paulc / dnslib

A Python library to encode/decode DNS wire-format packets
https://github.com/paulc/dnslib
BSD 2-Clause "Simplified" License

Client does not validate DNS transaction id #30

Closed daniel4x closed 2 years ago

daniel4x commented 2 years ago

Hi,

dnslib client does not validate DNS transaction id (TXID) as specified in the RFC. This is considered an implementation bug. Attackers can use this to redirect users to their malicious name servers. I know the client was created for testing, but other projects using dnslib as a dependency might be affected as well.

I suggest adding a simple validation:

```python
#... request code
a_pkt = q.send(address,port,tcp=args.tcp)
a = DNSRecord.parse(a_pkt)

if q.header.id != a.header.id:
    raise DNSError('Response transaction id does not match query transaction id')
```

carnil commented 2 years ago

This issue appears to have been assigned a CVE, CVE-2022-22846.

paulc commented 2 years ago

Thanks - as you note client.py is for testing but should clearly check TXIDs. I've also added a note in the README to ensure that TXID is validated. I've updated and released a new version on PyPI.

The CVE seems a bit ridiculous - sounds like someone just generating random CVEs to look good on a resume (it isn't actually accurate as it is not a library function - dnslib just parses the packets).
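
An added example, not part of the issue thread or of dnslib's code, that extends the TXID check suggested above using only the standard library: it also compares the echoed question and the sender address, and it skips non-matching datagrams instead of raising on the first one. The function names, sample packets and addresses are constructed for illustration.

```python
import struct

def build_query(name, txid, qtype=1):
    """Encode a one-question query (used here to construct sample packets)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def question(pkt):
    """Return (qname, qtype, qclass) of the first question; names compare case-insensitively."""
    pos = 12  # the question section starts right after the 12-byte header
    while pkt[pos] != 0:
        if pkt[pos] & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        pos += 1 + pkt[pos]
    qtype, qclass = struct.unpack("!HH", pkt[pos + 1:pos + 5])
    return pkt[12:pos + 1].lower(), qtype, qclass

def response_matches(query, response):
    """True only if the response echoes the query's TXID and question and has QR=1."""
    try:
        (q_id,) = struct.unpack("!H", query[:2])
        r_id, r_flags, r_qdcount = struct.unpack("!HHH", response[:6])
        return (r_id == q_id and bool(r_flags & 0x8000) and r_qdcount == 1
                and question(response) == question(query))
    except (IndexError, struct.error, ValueError):
        return False  # truncated or malformed packets never match

def first_valid(query, datagrams, server):
    """Pick the first datagram from `server` that matches; skip the rest instead of failing."""
    for payload, addr in datagrams:
        if addr == server and response_matches(query, payload):
            return payload
    return None

# Constructed sample data: one genuine reply and two forgeries.
SERVER = ("192.0.2.53", 53)
QUERY = build_query("example.com", 0x1234)
GOOD = struct.pack("!HH", 0x1234, 0x8180) + QUERY[4:]
BAD_TXID = struct.pack("!HH", 0x9999, 0x8180) + QUERY[4:]
BAD_QNAME = struct.pack("!HH", 0x1234, 0x8180) + build_query("other.example", 0)[4:]

if __name__ == "__main__":
    inbox = [(BAD_TXID, SERVER), (GOOD, ("198.51.100.7", 53)), (BAD_QNAME, SERVER), (GOOD, SERVER)]
    print(first_valid(QUERY, inbox, SERVER) == GOOD)
```

In a real UDP client the `datagrams` iterable would be fed by `recvfrom()` calls bounded by a single overall deadline, so a stream of forged packets cannot extend the wait.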