Random.int bound returns a random integer between 0 (inclusive)
and bound (exclusive). bound must be greater than 0 and less than 2^30.

Query with a huge question section can lead to crash

After trying to fuzz the primary server from the example folder with big inputs, I found some packets that could crash main.native. In this example, the culprit is a query of size 3451 that consists of many questions (https://pastebin.com/tnV0JUbR for a hexadecimal and byte representation of that packet) :

2018-07-05 16:21:20 +01:00: INF [tcpip-stack-socket] Manager: connect
2018-07-05 16:21:20 +01:00: INF [tcpip-stack-socket] Manager: configuring
2018-07-05 16:21:20 +01:00: WRN [application] no secondaries keys found (err not found  TTL 300 soa SOA foo._key-management foo._key-management 0 16384 2048 1048576 300)
2018-07-05 16:21:20 +01:00: INF [application] loaded zone: mirage.	2560	SOA	ns.mirage.hostmaster.mirage.	1	10	5	60	2560
mirage.	2560	NS	ns.mirage.
charrua.mirage.	2560	A	10.0.42.3
ns.mirage.	2560	A	10.0.42.2
resolver.mirage.	2560	A	10.0.42.5
router.mirage.	2560	A	10.0.42.1
secondary.mirage.	2560	A	10.0.42.4
www.mirage.	2560	CNAME	router.mirage.

2018-07-05 16:21:20 +01:00: INF [dns_mirage_server] DNS server listening on UDP port 53
2018-07-05 16:21:20 +01:00: INF [dns_mirage_server] DNS server listening on TCP port 53
2018-07-05 16:21:26 +01:00: INF [dns_mirage_server] udp frame from 127.0.0.1:33525
2018-07-05 16:21:26 +01:00: ERR [dns_server] 181 questions foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, bailing
Fatal error: exception (Invalid_argument
  "invalid bounds in Cstruct.BE.set_uint16 [0,450](450) off=449 len=2")
Raised at file "format.ml" (inlined), line 242, characters 35-52
Called from file "format.ml", line 469, characters 8-33
Called from file "format.ml", line 484, characters 6-24

TL;DR : The packet is faulty according to the uDNS primary server handle function because the question section contains more than one question. The server tries to reply with an answer containing the same question section (I think it must be done for security purposes), but it creates a buffer with a shorter length, that's why that error is raised and crashes the application.

Now for a more detailed explanation (took me a really long time to figure out !). If I understood correctly :

The server allows any frame which size is under 4096 (otherwise it says ERR [dns_server] partial frame (length 4096)), so the packet goes through
UDns_server.Primary.handle is called at one point
In that call, UDns_server.Primary.handle_inner is called, which calls itself UDns_server.handle_frame
As the frame is a query-type packet, it calls UDns_server.handle_query
UDns_server.handle_query checks the question section and sees that there is more than one question, therefore it returns the rcode FormErr to UDns_server.handle_inner
UDns_server.handle_inner, seeing that it got an rcode error, calls UDns_server.err, which calls Dns_packet.error to create a reply with the same content but with the rcode set to FormErr
Dns_packet.error creates a buffer of size Dns_packet.max_reply_udp (= 450 !!) and tries to copy the initial packet into that buffer through Dns_packet.encode_query
Dns_packet.encode_query calls List.fold_left using Dns_packet.encode_question as the folding function, which shifts the offset value in the reply buffer
As 3451 is greater than 450, the final error invalid bounds is raised.

Maybe a solution would be to rise max_udp_size to 4096 ?

Difficulty pinning packages in development

After this was introduced in 8ad2bcc I'm struggling to pin local development branches.
Here's what I tried:

$ opam pin add -n dns --dev -k git git+https://github.com/roburio/udns.git
# ...
$ opam pin add -n dns-client --dev -k git git+https://github.com/roburio/udns.git
# ...
$ opam install dns

<><> Synchronising pinned packages ><><><><><><><><><><><><><><><><><><><><><><>
[dns.1.1.1] no changes from git+https://github.com/roburio/udns.git

[NOTE] Package dns is already installed (current version is 1.1.1).
$ opam install dns-client.1.1.1
[ERROR] Package dns-client has no version 1.1.1.
$ opam install dns-client

<><> Synchronising pinned packages ><><><><><><><><><><><><><><><><><><><><><><>
[dns-client.~dev] no changes from git+https://github.com/roburio/udns.git

Sorry, no solution found: there seems to be a problem with your request.

No solution found, exiting

My local workaround was:

$ sed -i 's/"dns"/#&/' dns-client.opam
$ opam pin add -n dns-client --dev '.'
$ opam install --working-dir dns-client

Is there a more ergonomic way to work with a development version?

ping @hannesm

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.