OUSPG
PROTOS Test-Suite: c09-dns
The Domain Name System (DNS) is the primary naming system used on the
Internet. It employs a custom protocol, which is also called DNS, and
DNS systems use this protocol to transact their business. DNS is a
distributed hierarchical database that is used, among other things, to
map domain names to Internet addresses, to map Internet addresses to
domain names, and to direct mail delivery.
A set of DNS messages was chosen as the subject protocol for vulnerability
assessment through syntax testing and test-suite creation.
A survey of the related standards was made. Test-material was prepared
and tests were carried out against a sample set of existing
implementations.
Some of the implementations available for evaluation failed to perform
in a robust manner under the test. Some failures had information
security implications and should be considered vulnerabilities.
Therefore, this robustness test-material should be adopted for the
evaluation and development of DNS implementations.
This test-suite is a byproduct of the
"PROTOS - Security Testing of Protocol Implementations" project [1].
This test-suite covers a limited set of information security and
robustness related implementation errors within the chosen focus area,
i.e. for a subset of the chosen protocol.
Important: Background, goals, limitations, terminology and licensing
for this test-suite release are explained in the
"Test-suite releases in Theory and Practice" document.
The purpose of this test-suite is to evaluate implementation level
security and robustness of Domain Name System (DNS)
implementations. The factors behind choosing DNS included:
- DNS is a fundamental infrastructure service of the Internet,
and most Internet applications are dependent on it.
- DNS implementations are ubiquitous, present in servers,
end-user equipment such as personal computers and mobile phones, and
in routers and firewalls. DNS may thus be a potential attack vector in
a variety of scenarios against a variety of systems and infrastructure
components.
- There are no free, publicly available robustness test suites to
evaluate DNS implementations.
This test material is scoped to include basic queries, dynamic
updates, basic responses, and zone transfers. The specifications
broadly describe which resource records we cover. This test material
is not specifically designed to uncover cache poisoning or address
spoofing vulnerabilities. The rationale for this scoping was:
- A desire to apply the test material to stub resolvers, caching servers,
authoritative servers and secondary servers.
- Zone transfers were speculated to exercise different code paths in
servers than basic responses. The case of dynamic updates versus
normal queries is thought to be similar.
- ...
The test material covers the following scenarios employing the DNS protocol:
- Scenario 1: test material -> [queries, dynamic DNS updates] -> DNS server
- Scenario 2: test material -> [query replies] -> DNS server
- Scenario 3: test material -> [query replies] -> DNS stub resolver (client)
- Scenario 4: test material -> [zone transfers] -> secondary DNS server
Three test material packages were generated for these scenarios. The
query material covers scenario 1, the response material covers
scenarios 2-3 and the zone transfer material is responsible for
scenario 4.
The available standards were studied and analysed. The relevant
specifications are listed below.
- RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION [2]
- RFC 2929 - Domain Name System (DNS) IANA Considerations [3]
- RFC 2136 - Dynamic Updates in the Domain Name System (DNS UPDATE) [4]
- RFC 2671 - Extension Mechanisms for DNS (EDNS0) [5]
- RFC 3007 - Secure Domain Name System (DNS) Dynamic Update [6]
- RFC 2845 - Secret Key Transaction Authentication for DNS (TSIG) [7]
- RFC 2065 - Secret Key Transaction Authentication for DNS (TSIG) [8]
- RFC 2874 - DNS Extensions to Support IPv6 Address Aggregation and Renumbering [9]
- RFC 2535 - Domain Name System Security Extensions [10]
- RFC 2931 - DNS Request and Transaction Signatures (SIG(0)s) [11]
A survey of available implementations is conducted. This should
include a diverse selection of implementations in order to gain better
insight into the applications implementing the protocol and to give a
hint on the impact of potential vulnerabilities. A subset of the
implementations is chosen to be tested during the test-suite creation
and prerelease phases.
Additional lists of vendors, specific implementations and related
information may be found from the following resources:
- DNS Resources Directory [12]
- fpdns - Fingerprinting DNS servers [13]
A body of implementations was chosen as a sample set to be tested
during the test-suite creation and pre-release phases. Most likely
reasons for omission of a specific product from the sample set
include:
- no evaluation copy of the product was available
- a restrictive licence prohibited evaluation
- we were not aware of the product
The methods of delivering the test cases to the
implementations under test are identified and analysed in
the injection vector survey. Often there are various injection methods
which cannot all be covered in the test-suite. Lower-priority vectors
that are not available in all implementations might be missed by the
survey.
Injection vector survey

Application protocol | Transport protocol | Packet
DNS | UDP (port 53) | All DNS packets
DNS | TCP (port 53) | All DNS packets
DNS | UDP (port 5353) | Multicast DNS packets
This test suite does not support the injection of Multicast DNS
packets. Multicast DNS was also not specifically considered during
test design.
Injection using TCP was selected for the test set. Queries are usually
performed via UDP, and some implementations send UDP replies to TCP
requests. A TCP-UDP proxy was written to enable communication with
these subjects.
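As an added illustration (this is not code from the PROTOS test suite), the following Python sketch shows the framing difference such a TCP-UDP proxy has to bridge: over TCP every DNS message carries a two-octet length prefix (RFC 1035, section 4.2.2), while over UDP the datagram boundary is the message boundary. The stream splitter handles partial frames and several frames in one read; the relay at the bottom uses only the standard library, and its listen and target addresses are placeholders for the test tool and the implementation under test.

```python
# Added example (not part of the PROTOS test suite): DNS TCP framing and
# a minimal TCP-to-UDP relay. Over TCP each DNS message is prefixed with
# a two-octet big-endian length (RFC 1035 section 4.2.2); over UDP the
# datagram itself delimits the message. Addresses below are placeholders.
import socket
import struct

MAX_DNS_TCP_MESSAGE = 65535


def frame_for_tcp(message: bytes) -> bytes:
    """Prefix a UDP-style DNS message with its 16-bit length for TCP."""
    if len(message) > MAX_DNS_TCP_MESSAGE:
        raise ValueError("DNS message too large for a TCP length prefix")
    return struct.pack("!H", len(message)) + message


def split_tcp_stream(buf: bytes):
    """Split a TCP byte stream into complete DNS messages.

    Returns (messages, remainder): the complete messages found and the
    unconsumed tail (a partial frame awaiting more bytes). A zero-length
    frame is returned as an empty message instead of being skipped, so
    the caller decides how to treat it and the loop cannot stall on it.
    """
    messages = []
    pos = 0
    while len(buf) - pos >= 2:
        (length,) = struct.unpack_from("!H", buf, pos)
        if len(buf) - pos - 2 < length:
            break  # partial frame: wait for more data
        messages.append(buf[pos + 2 : pos + 2 + length])
        pos += 2 + length
    return messages, buf[pos:]


def relay_tcp_to_udp(listen_addr=("127.0.0.1", 5300), udp_target=("127.0.0.1", 53)):
    """Accept one TCP connection, forward each DNS message to a UDP
    server and return the UDP reply on the TCP connection.
    listen_addr and udp_target are placeholders (test tool side and
    implementation under test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen_addr)
        srv.listen(1)
        conn, _ = srv.accept()
        with conn, socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            udp.settimeout(2.0)
            pending = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                pending += chunk
                messages, pending = split_tcp_stream(pending)
                for msg in messages:
                    udp.sendto(msg, udp_target)
                    try:
                        reply, _ = udp.recvfrom(65535)
                    except socket.timeout:
                        continue  # no UDP answer: keep relaying later frames
                    conn.sendall(frame_for_tcp(reply))


if __name__ == "__main__":
    relay_tcp_to_udp()
```

The splitter is the part worth getting right: a proxy that assumes one `recv` returns exactly one frame will mis-parse as soon as the test tool pipelines cases or the kernel coalesces segments, and the resulting confusion is easy to mistake for a failure of the implementation under test.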
Message sequence for scenario 1:

    test tool  ---- query ---->  DNS server [test subject]

Message sequence for scenario 2:

    DNS resolver  ---- query ---->  DNS server [test subject]  ---- rec. query ---->  test tool
    DNS resolver  <--- reply -----  DNS server [test subject]  <--- rec. query reply --  test tool

Message sequence for scenario 3:

    DNS resolver [test subject]  ---- query ---->  test tool
    DNS resolver [test subject]  <--- reply -----  test tool

Message sequence for scenario 4 (three message exchanges):

    First message exchange:
        test tool  ---- notify ---->  DNS server [test subject]
        test tool  <--- notify response ----  DNS server [test subject]

    Second message exchange:
        DNS server [test subject]  ---- SOA query ---->  test tool
        DNS server [test subject]  <--- SOA response ----  test tool

    Third message exchange:
        test tool  ---- zone transfer ---->  DNS server [test subject]

The exceptional elements are delivered in the third exchange.
Protocol data unit specifications are used as a basis for generating
the test-cases. The starting point for the design of the test-suite is
to acquire or create a machine-readable representation of the protocol
specification. The test-tool then utilises a custom dialect of BNF
(Backus-Naur Form). BNF is capable of describing the
context-free syntax of a specification, but is often insufficient for
automated test-case generation. The specification is completed by
rules which maintain semantic validity and provide
communication channels necessary to simulate the protocol.
Most DNS data is conveyed in structures called resource records, so
much of the testing effort is centred on them. All resource record
types are coarsely tested, but the structure of the following types is
given more attention.
- HINFO: Host information
- MINFO: Mailbox or mailing list information
- MX: Mail exchanger
- NULL: Null record
- SOA: Start of authority marking the start of a zone
- TXT: Text string
- NXT: Next domain
- WKS: Well-known service, information about services at a host
- A6: IPv6 addresses
- OPT: DNS extension EDNS0
- KEY: DNSSEC public key
- TSIG: Transaction signature
- SIG: Public key signature
An exceptional element is a piece of data designed to
provoke undesired behaviour of the test subject. A single test-case
contains one or a few exceptional elements. An exceptional element can
violate the protocol specification, although it often can be
considered legal or in the hazy region between legal and illegal
constructs. An exceptional element is an input that might not have
been considered properly when implementing the software.
The following table lists the categories of the exceptional elements
designed for the test-material:

Exceptional Element Categories

Name | Description
ee-empty | Omitted element
ee-bit | Both one bit values
ee-3bit | All 3-bit combinations
ee-4bit | Some 4-bit combinations
ee-8bit | Some 8-bit combinations
ee-16bit | Some 16-bit combinations
ee-32bit-short | Incomplete 32-bit values
ee-32bit-time | Some 32-bit timestamp values
ee-dns-offset-answer | Domain name pointer anomalies with respect to a certain part of the packet
ee-dns-offset-authority | Domain name pointer anomalies with respect to a certain part of the packet
ee-dns-offset-query | Domain name pointer anomalies with respect to a certain part of the packet
ee-name-pointer | Generic domain name pointer anomalies
ee-pointer-short-resolver | Recursive pointers for resolver queries, for limited-sized packets
ee-pointer-short-zone | Recursive pointers for zone transfer replies, for limited-sized packets
ee-pointer-long-resolver | Recursive pointers for resolver queries
ee-pointer-long-zone | Recursive pointers for zone transfer replies
ee-namesegment | Exceptional domain name segments including overflows and format strings
ee-ip-address | Some IPv4 addresses
ee-overflow-binary | Overflows of 0x00 and 0xff
ee-overflow-binary-large | Longer overflows of 0x00 and 0xff
ee-general-utf8 | Some exceptional utf8-encodings
ee-sql-meta | Some exceptional sql commands
ee-string | Exceptional strings including overflows and format strings
ee-repeat | Repeated element
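The name-pointer categories above (ee-name-pointer, ee-pointer-short-*, ee-pointer-long-*, ee-dns-offset-*) and the name-segment overflows are the classic way a DNS parser ends up reading outside its buffer or looping forever. As an added example, written here rather than taken from the PROTOS material, the following Python reader decodes a compressed domain name while enforcing the RFC 1035 limits (63-octet labels, 255-octet names, backward-only pointers, no revisited pointer targets, no reads past the packet). The sample packets at the bottom are constructed for the demonstration and are not test cases from the suite.

```python
# Added example, not code from the PROTOS test suite: a DNS name reader
# that rejects the pointer and label anomalies a robust parser must survive.
# RFC 1035: label <= 63 octets, name <= 255 octets, compression pointers
# (top two bits 11) must refer to a prior occurrence in the packet.
import struct

MAX_LABEL = 63
MAX_NAME = 255


class DnsFormatError(ValueError):
    """Raised for any wire-format violation; the caller drops the packet."""


def read_name(packet: bytes, offset: int):
    """Decode a possibly compressed name at offset.

    Returns (labels, next_offset); next_offset is the position just after
    the name as written in the packet (a pointer ends the in-place name).
    """
    labels = []
    total = 0              # decoded octets, to enforce MAX_NAME
    end_of_name = None     # set when the first pointer is followed
    seen = set()           # pointer targets already visited
    pos = offset
    while True:
        if pos >= len(packet):
            raise DnsFormatError("name runs past end of packet")
        length = packet[pos]
        kind = length & 0xC0
        if kind == 0xC0:                                  # compression pointer
            if pos + 1 >= len(packet):
                raise DnsFormatError("truncated compression pointer")
            target = struct.unpack_from("!H", packet, pos)[0] & 0x3FFF
            if target >= pos:
                raise DnsFormatError("forward or self compression pointer")
            if target in seen:
                raise DnsFormatError("compression pointer loop")
            seen.add(target)
            if end_of_name is None:
                end_of_name = pos + 2
            pos = target
            continue
        if kind != 0x00:                                  # 01 and 10 are reserved
            raise DnsFormatError("reserved label type")
        if length == 0:                                   # root label ends the name
            return labels, (end_of_name if end_of_name is not None else pos + 1)
        if length > MAX_LABEL:
            raise DnsFormatError("label longer than 63 octets")
        total += length + 1
        if total > MAX_NAME:
            raise DnsFormatError("name longer than 255 octets")
        if pos + 1 + length > len(packet):
            raise DnsFormatError("label runs past end of packet")
        labels.append(bytes(packet[pos + 1 : pos + 1 + length]))
        pos += 1 + length


def read_question(packet: bytes):
    """Parse the first question of a message; returns (name, qtype, qclass)."""
    if len(packet) < 12:
        raise DnsFormatError("header shorter than 12 octets")
    labels, pos = read_name(packet, 12)
    if pos + 4 > len(packet):
        raise DnsFormatError("question fields truncated")
    qtype, qclass = struct.unpack_from("!HH", packet, pos)
    return b".".join(labels).decode("ascii", "backslashreplace"), qtype, qclass


def classify(packet: bytes) -> str:
    """Return 'ok' or the reason the packet was rejected."""
    try:
        read_question(packet)
        return "ok"
    except DnsFormatError as err:
        return str(err)


# Constructed samples (not PROTOS test cases): header with ID 0x1234, RD set,
# one question; the name starts at offset 12.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
VALID = HEADER + b"\x03www\x07example\x00" + struct.pack("!HH", 1, 1)
SELF_LOOP = HEADER + b"\xc0\x0c" + struct.pack("!HH", 1, 1)          # points to itself
FORWARD = HEADER + b"\xc0\x0e" + struct.pack("!HH", 1, 1)            # points ahead
BACK_LOOP = HEADER + b"\x03abc\xc0\x0c" + struct.pack("!HH", 1, 1)   # abc -> abc -> ...
OVERRUN = HEADER + b"\x3fabcd"                                       # 63-octet label, 4 present
```

Two design choices matter here. Pointers are only allowed to go backwards, which by itself makes unbounded recursion impossible, and visited targets are still tracked so that a backward pointer into a label sequence that ends in the same pointer (the `BACK_LOOP` sample) is caught rather than consuming the 255-octet budget first. Every length is checked against `len(packet)` before the slice, so a claimed rdlength or label length larger than the remaining data is a clean rejection instead of an over-read.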
The test-material consists of test-cases simulating hostile input to
the implementation under test. A test-case contains one or more
exceptional elements, other elements being in their default state as
exhibited by test case #1, i.e. the default case. Cases are arranged
into test-groups, each covering a certain part of PDUs or containing
similar anomalies. Details for the test messages are presented in the
table below.
Test-groups for server queries

Name | Exceptional Elements | Test cases | First index | Last index
query-valid | - | 1 | 0 | 0
query-qtype | ee-16bit | 9 | 1 | 9
query-qclass | ee-16bit | 9 | 10 | 18
query-opcode | ee-4bit | 16 | 19 | 34
query-rcode | ee-4bit | 16 | 35 | 50
query-qdcount | ee-16bit | 9 | 51 | 59
query-ancount | ee-16bit | 9 | 60 | 68
query-nscount | ee-16bit | 9 | 69 | 77
query-arcount | ee-16bit | 9 | 78 | 86
query-qname | ee-name-pointer | 17 | 87 | 103
query-qname+rrtype | ee-namesegment, ee-general-utf8, ee-sql-meta | 9120 | 104 | 9223
answer-rrtype | ee-16bit | 8 | 9224 | 9231
answer-class | ee-32bit-short | 8 | 9232 | 9239
answer-ttl | ee-32bit-short | 4 | 9240 | 9243
answer-rdlength | ee-16bit | 8 | 9244 | 9251
additional-pointer-short | ee-pointer-short | 3 | 9252 | 9254
additional-pointer-long | ee-pointer-long | 3 | 9255 | 9257
additional-mx | ee-16bit | 8 | 9258 | 9265
additional-nxt | ee-overflow-binary-large | 32 | 9266 | 9297
additional-txt | ee-string | 67 | 9298 | 9364
additional-txt-repeat | ee-repeat | 6 | 9365 | 9370
additional-a6 | ee-8bit | 7 | 9371 | 9377
additional-tsig-algo-name | ee-namesegment, ee-general-utf8, ee-sql-meta | 160 | 9378 | 9537
additional-tsig-mac-size | ee-16bit | 8 | 9538 | 9545
additional-tsig-other-data | ee-string | 67 | 9546 | 9612
additional-tsig-other-len | ee-16bit | 8 | 9613 | 9620
additional-edns-opt-multiple | ee-repeat | 6 | 9621 | 9626
additional-edns-opt-data | ee-string | 67 | 9627 | 9693
additional-edns-opt-data-repeat | ee-repeat | 6 | 9694 | 9699
additional-edns-opt-payload | ee-16bit | 8 | 9700 | 9707
additional-edns-flags | ee-16bit | 8 | 9708 | 9715
additional-edns-rcode | ee-16bit | 8 | 9716 | 9723
additional-sig-signer | ee-namesegment, ee-general-utf8, ee-sql-meta | 160 | 9724 | 9883
additional-sig-repeat | ee-repeat | 6 | 9884 | 9889
additional-sig-labels | ee-8bit | 7 | 9890 | 9896
update-rrtype | ee-empty, ee-16bit | 9 | 9897 | 9905
update-domainname-1 | ee-namesegment, ee-general-utf8, ee-sql-meta | 160 | 9906 | 10065
update-domainname-2 | ee-namesegment, ee-general-utf8, ee-sql-meta | 160 | 10066 | 10225
update-domainname-3 | ee-namesegment, ee-general-utf8, ee-sql-meta | 160 | 10226 | 10385
update-key-flags | ee-16bit | 8 | 10386 | 10393
update-key-publickey | ee-string | 67 | 10394 | 10460
Test-groups for server responses

Name | Exceptional Elements | Test cases | First index | Last index
response-valid | - | 1 | 0 | 0
response-header-opcode | ee-4bit | 16 | 1 | 16
response-header-rcode | ee-4bit | 16 | 17 | 32
response-header-qdcount | ee-16bit, ee-empty | 9 | 33 | 41
response-header-ancount | ee-16bit, ee-empty | 9 | 42 | 50
response-header-nscount | ee-16bit, ee-empty | 9 | 51 | 59
response-header-arcount | ee-16bit, ee-empty | 9 | 60 | 68
response-answer-rrtype | ee-16bit, ee-empty | 9 | 69 | 77
response-answer-class | ee-16bit, ee-empty | 9 | 78 | 86
response-answer-ttl | ee-32bit-short | 5 | 87 | 91
response-answer-rdlength | ee-16bit, ee-empty | 9 | 92 | 100
response-answer-domainname-repeat | ee-repeat | 6 | 101 | 106
response-answer-a | ee-ip-address | 25 | 107 | 131
response-answer-a-repeat | ee-repeat | 6 | 132 | 137
response-answer-rrtype-with-rdata-domainname | ee-namesegment, ee-general-utf8, ee-sql-meta | 9120 | 138 | 9257
response-answer-rdata-minfo | ee-namesegment, ee-general-utf8, ee-sql-meta | 160 | 9258 | 9417
response-answer-rdata-wks-a | ee-ip-address | 25 | 9418 | 9442
response-answer-rdata-wks-protocol | ee-8bit | 7 | 9443 | 9449
response-answer-rdata-wks-bitmap | ee-overflow-binary-large | 32 | 9450 | 9481
response-answer-rdata-nxt-bitmap | ee-overflow-binary-large | 32 | 9482 | 9513
response-answer-rdata-a6-prefix-with-suffix | ee-8bit, ee-overflow-binary | 98 | 9514 | 9611
response-answer-rdata-soa-timestamps | ee-32bit-time | 32 | 9612 | 9643
response-answer-rdata-soa-mname-with-rname | ee-namesegment, ee-general-utf8, ee-sql-meta | 160 | 9644 | 9803
response-answer-rdata-mx-preference | ee-16bit | 8 | 9804 | 9811
response-answer-rdata-null | ee-namesegment, ee-general-utf8, ee-sql-meta | 160 | 9812 | 9971
response-answer-rdata-hinfo | ee-namesegment, ee-general-utf8, ee-sql-meta | 159 | 9972 | 10130
response-answer-rdata-txt | ee-string, ee-general-utf8, ee-sql-meta | 159 | 10131 | 10289
response-answer-rdata-txt-repeat | ee-repeat | 6 | 10290 | 10295
response-additional-domainname-pointer-1 | ee-dns-offset-query | 23 | 10296 | 10318
response-additional-domainname-pointer-2 | ee-dns-offset-answer | 23 | 10319 | 10341
response-additional-domainname-pointer-3 | ee-dns-offset-authority | 23 | 10342 | 10364
response-authority-domainname-pointer-repeat | ee-dns-offset-query | 1 | 10365 | 10365
response-authority-domainname-pointer-1 | ee-dns-offset-query | 23 | 10366 | 10388
response-authority-domainname-pointer-2 | ee-dns-offset-answer | 23 | 10389 | 10411
response-answer-domainname-pointer-repeat | ee-dns-offset-query, ee-repeat | 1 | 10412 | 10412
response-answer-domainname-pointer | ee-dns-offset-query, ee-repeat | 23 | 10413 | 10435
response-additional-tsig-algo-name | ee-namesegment, ee-general-utf8, ee-sql-meta | 160 | 10436 | 10595
response-additional-tsig-mac-size | ee-16bit | 8 | 10596 | 10603
response-additional-tsig-other-data | ee-string, ee-general-utf8, ee-sql-meta | 159 | 10604 | 10762
response-additional-tsig-other-len | ee-16bit | 8 | 10763 | 10770
response-additional-edns-opt-multiple | ee-repeat | 6 | 10771 | 10776
response-additional-edns-opt-data | ee-string, ee-general-utf8, ee-sql-meta | 159 | 10777 | 10935
response-additional-edns-opt-data-multiple | ee-repeat | 6 | 10936 | 10941
response-additional-edns-opt-payload | ee-16bit | 8 | 10942 | 10949
response-additional-edns-flags | ee-16bit | 8 | 10950 | 10957
response-additional-edns-rcode | ee-16bit | 8 | 10958 | 10965
response-additional-sig(0)-signer | ee-namesegment, ee-general-utf8, ee-sql-meta | 160 | 10966 | 11125
response-additional-sig(0)-multi | ee-repeat | 6 | 11126 | 11131
response-additional-sig(0)-labels | ee-8bit | 7 | 11132 | 11138
Test-groups for zone transfer responses

Name | Exceptional Elements | Test cases | First index | Last index
zone-transfer-valid | - | 1 | 0 | 0
zone-transfer-header-opcode | ee-4bit | 16 | 1 | 16
zone-transfer-header-rcode | ee-4bit | 16 | 17 | 32
zone-transfer-header-qdcount | ee-16bit, ee-empty | 9 | 33 | 41
zone-transfer-header-ancount | ee-16bit, ee-empty | 9 | 42 | 50
zone-transfer-header-nscount | ee-16bit, ee-empty | 9 | 51 | 59
zone-transfer-header-arcount | ee-16bit, ee-empty | 9 | 60 | 68
zone-transfer-header-rrtype | ee-16bit, ee-empty | 9 | 69 | 77
zone-transfer-header-class | ee-16bit, ee-empty | 9 | 78 | 86
zone-transfer-header-ttl | ee-32bit-short | 5 | 87 | 91
zone-transfer-header-rdlength | ee-16bit, ee-empty | 9 | 92 | 100
zone-transfer-answer-domainname-repeat | ee-repeat | 6 | 101 | 106
zone-transfer-answer-a | ee-ip-address | 25 | 107 | 131
zone-transfer-answer-a-repeat | ee-repeat | 6 | 132 | 137
zone-transfer-answer-rrtype-with-rdata-domainname | ee-namechar, ee-general-utf8, ee-sql-meta | 9120 | 138 | 9257
zone-transfer-answer-rdata-minfo | ee-namechar, ee-general-utf8, ee-sql-meta | 160 | 9258 | 9417
zone-transfer-answer-rdata-wks-a | ee-ip-address | 25 | 9418 | 9442
zone-transfer-answer-rdata-wks-protocol | ee-8bit | 7 | 9443 | 9449
zone-transfer-answer-rdata-wks-bitmap | ee-overflow-binary-large | 32 | 9450 | 9481
zone-transfer-answer-rdata-nxt-bitmap | ee-overflow-binary-large | 32 | 9482 | 9513
zone-transfer-answer-rdata-a6-prefix-with-suffix | ee-8bit, ee-overflow-binary | 98 | 9514 | 9611
zone-transfer-answer-rdata-soa-timestamps | ee-32bit-time | 32 | 9612 | 9643
zone-transfer-answer-rdata-soa-mname-with-rname | ee-namechar, ee-general-utf8, ee-sql-meta | 160 | 9644 | 9803
zone-transfer-answer-rdata-mx-preference | ee-16bit | 8 | 9804 | 9811
zone-transfer-answer-rdata-null | ee-namechar, ee-general-utf8, ee-sql-meta | 160 | 9812 | 9971
zone-transfer-answer-rdata-hinfo | ee-namechar, ee-general-utf8, ee-sql-meta | 160 | 9972 | 10131
zone-transfer-answer-rdata-txt | ee-string, ee-general-utf8, ee-sql-meta | 159 | 10132 | 10290
zone-transfer-answer-rdata-txt-repeat | ee-repeat | 6 | 10291 | 10296
zone-transfer-answer-pointer | ee-name-pointer | 17 | 10297 | 10313
zone-transfer-answer-pointer-repeat | ee-pointer-short-zone | 3 | 10314 | 10316
zone-transfer-answer-pointer-repeat-more | ee-pointer-long-zone | 3 | 10317 | 10319
zone-transfer-additional-tsig-algo-name | ee-namechar, ee-general-utf8, ee-sql-meta | 160 | 10320 | 10479
zone-transfer-additional-tsig-mac-size | ee-16bit | 8 | 10480 | 10487
zone-transfer-additional-tsig-other-data | ee-string, ee-general-utf8, ee-sql-meta | 159 | 10488 | 10646
zone-transfer-additional-tsig-other-len | ee-16bit | 8 | 10647 | 10654
zone-transfer-additional-edns-opt-multiple | ee-repeat | 6 | 10655 | 10660
zone-transfer-additional-edns-opt-data | ee-string, ee-general-utf8, ee-sql-meta | 159 | 10661 | 10819
zone-transfer-additional-edns-opt-data-multiple | ee-repeat | 6 | 10820 | 10825
zone-transfer-additional-edns-opt-payload | ee-16bit | 8 | 10826 | 10833
zone-transfer-additional-edns-flags | ee-16bit | 8 | 10834 | 10841
zone-transfer-additional-edns-rcode | ee-16bit | 8 | 10842 | 10849
zone-transfer-additional-sig(0)-signer | ee-namechar, ee-general-utf8, ee-sql-meta | 160 | 10850 | 11009
zone-transfer-additional-sig(0)-multi | ee-repeat | 6 | 11010 | 11015
zone-transfer-additional-sig(0)-labels | ee-8bit | 7 | 11016 | 11022
Legend:
- "Name" column represents the tag-names of the test-groups. Tags
reflect the field and element names in the protocol specification.
Tags can be used to follow which parts of the PDUs are being tested.
- "Exceptional Elements" column describes which exceptional element
categories are integrated in the test-group.
- "Test Cases", "First Index" and "Last Index" columns describe the
number of cases and the first and last test-case index in the
test-group.
Test-runs were conducted against the chosen sample of
implementations. Specifications, exceptional elements, semantic rules,
injectors and instrumentation were integrated as a test-tool
configuration to enable automatic execution of the tests.
The test-tool provides communication rules for test-case
injection, using a TCP server and client sockets. A TCP-UDP proxy
program is provided for handling UDP messages, as required by most
scenarios.
To test a DNS resolver implementation using the response test material,
the resolver implementation should be configured to send DNS queries to
the host running the response test tool.
To test a DNS server implementation using the response test
material, the DNS server should be configured to forward all queries to
the host running the response test tool. Repeated DNS A queries for
unique names should be addressed to the tested DNS server. It is
important for the queried domain names to be unique to prevent the
tested DNS server from caching the answers. The DNS server should then
forward queries to the response test tool, which will reply with
response test cases that will be processed by the DNS server before
being forwarded to the originator of the query.
To test a DNS server implementation using the query test material,
the DNS server should be configured to answer queries from the host
running the test tool. The query test tool will then send successive
DNS queries containing test cases to the tested DNS server.
To test a DNS server using the zone transfer test material, the
tested implementation should be configured to act as a slave server
for the zone "protos.invalid.", and the address of the host running
the zone transfer test tool should be configured as a master of that
zone. The tested DNS server is sent DNS NOTIFY messages, and it should
connect back to the test tool to receive zone transfer test cases
after each respective NOTIFY message.
The implementation under test is monitored for undesired behaviour that
could have security implications. Instrumentation methods can roughly
be divided into two categories.
Out-of-band instrumentation on the target platform includes
debuggers, resource monitoring or custom-made tools used to extract
information from the implementation under test. Unfortunately, the
modern trend of abusing try-catch type constructs
easily masks the exceptions generated by stack and memory corruption.
Catching these hidden exceptions relies on the debugging skills of the
developers themselves. Out-of-band instrumentation is often the
preferred form of instrumentation.
In in-band instrumentation the implementation is monitored
via the injection vector, i.e. the same interface used to deliver the
test-cases. While not necessarily checked for protocol conformance,
absent or malformed responses can often reveal anomalous conditions
such as denial of service. Also, the ability to accept subsequent
test-cases indicates how they affect the performance of the target
implementation. Especially with embedded devices, this form of
instrumentation may be the only option easily available.
A valid case for in-band instrumentation will be bundled with the
test-material.
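The in-band check described above amounts to sending the valid case through the injection vector after each test case and looking at whether, and how, the target answers. As an added example, not the PROTOS tool itself, the following Python probe builds a minimal A query for a unique name (so a caching server cannot answer from cache, as the response-material procedure requires), sends it over UDP with a timeout, and classifies the result as responsive, malformed or silent. The target address is a placeholder for the implementation under test; the zone name follows the "protos.invalid." zone used in the zone transfer procedure.

```python
# Added example, not code from the PROTOS test suite: a valid-case
# in-band probe. After each test case the valid query is sent through the
# same interface and the reply is judged on its header alone: matching
# ID, QR bit set, one question echoed, and an RCODE a healthy server
# would give for a name that does not exist.
import os
import socket
import struct
from typing import Optional

VERDICT_RESPONSIVE = "responsive"   # sane reply with matching ID
VERDICT_MALFORMED = "malformed"     # something came back, but not a sane DNS reply
VERDICT_SILENT = "silent"           # nothing came back before the timeout


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_probe_query(txid: int, name: str) -> bytes:
    """A minimal A/IN query: flags 0x0100 (RD set), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def classify_reply(txid: int, reply: Optional[bytes]) -> str:
    """Judge the reply to a probe; None means the socket timed out."""
    if reply is None:
        return VERDICT_SILENT
    if len(reply) < 12:
        return VERDICT_MALFORMED
    rid, flags, qdcount = struct.unpack_from("!HHH", reply, 0)
    is_response = bool(flags & 0x8000)
    rcode = flags & 0x000F
    # NOERROR (0) or NXDOMAIN (3) are the healthy outcomes for a valid
    # query; FORMERR or SERVFAIL on the valid case is itself a symptom.
    if rid != txid or not is_response or qdcount != 1 or rcode not in (0, 3):
        return VERDICT_MALFORMED
    return VERDICT_RESPONSIVE


def probe(target=("127.0.0.1", 53), timeout: float = 2.0) -> str:
    """Send one valid-case probe with a unique name and classify the reply.
    target is a placeholder for the implementation under test."""
    txid = int.from_bytes(os.urandom(2), "big")
    # A fresh label per probe so a caching server cannot answer from cache.
    name = "probe-%s.protos.invalid" % os.urandom(4).hex()
    query = build_probe_query(txid, name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, target)
        try:
            reply, _ = sock.recvfrom(65535)
        except socket.timeout:
            reply = None
    return classify_reply(txid, reply)


if __name__ == "__main__":
    print(probe())
```

A run of `silent` verdicts after a particular test case is the in-band signature of a hang or crash, and a `malformed` verdict on the valid case (wrong ID, SERVFAIL, truncated header) is the signature of a target that is still up but no longer parsing correctly; either one is the cue to check the out-of-band instrumentation for that case index.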
Results from the test-runs are summarised herein. The tables below
represent the observations from feeding the test-material to the
chosen subject software. Product names of the actual subjects are
omitted to protect the innocent. Results are presented in tabular
form, with test-cases divided into test-groups based on the exceptional
element types utilised and the PDU fields under examination.
Each failed test-case represents, at minimum, a denial of service
opportunity arising from the found vulnerability. In most cases, failures
represent memory corruption, stack corruption or other fatal error
conditions. Some of these may expose the implementation to typical
buffer overflow exploits, allowing arbitrary code to be run or the
system to be modified.
The verdict failed is given if any of the following
criteria is met and a single test-case can be identified as
responsible:
- A device undergoes a fatal failure and stops functioning normally.
- A process or a device crashes or hangs and needs to be restarted
manually.
- A process or a device crashes and restarts automatically.
- A process consumes CPU and/or memory resources for an exceptionally
long or indefinite time, thus causing at least a denial of service.
If no single test-case can be identified but similar effects are
observed, the verdict is inconclusive.
Sometimes a subject gets corrupted so badly, or is fundamentally so
unstable, that there is no way to collect accurate test-results for the
whole test-run. Untested regions are marked as unknown.
Otherwise, the verdict is passed.
Test-results for the query material

Test-group / Test-run # | tr-001 | tr-002 | tr-005 | tr-006 | tr-008 | tr-009
query-qtype | - | - | - | - | - | -
query-qclass | - | - | - | - | - | -
query-opcode | - | - | - | - | - | -
query-rcode | - | - | - | - | - | -
query-qdcount | - | - | - | - | - | -
query-ancount | - | - | - | - | - | -
query-nscount | - | - | - | - | - | -
query-arcount | - | - | - | - | - | -
query-qname | - | - | - | X | - | -
query-qname+rrtype | - | - | - | - | - | -
answer-rrtype | - | - | - | - | - | -
answer-class | - | - | - | - | - | -
answer-ttl | - | - | - | - | - | -
answer-rdlength | - | - | - | - | - | -
additional-pointer-short | - | - | - | - | - | -
additional-pointer-long | - | - | - | - | - | -
additional-mx | - | - | - | - | - | -
additional-nxt | - | - | - | X | - | -
additional-txt | - | - | - | - | - | -
additional-txt-repeat | - | - | - | - | - | -
additional-a6 | - | - | - | - | - | -
additional-tsig-algo-name | - | - | - | - | - | -
additional-tsig-mac-size | - | - | - | - | - | -
additional-tsig-other-data | - | - | - | - | - | -
additional-tsig-other-len | - | - | - | - | - | -
additional-edns-opt-multiple | - | - | - | - | - | -
additional-edns-opt-data | - | - | - | - | - | -
additional-edns-opt-data-repeat | - | - | - | - | - | -
additional-edns-opt-payload | - | - | - | - | - | -
additional-edns-flags | - | - | - | - | - | -
additional-edns-rcode | - | - | - | - | - | -
additional-sig-signer | - | - | - | - | - | -
additional-sig-repeat | - | - | - | - | - | -
additional-sig-labels | - | - | - | - | - | -
update-rrtype | - | - | - | - | - | -
update-domainname-1 | - | - | - | - | - | -
update-domainname-2 | - | - | - | - | - | -
update-domainname-3 | - | - | - | - | - | -
update-key-flags | - | - | - | - | - | -
update-key-publickey | - | - | - | - | - | -
Test-results for the response material

Test-group / Test-run # | tr-000 | tr-003 | tr-010 | tr-011 | tr-012 | tr-013 | tr-014
response-header-opcode | - | - | - | - | - | - | -
response-header-rcode | - | - | - | - | - | - | -
response-header-qdcount | - | - | - | - | - | - | -
response-header-ancount | - | - | - | - | - | - | -
response-header-nscount | - | - | - | - | - | - | -
response-header-arcount | - | - | - | - | - | - | -
response-answer-rrtype | - | - | - | - | - | - | -
response-answer-class | - | - | - | - | - | - | -
response-answer-ttl | - | - | - | - | - | - | -
response-answer-rdlength | - | - | - | - | - | - | -
response-answer-domainname-repeat | - | - | - | - | - | - | -
response-answer-a | - | - | - | - | - | - | -
response-answer-a-repeat | - | - | - | - | - | - | -
response-answer-rrtype-with-rdata-domainname | - | - | - | - | - | - | X
response-answer-rdata-minfo | - | - | - | - | - | - | ?
response-answer-rdata-wks-a | - | - | - | - | - | - | ?
response-answer-rdata-wks-protocol | - | - | - | - | - | - | ?
response-answer-rdata-wks-bitmap | - | - | - | - | - | - | ?
response-answer-rdata-nxt-bitmap | - | - | - | - | - | X | ?
response-answer-rdata-a6-prefix-with-suffix | - | - | - | - | - | ? | ?
response-answer-rdata-soa-timestamps | - | - | - | - | - | ? | ?
response-answer-rdata-soa-mname-with-rname | - | - | - | - | - | ? | ?
response-answer-rdata-mx-preference | - | - | - | - | - | ? | ?
response-answer-rdata-null | - | - | - | - | - | ? | ?
response-answer-rdata-hinfo | - | - | - | - | - | ? | ?
response-answer-rdata-txt | - | - | - | - | - | ? | ?
response-answer-rdata-txt-repeat | - | - | - | - | - | ? | ?
response-additional-domainname-pointer-1 | - | - | - | - | - | ? | ?
response-additional-domainname-pointer-2 | - | - | - | - | - | ? | ?
response-additional-domainname-pointer-3 | - | - | - | - | - | ? | ?
response-authority-domainname-pointer-repeat | - | - | - | - | - | ? | ?
response-authority-domainname-pointer-1 | - | - | - | - | - | ? | ?
response-authority-domainname-pointer-2 | - | - | - | - | - | ? | ?
response-answer-domainname-pointer-repeat | - | - | - | - | - | ? | ?
response-answer-domainname-pointer | - | - | - | - | - | ? | ?
response-additional-tsig-algo-name | - | - | - | - | - | ? | ?
response-additional-tsig-mac-size | - | - | - | - | - | ? | ?
response-additional-tsig-other-data | - | - | - | - | - | ? | ?
response-additional-tsig-other-len | - | - | - | - | - | ? | ?
response-additional-edns-opt-multiple | X | - | - | - | - | ? | ?
response-additional-edns-opt-data | - | - | - | - | - | ? | ?
response-additional-edns-opt-data-multiple | - | - | - | - | - | ? | ?
response-additional-edns-opt-payload | - | - | - | - | - | ? | ?
response-additional-edns-flags | - | - | - | - | - | ? | ?
response-additional-edns-rcode | - | - | - | - | - | ? | ?
response-additional-sig(0)-signer | - | - | - | - | - | ? | ?
response-additional-sig(0)-multi | X | - | - | - | - | ? | ?
response-additional-sig(0)-labels | - | - | - | - | - | ? | ?
Test-results for the zone transfer material

Test-group / Test-run # | tr-004 | tr-007
zone-transfer-header-opcode | - | -
zone-transfer-header-rcode | - | -
zone-transfer-header-qdcount | - | -
zone-transfer-header-ancount | - | -
zone-transfer-header-nscount | - | -
zone-transfer-header-arcount | - | -
zone-transfer-header-rrtype | - | -
zone-transfer-header-class | - | -
zone-transfer-header-ttl | - | -
zone-transfer-header-rdlength | - | -
zone-transfer-answer-domainname-repeat | - | -
zone-transfer-answer-a | - | -
zone-transfer-answer-a-repeat | - | -
zone-transfer-answer-rrtype-with-rdata-domainname | - | -
zone-transfer-answer-rdata-minfo | - | -
zone-transfer-answer-rdata-wks-a | - | -
zone-transfer-answer-rdata-wks-protocol | - | -
zone-transfer-answer-rdata-wks-bitmap | - | -
zone-transfer-answer-rdata-nxt-bitmap | - | -
zone-transfer-answer-rdata-a6-prefix-with-suffix | - | -
zone-transfer-answer-rdata-soa-timestamps | - | -
zone-transfer-answer-rdata-soa-mname-with-rname | - | -
zone-transfer-answer-rdata-mx-preference | - | -
zone-transfer-answer-rdata-null | - | -
zone-transfer-answer-rdata-hinfo | - | -
zone-transfer-answer-rdata-txt | - | -
zone-transfer-answer-rdata-txt-repeat | - | -
zone-transfer-answer-pointer | - | -
zone-transfer-answer-pointer-repeat | - | -
zone-transfer-answer-pointer-repeat-more | - | -
zone-transfer-additional-tsig-algo-name | - | X
zone-transfer-additional-tsig-mac-size | - | -
zone-transfer-additional-tsig-other-data | - | X
zone-transfer-additional-tsig-other-len | - | -
zone-transfer-additional-edns-opt-multiple | - | -
zone-transfer-additional-edns-opt-data | - | -
zone-transfer-additional-edns-opt-data-multiple | - | -
zone-transfer-additional-edns-opt-payload | - | -
zone-transfer-additional-edns-flags | - | -
zone-transfer-additional-edns-rcode | - | -
zone-transfer-additional-sig(0)-signer | - | -
zone-transfer-additional-sig(0)-multiple | - | -
zone-transfer-additional-sig(0)-labels | - | -
Legend:
- nnn: Each different test-run (tr-nnn) represents a different tested implementation.
- X: Verdict is failed
- I: Verdict is inconclusive
- -: Verdict is passed
- ?: Verdict is unknown
Please note that if a subject fails in a format string (fmtstring)
test-group, the failure may be caused by a buffer overflow condition,
with the very long format string acting only as the trigger. Should an
implementation have failed in a format string category but not in the
preceding overflow category, it is then likely to contain a format
string type of vulnerability.
The results are further summarised in the table below.
Test-results summary
Test-run # | Total test-cases | Total groups | Failed groups (inconclusive)
tr-000 | 11138 | 49 | 2
tr-001 | 10460 | 41 | 0
tr-002 | 10460 | 41 | 0
tr-003 | 11138 | 49 | 0
tr-004 | 11022 | 44 | 0
tr-005 | 10460 | 41 | 0
tr-006 | 10460 | 41 | 1
tr-007 | 11022 | 44 | 2
tr-008 | 10460 | 41 | 0
tr-009 | 10460 | 41 | 0
tr-010 | 11138 | 49 | 0
tr-011 | 11138 | 49 | 0
tr-012 | 11138 | 49 | 0
tr-013 | 11138 | 49 | 1+
tr-014 | 11138 | 49 | 1+
To support the vulnerability reporting process, typically one exploit
per implementation is refined and included in the respective
vulnerability report. The exploit is only intended for demonstration
purposes and is harmless as it is. The simplest of them only execute
some harmless commands on the target system, typically with the
privileges of the vulnerable process. Some only provide a demonstration
by causing a Denial of Service (DoS) against the software.
To support the vulnerability reports to the respective vendors, the
following exploits were developed:
The test-material is distributed as a JAR package. The package
comprises the following elements:
- Test-cases, located in the testcases/ directory
- Codenomicon Toolkit Engine for feeding the test-cases against the system under test.
- LICENSE.TXT - License for the test-material package
- README.TXT - Very short instructions
The license allows free use and redistribution of the test-material
package. However, modifying the test-material package is not allowed
without permission. See the license file for more information.
We recommend some additional guidelines, although these do not
restrict the test-material licence. These guidelines can be found in
the "Test-suite releases in Theory and Practice" document.
A prerequisite for using the test-material is a properly configured
and started implementation, preferably not in an open network.
For the query test material, the tested implementation
should be configured to receive and process DNS queries on TCP port 53.
For the response test material, the tested implementation
should be configured to send DNS queries to TCP port 53 or UDP port 53,
and to process the resulting DNS responses.
For the zone transfer test material, the tested
implementation should be configured to receive DNS NOTIFY messages on TCP
port 53, and it should connect back to the test tool to receive the
zone transfer test case after each NOTIFY message.
In addition, Java is required to execute the test material packages,
and Python is needed to run the supplied TCP-UDP proxy. The package
has been tested on Java 2 Platform, Standard Edition (J2SE) version
1.4.2, and the proxy on Python version 2.3.4.
The test-material is used through a command line interface. The
test-material is run with java, using the -jar switch.
The command java -jar c09-dns-query-r1.jar --help displays the
built-in help for the available command line options:
--host host Target hostname or IP (required)
--port port Target port (53)
--timeout timeout Timeout (ms) to wait for reply (10000)
--index index Test case index, e.g. 0,1-6,50-
--delay delay Delay (ms) between test cases (1000)
--showsent Show sent messages (off)
--showreceived Show received messages (off)
--instrument Use valid-case instrumentation (off)
--validcase case Index to use in valid-case instrumentation (0)
--help Show command line help
The minimal command line required to run all test-cases against a
server at host 10.10.10.2 would then be java -jar
c09-dns-query-r1.jar --host 10.10.10.2.
The command java -jar c09-dns-response-r1.jar --help displays the
built-in help for the available command line options:
--sourceport port Source port (53)
--timeout timeout Timeout (ms) to wait for reply (10000)
--index index Test case index, e.g. 0,1-6,50-
--delay delay Delay (ms) between test cases (1000)
--showsent Show sent messages (off)
--showreceived Show received messages (off)
--instrument Use valid-case instrumentation (off)
--validcase case Index to use in valid-case instrumentation (0)
--help Show command line help
The minimal command line required to run the test-set would then be
java -jar c09-dns-response-r1.jar. The test-tool then functions as a
server and can be queried for test-cases by a desired test
subject. Note that running the test tool with the default port 53
requires administrative privileges on some systems.
Following is an example demonstrating test automation of the response
material. The included shell script uses the ISC dig tool as the test
subject, and sends the queries to the host supplied as its argument.
$ java -jar c09-dns-response-r1.jar &
[1] 13412
$ cat > query.sh
#!/bin/sh
set -x
n=`date +%s`
while true; do
dig @$1 $n.protos.invalid +time=1
n=`expr $n + 1`
done
$ chmod +x query.sh
$ ./query.sh localhost
Note that in most scenarios you need to employ the TCP-UDP proxy to
successfully use the response material!
The command java -jar c09-dns-zonetransfer-r1.jar --help displays the
built-in help for the available command line options:
--host host Target hostname or IP (required)
--port port Target port (53)
--sourceport port Source port (53)
--timeout timeout Timeout (ms) to wait for reply (10000)
--index index Test case index, e.g. 0,1-6,50-
--delay delay Delay (ms) between test cases (1000)
--showsent Show sent messages (off)
--showreceived Show received messages (off)
--instrument Use valid-case instrumentation (off)
--validcase case Index to use in valid-case instrumentation (0)
--help Show command line help
The minimal command line required to run all test-cases against host
10.10.10.2 would then be java -jar c09-dns-zonetransfer-r1.jar --host
10.10.10.2. The test-tool then functions as an authoritative name
server supplying zone information records to the test subject. Note
that running the test tool with the default port 53 requires
administrative privileges on some systems.
Note that in most scenarios you need to employ the TCP-UDP proxy to
successfully use the zone transfer material!
The udpproxy.py program is meant to accompany the PROTOS DNS test
material. Run it on the same computer that the DNS jar is running on,
and it will handle UDP-TCP translation of DNS messages so that the test
tool can receive DNS messages sent over UDP. The command udpproxy.py
--help displays the built-in help for the available command line
options:
-h --help This text
-l --listenport NNN UDP port to listen on
-e --testtoolport NNN TCP port used by the test tool on this computer
-a --targetport NNN TCP port of target, for TCP replies
-d --duptimeout Discard duplicate packets received within 1 second
-x --hexdumps Display hex dumps of proxied traffic
(requires the "xxd" program in path)
All ports default to 53 (standard DNS port), and the default will work
unless you have configured the test tool or test subject to use
nonstandard port(s). Note that running udpproxy with the default port
53 requires administrative privileges on some systems.
Usage examples of udpproxy with the test material:
* Testing resolvers:
Execute the following commands on the test server machine:
java -jar c09-dns-response-r1.jar > testtool.out 2>&1
udpproxy.py --duptimeout
Execute a command loop on the test client machine:
(while sleep 1; do testsubject 2>&1; done) > testsubject.out
If the test subject uses TCP in queries, the proxy is not needed and
the packet flow during testing is simple:
                    2. TCP
test tool -------------------------> test subject
    ^                                     |
    |              1. TCP                 |
    ---------------------------------------
If, on the other hand, the test subject uses UDP, using the proxy is
essential and results in the following packet flow:
test tool                            test subject
 |  ^                                 |  ^  ^
 |  |  2. TCP               1. UDP    |  |  |
 |  ----------udpproxy <---------------  |  |
 |              3. TCP    4. TCP         |  |
 ------------>        --------------------  |
                            5. UDP          |
                      -----------------------
< -------------------- >        < --------------- >
      test server                    test client
The udpproxy first tries to communicate to the test subject via TCP to
gain better packet tracking. It uses UDP as the fallback communication
method if TCP fails.
* Testing servers:
The c09-dns-query-r1.jar should not need the proxy at all, thus the
following example concerns only the zone transfer material.
Execute the following commands on the test server machine:
java -jar c09-dns-zonetransfer-r1.jar > testtool.out 2>&1
udpproxy.py
Run the test subject on the test client machine.
The packet flow during testing can be as follows:
                      7. TCP
     <-----------------------------------------
     |              1. TCP                    |
test tool -------------------------> test subject
 |  ^                                 |  ^  ^
 |  |  3. TCP               2. UDP    |  |  |
 |  ----------udpproxy <---------------  |  |
 |              4. TCP    5. TCP         |  |
 ------------>        --------------------  |
                            6. UDP          |
                      -----------------------
< -------------------- >        < --------------- >
      test server                    test client
Again, the udpproxy first tries to communicate to the test subject via
TCP. The subject can reply either via TCP or UDP, and if the reply
comes via UDP it is handled by the proxy.
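The UDP-to-TCP translation and the --duptimeout duplicate filter that both flows above rely on, modelled in Python as an added example (this is not the PROTOS udpproxy.py; the test tool's TCP side is replaced by a constructed stand-in, and the sample query is constructed here):

```python
import struct
import time
from typing import Callable, Optional

# Model of the UDP<->TCP translation udpproxy performs (added example, not the
# PROTOS udpproxy.py itself).  RFC 1035 section 4.2.2 puts a two-byte big-endian
# length before every DNS message carried over TCP; UDP carries the bare message.
# The proxy adds the prefix towards the test tool and strips it towards the subject.

MAX_TCP_MSG = 0xFFFF

def tcp_frame(msg: bytes) -> bytes:
    """Prefix a DNS message with the 16-bit length used on TCP."""
    if len(msg) > MAX_TCP_MSG:
        raise ValueError("DNS message too long for a TCP length prefix")
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream: bytes) -> tuple[list[bytes], bytes]:
    """Split a TCP byte stream into complete DNS messages; a trailing partial
    message is returned as leftover for the next read, never passed on truncated."""
    msgs: list[bytes] = []
    while len(stream) >= 2:
        (n,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + n:
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream

class DuplicateFilter:
    """Model of --duptimeout: drop a datagram identical to one seen within
    `window` seconds.  Otherwise a resolver retransmitting one query over UDP
    pulls a fresh test case from the tool per retry, blurring which case crashed it."""

    def __init__(self, window: float = 1.0,
                 clock: Callable[[], float] = time.monotonic):
        self.window = window
        self.clock = clock
        self._seen: dict[bytes, float] = {}

    def is_duplicate(self, datagram: bytes) -> bool:
        now = self.clock()
        # Expire old entries so the table does not grow with every test case.
        for key in [k for k, t in self._seen.items() if now - t > self.window]:
            del self._seen[key]
        if datagram in self._seen:
            return True
        self._seen[datagram] = now
        return False

def relay_udp_query(datagram: bytes, tcp_exchange: Callable[[bytes], bytes],
                    dedup: Optional[DuplicateFilter] = None) -> Optional[bytes]:
    """One proxied round trip: bare UDP datagram in, bare UDP datagram out.
    `tcp_exchange` stands in for the TCP connection to the test tool (framed
    request in, raw bytes out).  None means duplicate or no complete reply."""
    if dedup is not None and dedup.is_duplicate(datagram):
        return None
    replies, _leftover = tcp_unframe(tcp_exchange(tcp_frame(datagram)))
    return replies[0] if replies else None

def build_query(name: str, qid: int) -> bytes:
    """Constructed sample input: a minimal A/IN query for `name`, RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def simulated_tool(framed_request: bytes) -> bytes:
    """Constructed stand-in for the tool's TCP side: echo the query with QR set."""
    req = tcp_unframe(framed_request)[0][0]
    flags = struct.unpack("!H", req[2:4])[0] | 0x8000
    return tcp_frame(req[:2] + struct.pack("!H", flags) + req[4:])
```

A real proxy wraps relay_udp_query in a UDP recvfrom/sendto loop and a TCP socket to the test tool; the framing and duplicate handling shown here are where a proxy most often goes wrong.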
During preliminary testing, the NISCC Vulteam found various DNS
servers that only listen for incoming UDP connections, in violation of
RFC 1035. For testing these kinds of non-standard servers, the team
wrote a proxy program, which accompanies the PROTOS DNS test
material. The command tcpproxy.py --help displays the built-in help
for the available command line options:
-h --help Show this information
-l --listenport <port> TCP port to listen on [5353]
-t --targetport <port> UDP port of target [53]
-a --targetaddress <ip> IP address of target [127.0.0.1]
Run tcpproxy on the same computer that hosts the non-standard server,
and it will proxy the TCP messages sent by the DNS jar (to listenport)
to the server via UDP (to targetport).
Use of latest release (highest number) is recommended. Older
releases are provided for completeness and reproduction.
The error messages might be due to peculiarities or misconfigurations
of a certain subject, possible flaws in the subject or errors in the
test-case.
Test-tool error messages
Error | Explanation | Suggested actions
ERROR expected sequence number !seq value x, got y | The subject replies to a previous test-case | Re-run with instrumentation, try different delays
ERROR TCP socket read failure: Read timed out | Possible flaw in subject | Re-run with instrumentation, try different delays
ERROR Expected 0b0 (under <NOTIFY>) | Subject replies reserved (Microsoft hijacked) opcodes | No actions needed
ERROR Expected 0b0 (under <QUERY>) | Subject replies reserved (Microsoft hijacked) opcodes | No actions needed
ERROR Expected 0b0 (under <STATUS>) | Subject replies reserved (Microsoft hijacked) opcodes | No actions needed
unexpected data | The subject replies more data than the test-tool expects | No actions critically needed, replies could be inspected.
Although this test-suite only deals with a subset of the DNS protocol,
many of the implementations available for evaluation failed to perform
in a robust manner under the test. Some failures had information
security implications, and should be considered as
vulnerabilities. Therefore, this robustness test-material should be
adopted for the evaluation and development of DNS implementations.
We wish to express our gratitude to individual vendors who worked with
us to protect their customers. Last, but not least, we are grateful to
NISCC for their patient help,
advice and active role during the vulnerability process.
The most common sources for vulnerability information and exploits
were covered and cross checked for potential and already known
vulnerabilities in the implementations of the chosen protocol. Typical
sources for finding out about existing vulnerabilities are databases
and mailing-lists. Search-engines may also reveal information on past
vulnerabilities.
There is a plethora of prior DNS vulnerabilities. Some are referenced
below.
- "Multiple Vendor DNS Message Decompression Remote Denial of Service Vulnerability" [14]
- "Squid Proxy DNS Name Resolver Remote Denial Of Service Vulnerability" [15]
- "Cisco CNS Network Registrar DNS and DHCP Server Remote Denial of Service Vulnerabilities" [16]
- "Multiple Vendor DNS Response Flooding Denial Of Service Vulnerability" [17]
- "Sun Solaris in.named Remote Denial of Service Vulnerability" [18]
- "Symantec Client Firewall DNS Response Buffer Overflow Vulnerability" [19]
- "Microsoft ISA Server DNS Intrusion Filter Denial of Service Vulnerability" [20]
- "Smart IRC Daemon Remote Client DNS Buffer Overflow Vulnerability" [21]
- "Posadis DNS Request Question Section Denial Of Service Vulnerability" [22]
- "Hypermail CGI Mail Reverse DNS Lookup Buffer Overflow Vulnerability" [23]
- "Middleman net_dns() Frame Pointer Overwrite Vulnerability" [24]
- "PADL Software nss_ldap DNS Buffer Overflow Vulnerability" [25]
- "Sendmail DNS Map TXT Record Buffer Overflow Vulnerability" [26]
- "Multiple Vendor libc DNS Resolver Buffer Overflow Vulnerability" [27]
- "Ethereal DNS Dissector Infinite Loop Denial of Service Vulnerability" [28]
- "Bradford Barrett Webalizer Reverse DNS Buffer Overflow Vulnerability" [29]
- "Posadis DNS Server Logging Format String Vulnerability" [30]
- "Squid Compressed DNS Buffer Overflow Vulnerability" [31]
- "Apple MacOS 9 Classic Reverse DNS Lookup DoS Vulnerability" [32]
- "DNRD DNS Request/Reply Denial Of Service Vulnerability" [33]
- "Avaya Argent Office Malformed DNS Packet Denial of Service Vulnerability" [34]
- "Multiple IRCd DNS Denial of Service Vulnerability" [35]
- "BitchX DNS Buffer Overflow Vulnerability" [36]
- "AntiSniff DNS Overflow Vulnerability" [37]
- "Microsoft Windows 2000 DNS Memory Leak Vulnerability" [38]
- "Multiple Sniffer Vendor DNS Decode Vulnerability" [39]
- "Windows NT DNS Resolution Remote Buffer Overflow Vulnerability" [40]
ISC Bind, being the original and oldest DNS implementation, has a long
history of vulnerabilities [41]. The Common
Vulnerabilities and Exposures project has an exhaustive list on DNS
vulnerabilities [42].
During the prerelease phase all verified vulnerabilities were reported
to the respective vendors. The vulnerability reports were tracked by
NISCC in the role of independent coordinator and advisor. An attempt
was made to seek a channel to distribute the test material to vendors
whose products we were not able to obtain for testing.
Vendor statements or security advisories issued in order to address
the vulnerabilities uncovered by this test-suite are collected.
Advisories that we are aware of are listed herein:
[1] "PROTOS - Security Testing of Protocol Implementations". University of Oulu. http://www.ee.oulu.fi/research/ouspg/protos.
[2] P. Mockapetris. (1987). "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION". IETF. http://www.ietf.org/rfc/rfc1035.txt.
[3] D. Eastlake 3rd, E. Brunner-Williams, B. Manning. (2000). "Domain Name System (DNS) IANA Considerations". IETF. http://www.ietf.org/rfc/rfc2929.txt.
[4] P. Vixie, S. Thomson, Y. Rekhter, J. Bound. (2000). "Dynamic Updates in the Domain Name System (DNS UPDATE)". IETF. http://www.ietf.org/rfc/rfc2136.txt.
[5] P. Vixie. (1999). "Extension Mechanisms for DNS (EDNS0)". IETF. http://www.ietf.org/rfc/rfc2671.txt.
[6] B. Wellington. (2000). "Secure Domain Name System (DNS) Dynamic Update". IETF. http://www.ietf.org/rfc/rfc3007.txt.
[7] P. Vixie, O. Gudmundsson, D. Eastlake 3rd, B. Wellington. (2000). "Secret Key Transaction Authentication for DNS (TSIG)". IETF. http://www.ietf.org/rfc/rfc2845.txt.
[8] D. Eastlake 3rd, C. Kaufman. (1997). "Domain Name System Security Extensions". IETF. http://www.ietf.org/rfc/rfc2065.txt.
[9] M. Crawford, C. Huitema. (2000). "DNS Extensions to Support IPv6 Address Aggregation and Renumbering". IETF. http://www.ietf.org/rfc/rfc2874.txt.
[10] D. Eastlake. (1999). "Domain Name System Security Extensions". IETF. http://www.ietf.org/rfc/rfc2535.txt.
[11] D. Eastlake. (2000). "DNS Request and Transaction Signatures ( SIG(0)s )". IETF. http://www.ietf.org/rfc/rfc2931.txt.
[12] A. Salamon. (2005). "DNS Resources Directory". http://www.dns.net/dnsrd/.
[13] R. Arends, J. Schlyter. (2004). "fpdns - Fingerprinting DNS servers". http://www.rfc.se/fpdns/.
[14] Dr. Steve Beaty. (2005). "Multiple Vendor DNS Message Decompression Remote Denial of Service Vulnerability". Securityfocus. http://www.securityfocus.com/bid/13729.
[15] Squid. (2005). "Squid Proxy DNS Name Resolver Remote Denial Of Service Vulnerability". Securityfocus. http://www.securityfocus.com/bid/12551.
[16] Cisco. (2004). "Cisco CNS Network Registrar DNS and DHCP Server Remote Denial of Service Vulnerabilities". Securityfocus. http://www.securityfocus.com/bid/11793.
[17] Roy Arends and Jakob Schlyter. (2004). "Multiple Vendor DNS Response Flooding Denial Of Service Vulnerability". Securityfocus. http://www.securityfocus.com/bid/11642.
[18] Sun. (2004). "Sun Solaris in.named Remote Denial of Service Vulnerability". Securityfocus. http://www.securityfocus.com/bid/11118.
[19] eEye. (2004). "Symantec Client Firewall DNS Response Buffer Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/10334.
[20] Mike Fratto. (2003). "Microsoft ISA Server DNS Intrusion Filter Denial of Service Vulnerability". Securityfocus. http://www.securityfocus.com/bid/7145.
[21] Knud Erik Højgaard. (2003). "Smart IRC Daemon Remote Client DNS Buffer Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/6924.
[22] Posadis. (2003). "Posadis DNS Request Question Section Denial Of Service Vulnerability". Securityfocus. http://www.securityfocus.com/bid/6799.
[23] Ulf Harnhammar. (2003). "Hypermail CGI Mail Reverse DNS Lookup Buffer Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/6690.
[24] qitest1@bespin.org. (2003). "Middleman net_dns() Frame Pointer Overwrite Vulnerability". Securityfocus. http://www.securityfocus.com/bid/6584.
[25] PADL Software. (2002). "PADL Software nss_ldap DNS Buffer Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/6129.
[26] Joost Pol and Anton Rang. (2002). "Sendmail DNS Map TXT Record Buffer Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/5122.
[27] Joost Pol. (2002). "Multiple Vendor libc DNS Resolver Buffer Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/5100.
[28] Ethereal. (2002). "Ethereal DNS Dissector Infinite Loop Denial of Service Vulnerability". Securityfocus. http://www.securityfocus.com/bid/4807.
[29] spybreak@host.sk. (2002). "Bradford Barrett Webalizer Reverse DNS Buffer Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/4504.
[30] kkr@dekode.org. (2002). "Posadis DNS Server Logging Format String Vulnerability". Securityfocus. http://www.securityfocus.com/bid/4378.
[31] zen-parse@gmx.net. (2002). "Squid Compressed DNS Buffer Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/4363.
[32] Jason Linhart. (2002). "Apple MacOS 9 Classic Reverse DNS Lookup DoS Vulnerability". Securityfocus. http://www.securityfocus.com/bid/4151.
[33] Andrew Griffits. (2002). "DNRD DNS Request/Reply Denial Of Service Vulnerability". Securityfocus. http://www.securityfocus.com/bid/3928.
[34] Jacek Lipkowski. (2001). "Avaya Argent Office Malformed DNS Packet Denial of Service Vulnerability". Securityfocus. http://www.securityfocus.com/bid/8976.
[35] David Luyer. (2000). "Multiple IRCd DNS Denial of Service Vulnerability". Securityfocus. http://www.securityfocus.com/bid/2086.
[36] nimrood@onebox.com. (2000). "BitchX DNS Buffer Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/2087.
[37] Hugo Breton. (2000). "AntiSniff DNS Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/1207.
[38] Microsoft. (2000). "Microsoft Windows 2000 DNS Memory Leak Vulnerability". Securityfocus. http://www.securityfocus.com/bid/2007.
[39] scut@nb.in-berlin.de and Hugo Breton. (1999). "Multiple Sniffer Vendor DNS Decode Vulnerability". Securityfocus. http://www.securityfocus.com/bid/1165.
[40] unknown. (1999). "Windows NT DNS Resolution Remote Buffer Overflow Vulnerability". Securityfocus. http://www.securityfocus.com/bid/6898.
[41] ISC. (2005). "BIND Vulnerabilities". ISC. http://www.isc.org/index.pl?/sw/bind/bind-security.php.
[42] ISC. (2005). "CVE database search results on DNS". ISC. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dns.
A survey of other existing test-suites related to DNS was conducted.
- http://www.codenomicon.com/products/internet/dns/ - "Codenomicon DNS Test Tool helps proactively eliminate security flaws in DNS implementations."
- http://wiki.ethereal.com/SampleCaptures#head-c9783b0549c8c653d43b4837d148167f805581a9 - Packet capture files containing DNS messages with malformed compression.