styxyang / dnsmasq-chinadns

A patched version of dnsmasq which filters out some spurious IP
GNU General Public License v2.0
119 stars, 27 forks

Cannot detect the empty-reply pollution used in DNS hijacking #10

Closed · aa65535 closed this 10 years ago

aa65535 commented 10 years ago

On empty-reply pollution: http://www.lifetyper.com/2014/07/the-bogus-empty-response-from-dns-hijack-of-gfw.html

This problem mainly shows up with domestic (Chinese) DNS servers; query results:

$ dig scontent-a.cdninstagram.com @114.114.114.114

; <<>> DiG 9.10-P2 <<>> scontent-a.cdninstagram.com @114.114.114.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26312
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;scontent-a.cdninstagram.com.   IN      A

;; AUTHORITY SECTION:
cdninstagram.com.       30      IN      NS      b.ns.igcdn.com.
cdninstagram.com.       30      IN      NS      a.ns.igcdn.com.

;; ADDITIONAL SECTION:
a.ns.igcdn.com.         30      IN      A       69.171.239.11
b.ns.igcdn.com.         30      IN      A       69.171.255.11

;; Query time: 12 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Fri Aug 01 12:32:53 2014
;; MSG SIZE  rcvd: 129

$ dig scontent-a.cdninstagram.com @202.96.96.68

; <<>> DiG 9.10-P2 <<>> scontent-a.cdninstagram.com @202.96.96.68
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46616
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;scontent-a.cdninstagram.com.   IN      A

;; Query time: 6 msec
;; SERVER: 202.96.96.68#53(202.96.96.68)
;; WHEN: Fri Aug 01 12:35:25 2014
;; MSG SIZE  rcvd: 56

With Google DNS an A record is returned:

$ dig scontent-a.cdninstagram.com @8.8.4.4

; <<>> DiG 9.10-P2 <<>> scontent-a.cdninstagram.com @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43137
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;scontent-a.cdninstagram.com.   IN      A

;; ANSWER SECTION:
scontent-a.cdninstagram.com. 41 IN      A       31.13.79.10

;; Query time: 163 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Fri Aug 01 12:43:24 2014
;; MSG SIZE  rcvd: 72

ChinaDNS-C can handle this problem; you may want to take a look at it.

styxyang commented 10 years ago

My query results differ slightly from yours: here the query fails outright instead of returning NOERROR as that blog post describes.

› dig scontent-a.cdninstagram.com @114.114.114.114

; <<>> DiG 9.8.3-P1 <<>> scontent-a.cdninstagram.com @114.114.114.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51915
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;scontent-a.cdninstagram.com.   IN      A

;; Query time: 54 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Fri Aug  1 15:01:06 2014
;; MSG SIZE  rcvd: 45

Also, for 202.96.96.68 everything I query comes back REFUSED.

› dig scontent-a.cdninstagram.com @202.96.96.68

; <<>> DiG 9.8.3-P1 <<>> scontent-a.cdninstagram.com @202.96.96.68
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 3564
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;scontent-a.cdninstagram.com.   IN      A

;; Query time: 26 msec
;; SERVER: 202.96.96.68#53(202.96.96.68)
;; WHEN: Fri Aug  1 15:04:24 2014
;; MSG SIZE  rcvd: 45

Actually, on my side, apart from 8.8.8.8 and v2ex's 178.79.131.110, which do return an IP for scontent-a.cdninstagram.com, every other DNS server, whether 114 or the education network, returns SERVFAIL; I don't seem to have run into the modified-RD-bit problem the blog describes.

Still, I added some code: when a request is received, the RD bit is added to the flags, and when the server's reply comes back, the reply's RD bit is compared with the request's RD bit; if they differ, the query is retried.

Try the new commit and see whether it solves the problem, since I can't reproduce it here for now. When this situation is detected, I print a message in the log.
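
The RD-bit comparison described in the comment above, as an added stand-alone example in Python (this is not dnsmasq-chinadns's own code, which does the check inside dnsmasq's packet handling). It builds a query with RD set, parses the 12-byte DNS header of a reply, and reports a mismatch when the reply's RD bit differs from the query's, which is exactly the "flags: qr ra" empty reply quoted at the top of the thread. The query id and the answer 31.13.79.10 are taken from the dig output in the thread; the reply packets themselves are constructed here for the example, not captured. A mismatch only says the reply is inconsistent and should be discarded and retried, as the patch does; it does not identify who sent it.

```python
# Added example (not code from dnsmasq-chinadns): parse the DNS header of a
# query and a reply and flag a reply whose RD bit does not match the query's,
# the "empty reply" pattern from the thread (flags "qr ra", no "rd").
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_qname(name):
    """Encode a dotted hostname as DNS labels (no name compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, txid, rd=True):
    """Build a minimal A query; RD (bit 8 of the flags word) is set by default."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(msg):
    """Split the 12-byte DNS header into its fields (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def check_reply(query, reply):
    """Return 'ok' if the reply is consistent with the query, else the reason."""
    q = parse_header(query)
    r = parse_header(reply)
    if r["id"] != q["id"]:
        return "id-mismatch"
    if not r["qr"]:
        return "not-a-reply"
    if r["rd"] != q["rd"]:
        # A real resolver copies RD from the query; a forged empty reply that
        # drops it is what the patch discards and retries on.
        return "rd-mismatch"
    return "ok"


def make_reply(query, rd, ra, rcode=0, answer_ip=None):
    """Construct a reply to `query` for testing; QR is always set."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0100 if rd else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    body = query[12:]  # echo the question section back
    if answer_ip:
        # name pointer to offset 12, type A, class IN, TTL 41, RDLENGTH 4
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 41, 4)
        body += bytes(int(octet) for octet in answer_ip.split("."))
    return header + body


# Constructed samples (not real captures): the query id and the answer
# 31.13.79.10 mirror the dig output quoted in the thread.
QUERY = build_query("scontent-a.cdninstagram.com", 26312)
# "qr ra", NOERROR, ANSWER: 0 -- RD cleared, like the first reply in the thread
BOGUS_EMPTY = make_reply(QUERY, rd=False, ra=True)
# "qr rd ra", NOERROR, ANSWER: 1 -- a consistent reply carrying the A record
GOOD_REPLY = make_reply(QUERY, rd=True, ra=True, answer_ip="31.13.79.10")

if __name__ == "__main__":
    for label, pkt in (("bogus", BOGUS_EMPTY), ("good", GOOD_REPLY)):
        print(label, check_reply(QUERY, pkt), parse_header(pkt))
```

Running the block prints `rd-mismatch` for the constructed empty reply and `ok` for the one carrying the A record. The id check is included because a retry loop that ignores the transaction id would accept any stray reply; in the thread the bogus reply keeps the right id and only the RD bit gives it away.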

aa65535 commented 10 years ago

@styx-hy Probably a regional difference; my network is Hangzhou Telecom, and 202.96.96.68 is Hangzhou Telecom's DNS. I'll compile and test it later and reply with the results.

aa65535 commented 10 years ago

The query results are normal now:

$ dig scontent-a.cdninstagram.com

; <<>> DiG 9.10-P2 <<>> scontent-a.cdninstagram.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59948
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;scontent-a.cdninstagram.com.   IN      A

;; ANSWER SECTION:
scontent-a.cdninstagram.com. 6  IN      A       31.13.79.10

;; Query time: 5 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Fri Aug 01 16:07:21 2014
;; MSG SIZE  rcvd: 72

styxyang commented 10 years ago

Does the log contain a message like flags: 512, hb3_rd: 1?

aa65535 commented 10 years ago

@styx-hy Yes, it is in the log:

Aug 1 16:06:46 PandoraBox daemon.warn dnsmasq[26916]: flags: 512, hb3_rd: 0

styxyang commented 10 years ago

OK, so that means the request had recursion desired set, but the corresponding bit in the reply was cleared to 0. Consider it solved then~

aa65535 commented 10 years ago

@styx-hy No problems at the moment; this situation is fairly rare anyway.