DNS attack surface analysis
2022-06-13 00:34:00 【P1n9】
Preface
DNS (Domain Name Server) is the server that converts a domain name (domainname) into its corresponding IP address. A DNS server keeps a table of domain names and their IP addresses so that the domain name in a message can be resolved. A domain name is the name of a computer or group of computers on the Internet, used to identify the computer's electronic location during data transmission (sometimes it also indicates a geographic location). A domain name is a string of labels separated by dots; it usually contains the name of the organization and always ends in a two- or three-letter suffix that indicates the type of organization, or the country or region, of the domain.
DNS is the abbreviation of Domain Name System (or Domain Name Service). It consists of a resolver and name servers. A name server stores the domain names and IP addresses of all hosts in the network and has the function of converting a domain name to an IP address. A domain name must correspond to an IP address; one IP address may have several domain names, and an IP address does not have to have a domain name at all. The domain name system uses a hierarchical structure similar to a directory tree. A name server is usually the server side in the client/server model and comes in two main forms: the master server and the forwarding server. The process of mapping a domain name to an IP address is called "domain name resolution".
Why this write-up?
After CVE-2020-1350 was disclosed in 2020, many people went looking for vulnerabilities in DNS servers and a number of new ones were found. Since I did some research on this during my internship, I want to summarize the DNS vulnerabilities here. A PoC for a given vulnerability may or may not be available online, but because the DNS protocol itself is simple, constructing a PoC from the vulnerability description is not hard.
DNS attack surface
DNS Query/Response
DNS resolution is divided into recursive queries and iterative queries. A recursive query is centered on the local name server and is the default; an iterative query is centered on the DNS client, that is, the client machine. In practice, the exchange between the DNS client and the local name server is recursive, while the exchanges between the local name server and other name servers are iterative.
Zone Transfer/DNS Notify
When a new DNS server is added to a zone and configured as a secondary (slave) DNS server, it performs a full zone transfer to obtain a complete copy of the resource records from the primary DNS server. To keep the data synchronized, the primary name server also notifies the secondary name servers whenever it is updated so that they refresh in time (incremental zone transfer).
Dynamic Update
Allows an authorized updater to dynamically add or delete resource records in the zone data of an authoritative DNS server.
The following table is taken from DNS security practices.
Attack surface reference: Secure Domain Name System (DNS) Deployment Guide
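To make the three surfaces above concrete, here is an added example (not from the original post, and not code from any real DNS server) that sorts incoming DNS messages by the surface they touch, using only the header opcode and the first question type: opcode QUERY with an ordinary question type is query/response, an AXFR or IXFR question or opcode NOTIFY is zone transfer, and opcode UPDATE is dynamic update. The enum names, function names and sample messages are constructed for this example; the opcode and type numbers are the standard ones from the DNS RFCs. It also shows the kind of length check that a message parser needs before touching the question name at all.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Which of the three surfaces described above a DNS message touches.
 * Constructed for this example; the names are not from any real DNS server. */
enum dns_surface {
    DNS_SURFACE_MALFORMED = 0,   /* too short, or question name runs off the end */
    DNS_SURFACE_QUERY_RESPONSE,  /* opcode QUERY with an ordinary question type */
    DNS_SURFACE_ZONE_TRANSFER,   /* AXFR/IXFR question, or opcode NOTIFY */
    DNS_SURFACE_DYNAMIC_UPDATE,  /* opcode UPDATE (RFC 2136) */
    DNS_SURFACE_OTHER            /* any other opcode */
};

#define DNS_HEADER_LEN   12
#define DNS_OPCODE_QUERY  0
#define DNS_OPCODE_NOTIFY 4
#define DNS_OPCODE_UPDATE 5
#define DNS_QTYPE_IXFR  251
#define DNS_QTYPE_AXFR  252

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Walk past the first question's QNAME, checking every label against the
 * message length. Returns the offset of QTYPE, or -1 if the name is truncated.
 * A compression pointer cannot legitimately appear in the first name of a
 * message (there is nothing earlier to point at), so it is treated as malformed. */
static long skip_qname(const uint8_t *msg, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = msg[off];
        if (l == 0) return (long)(off + 1);
        if (l & 0xC0) return -1;
        off += 1u + l;
    }
    return -1;
}

enum dns_surface classify_dns_message(const uint8_t *msg, size_t len) {
    if (len < DNS_HEADER_LEN) return DNS_SURFACE_MALFORMED;
    uint8_t opcode = (uint8_t)((msg[2] >> 3) & 0x0F);   /* bits 1-4 of the flags byte */
    uint16_t qdcount = rd16(msg + 4);
    switch (opcode) {
    case DNS_OPCODE_UPDATE: return DNS_SURFACE_DYNAMIC_UPDATE;
    case DNS_OPCODE_NOTIFY: return DNS_SURFACE_ZONE_TRANSFER;
    case DNS_OPCODE_QUERY: {
        if (qdcount == 0) return DNS_SURFACE_QUERY_RESPONSE;
        long qt = skip_qname(msg, len, DNS_HEADER_LEN);
        if (qt < 0 || (size_t)qt + 4 > len) return DNS_SURFACE_MALFORMED;
        uint16_t qtype = rd16(msg + qt);
        if (qtype == DNS_QTYPE_AXFR || qtype == DNS_QTYPE_IXFR)
            return DNS_SURFACE_ZONE_TRANSFER;
        return DNS_SURFACE_QUERY_RESPONSE;
    }
    default: return DNS_SURFACE_OTHER;
    }
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t sample_axfr[] = {           /* AXFR question for example.com */
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0xFC, 0x00,0x01 };
static const uint8_t sample_a_query[] = {        /* A query for example.com */
    0x12,0x35, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
static const uint8_t sample_update[] = {         /* opcode 5, zone section only */
    0x12,0x36, 0x28,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x06, 0x00,0x01 };
static const uint8_t sample_notify[] = {         /* opcode 4 with AA set */
    0x12,0x37, 0x24,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x06, 0x00,0x01 };
static const uint8_t sample_truncated[] = {      /* label claims 16 bytes, has 1 */
    0x12,0x38, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x10,'a' };

int main(void) {
    static const char *names[] = { "malformed", "query/response",
                                   "zone transfer/notify", "dynamic update", "other" };
    printf("axfr      -> %s\n", names[classify_dns_message(sample_axfr, sizeof sample_axfr)]);
    printf("A query   -> %s\n", names[classify_dns_message(sample_a_query, sizeof sample_a_query)]);
    printf("update    -> %s\n", names[classify_dns_message(sample_update, sizeof sample_update)]);
    printf("notify    -> %s\n", names[classify_dns_message(sample_notify, sizeof sample_notify)]);
    printf("truncated -> %s\n", names[classify_dns_message(sample_truncated, sizeof sample_truncated)]);
    return 0;
}
```

The classification is deliberately conservative: a QUERY whose question name is cut off by the end of the datagram is reported as malformed rather than guessed at, which is the same decision a server parser has to make before it reads the type field that follows the name.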
Vulnerability profiles
DNS Query/Response
CVE-2020-1350
The flaw is in SigWireread. This function handles the SIG records returned in responses to queries the server sends to other name servers. An exploit for this vulnerability has been published online; I have analyzed it (link here).
CVE-2020-1228/0836
Two memory leaks in iterative queries: after a response message is received, some variables are not released.
CVE-2021-24078
When a response is received from a name server, message type 0xf0f0 is used to store it, but this type is the one the DNS server uses internally and is handled by different processing code, causing confusion.
DNS Dynamic Update
CVE-2021-26877
TxtFileWrite writes to the zone file during a dynamic update.
CVE-2021-26897
SigFileWrite receives SIG record updates; the buffer handling does not account for overflow.
CVE-2021-26893
Integer underflow in KEY record dynamic updates when the length is less than 4 bytes.
CVE-2021-26894
Integer underflow during an ATMA record update.
CVE-2021-26895
Integer underflow during an AAAA record update.
CVE-2021-26896
A similar overflow can also occur in the WKS record.
CVE-2021-xxxxx
Nsec3FileWrite, CVE number unknown, may overflow by one byte.
CVE-2021-xxxxx
Name_WriteCountNameToBufferAsDottedName converts a DNS-encoded domain name into a dotted string; the memcpy has no bounds check.
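The two recurring bug shapes in this section are a name decoder whose memcpy is not checked against the message or output buffer, and RDATA length arithmetic that underflows when a record is shorter than its fixed prefix (the KEY case with length less than 4, and the AAAA/ATMA/WKS cases). Here is an added example, written for this page and not code from the Windows DNS server or from the author, of the same two operations done with the checks in place: a wire-format name decoder that validates every label and compression pointer before copying, and a minimum-length check per record type that turns the underflow into an error value. The function names and sample bytes are constructed; the RDATA prefix sizes are the ones defined in the record formats (KEY and SIG in RFC 2535, AAAA in RFC 3596, WKS in RFC 1035).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_NAME  255   /* RFC 1035 limit on a wire-format name */
#define DNS_MAX_LABEL  63
#define TYPE_WKS   11
#define TYPE_SIG   24
#define TYPE_KEY   25
#define TYPE_AAAA  28

/* Decode the wire-format name at msg[off] into a dotted string.
 * Returns the string length, or -1 for any malformed input: a label that runs
 * past the message, a label longer than 63, a compression pointer that points
 * forward (possible loop) or past the message, or an output buffer too small.
 * Every memcpy is preceded by a check against both the input and the output. */
int decode_name(const uint8_t *msg, size_t len, size_t off,
                char *out, size_t outlen) {
    size_t o = 0;
    int hops = 0;
    if (outlen == 0) return -1;
    for (;;) {
        if (off >= len) return -1;
        uint8_t l = msg[off];
        if ((l & 0xC0) == 0xC0) {                 /* compression pointer */
            if (off + 1 >= len) return -1;
            size_t target = (size_t)((l & 0x3F) << 8) | msg[off + 1];
            if (target >= off) return -1;          /* only backward pointers: no loops */
            if (++hops > 16) return -1;            /* defensive hop limit */
            off = target;
            continue;
        }
        if (l & 0xC0) return -1;                   /* reserved label types */
        if (l == 0) break;                         /* root label ends the name */
        if (l > DNS_MAX_LABEL) return -1;
        if (off + 1 + l > len) return -1;          /* label bytes past the message */
        size_t need = o + (o ? 1 : 0) + l + 1;     /* dot, label, terminating NUL */
        if (need > outlen) return -1;              /* would overflow the output */
        if (o > 0) out[o++] = '.';
        memcpy(out + o, msg + off + 1, l);
        o += l;
        off += 1 + l;
    }
    out[o] = '\0';
    return (int)o;
}

/* 1 if the name at off decodes exactly to expected, else 0. */
int name_decodes_to(const uint8_t *msg, size_t len, size_t off, const char *expected) {
    char buf[DNS_MAX_NAME + 1];
    int n = decode_name(msg, len, off, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Fixed prefix that must precede the variable part of each RDATA format:
 * KEY flags+protocol+algorithm = 4 bytes, SIG 18 bytes before the signer name,
 * AAAA exactly 16, WKS address+protocol = 5 bytes before the bit map.
 * Returns 1 if rdlen is plausible for the type. */
int rdata_length_ok(uint16_t rtype, uint16_t rdlen) {
    switch (rtype) {
    case TYPE_KEY:  return rdlen >= 4;
    case TYPE_SIG:  return rdlen >= 18;
    case TYPE_AAAA: return rdlen == 16;
    case TYPE_WKS:  return rdlen >= 5;
    default:        return 1;                      /* no fixed minimum enforced here */
    }
}

/* Length of the key material in a KEY record. Computing rdlen - 4 directly
 * underflows for rdlen < 4; validating first turns that into an error value. */
long key_material_len(uint16_t rdlen) {
    return rdata_length_ok(TYPE_KEY, rdlen) ? (long)rdlen - 4 : -1;
}

/* Constructed sample: "www.example.com", then "ftp" + pointer to offset 4. */
static const uint8_t sample_msg[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    3,'f','t','p', 0xC0,0x04 };
static const uint8_t sample_bad_len[] = { 0x10,'a' };     /* claims 16 bytes, has 1 */
static const uint8_t sample_loop[]    = { 0xC0,0x00 };    /* pointer to itself */

int main(void) {
    char buf[DNS_MAX_NAME + 1], small[8];
    printf("name@0:  %d %s\n", decode_name(sample_msg, sizeof sample_msg, 0, buf, sizeof buf), buf);
    printf("name@17: %d %s\n", decode_name(sample_msg, sizeof sample_msg, 17, buf, sizeof buf), buf);
    printf("bad len: %d\n", decode_name(sample_bad_len, sizeof sample_bad_len, 0, buf, sizeof buf));
    printf("loop:    %d\n", decode_name(sample_loop, sizeof sample_loop, 0, buf, sizeof buf));
    printf("8-byte out: %d\n", decode_name(sample_msg, sizeof sample_msg, 0, small, sizeof small));
    printf("KEY rdlen 2 -> %ld, rdlen 36 -> %ld\n", key_material_len(2), key_material_len(36));
    return 0;
}
```

The backward-pointer rule does double duty: it rejects pointer loops without a visited set, and it rejects pointers into bytes the parser has not yet validated. The length check is applied per record type before any subtraction, which is the property the underflow CVEs above lack.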
DNS management-side vulnerabilities
These are CVE-2021-33749, CVE-2021-33750, CVE-2021-33752 and CVE-2021-33756:
KeyFlatWrite: reading a KEY record on the management side causes an overflow.
NxtFlatWrite: likewise, the buffer is not checked.
WKSFlatWrite: the buffer is not checked either.
SigFlatWrite: no limit on the record length.