Closed daniel4x closed 2 years ago
This issue appears to have been assigned a CVE, CVE-2022-22846.
Thanks - as you note client.py is for testing but should clearly check TXIDs. I've also added a note in the README to ensure that TXID is validated. I've updated and released a new version on PyPi.
The CVE seems a bit ridiculous - sounds like someone just generating random CVEs to look good on a resume (it isn't actually accurate as it is not a library function - dnslib just parses the packets)
Hi,
dnslib client does not validate the DNS transaction ID (TXID) as specified in the RFC. This is considered an implementation bug. Attackers can use this to redirect users to their malicious name servers. I know the client was created for testing, but other projects using dnslib as a dependency might be affected as well.
I suggest adding a simple validation:
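For reference, the kind of check the report is asking for, as an added example that is neither dnslib's client.py nor the issue author's proposed patch. It uses only the standard library: the 16-bit ID in header bytes 0-1 of the reply must equal the ID the client sent, the QR bit must be set, and the question section must echo the query; `build_query`, `validate_reply` and the `make_reply` test fixture are names introduced here.

```python
"""
Added example (not dnslib code, not the reporter's patch): a stand-alone
TXID check for a UDP DNS client. A reply is accepted only if its TXID
matches the query we sent, its QR bit is set, and it echoes our question.
"""
import os
import struct


def build_query(qname, txid=None, qtype=1):
    """Build a minimal DNS query; TXID comes from os.urandom unless given."""
    if txid is None:
        txid = struct.unpack(">H", os.urandom(2))[0]  # CSPRNG, not random.randint
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN


def txid_of(packet):
    """Return the 16-bit transaction ID from a DNS header."""
    return struct.unpack(">H", packet[:2])[0]


def validate_reply(query, reply):
    """True only if reply is a response to exactly this query."""
    if len(reply) < 12:
        return False                      # truncated header
    r_id, r_flags, r_qdcount = struct.unpack(">HHH", reply[:6])
    if r_id != txid_of(query):
        return False                      # TXID mismatch: not our answer, drop it
    if not r_flags & 0x8000:
        return False                      # QR bit clear: a query, not a response
    if r_qdcount != 1:
        return False
    question = query[12:]
    if reply[12:12 + len(question)] != question:
        return False                      # question section does not echo ours
    return True


def make_reply(query, txid):
    """Constructed test fixture: a response echoing the question with a chosen TXID."""
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 0, 0, 0) + query[12:]
```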