hdhoang/homes - Change RNLO56WNAMBEJ4BWFTERQJJKWOQJCNM4VZR4HDXOL2GQRBZMLWVQC

push through

Created by hdhoang on January 18, 2023

RNLO56WNAMBEJ4BWFTERQJJKWOQJCNM4VZR4HDXOL2GQRBZMLWVQC

Dependencies

In channels

main

Change contents

Replacement in wrong-dns/src/main.rs at line 41 [4.72]

B:BD[3.377] → [3.377:424]

                println!("server ignored us!")

[3.377]

[3.424]

                println!("server ignored us, perhaps: {e:?}");

Insertion in wrong-dns/README.md at line 2 [5.1]

[5.39]


we run a recursive resolver for historical reason. these recent months, we started seeing messages like this in unbound.log, with different names:

Replacement in wrong-dns/README.md at line 5 [5.1]

B:BD[5.41] → [2.4:214]

There is a defect-attractor in DNS-packet construction. When people writes `.`-ending in a DNS name in config (eg in order to avoid search-suffix behaviour), some software will construct an invalid DNS query:

[5.41]

[5.263]

```text
info: resolving cctv-api.cdn20.com.cd23f.com. TYPE0 CLASS256
info: resolving cctv-api.cdn20.com.chnc.cloudcsp.com. TYPE0 CLASS256
info: resolving cctv-api.wswebpic.com.chnc.cloudcsp.com. TYPE0 CLASS256
info: resolving overseatest.livehttp.speedcdns.com. TYPE0 CLASS256
info: resolving wangsu-1.ttyuyin.com.cdn20.com. TYPE0 CLASS256
info: resolving wangsu-3.ttyuyin.com.cdn20.com. TYPE0 CLASS256
```
afaik we have no relationship with such infrastructure (CCTV in some Chinese cloud?). we blocked the most queried labels, and move on to other things. however i have a nagging question: what is that?
i still have no details about the chinese parties, but after some searching & reproduction, i think there is a defect-attractor in DNS-packet construction. in order to avoid search-suffix behaviour, people write `.`-ending names in config, and some software will construct an invalid DNS query:

Replacement in wrong-dns/README.md at line 22 [5.1]
B:BD[5.322] → [5.322:362]
```
The sequence is potentially like this:
```
[5.322]
[5.362]
```
the sequence is potentially like this:
```

Replacement in wrong-dns/README.md at line 24 [5.1]

B:BD[5.364] → [5.364:387]

B:BD[5.387] → [6.4:258]

1.  Split name by `.`
1.  For each item, construct `${length}${label}` segments. The final empty `label` gets converted to its own `0x0` byte
2.  Concat the segments together, then append the empty label `0x0`
1.  Append the DNS type & class (always IN/`0x1` for internet)

[5.364]

[5.641]

1.  split name by `.`.
1.  for each item, construct `${length}${label}` segments. the final empty `label` gets converted to its own `0x0` byte.
1.  concat the segments together, then append the empty label `0x0`, regardless of previous step.
1.  append the DNS type & class (always IN/`0x1` for Internet)

Replacement in wrong-dns/README.md at line 33 [5.1]

B:BD[5.837] → [5.837:903]

03 ?? ?? ?? 00  00 01     00 01
ll  c  o  m .  TYPE A CLASS  IN

[5.837]

[5.903]

03 ?? ?? ?? 00|  00 01|    00 01
ll  c  o  m . | TYPE A|CLASS  IN

Replacement in wrong-dns/README.md at line 37 [5.1]

B:BD[5.913] → [5.913:949]

B:BD[5.949] → [6.259:331]

03 ?? ?? ?? 00  00 00     01 00 01
ll  c  o  m .  TYPE 0 CLASS 256 FORMAT ERROR, i hope the server answer

[5.913]

[5.1001]

03 ?? ?? ?? 00|  00 00|    01 00 01
ll  c  o  m . | TYPE 0|CLASS 256 FORMAT ERROR, i hope the server answer

Replacement in wrong-dns/README.md at line 41 [5.1]

B:BD[3.1377] → [2.215:442]

For more background, https://jvns.ca/blog/2022/09/12/why-do-domain-names-end-with-a-dot-/#in-a-dns-request-response-domain-names-don-t-have-a-trailing or view responses in various formats https://dnsinstitute.com/webdnsquery/

[3.1377]

[3.1468]

for more background, check out [jvns' blog](https://jvns.ca/blog/2022/09/12/why-do-domain-names-end-with-a-dot-/#in-a-dns-request-response-domain-names-don-t-have-a-trailing) or view responses in various formats with [DNS institute tool](https://dnsinstitute.com/webdnsquery/).

Replacement in wrong-dns/README.md at line 43 [5.1]

B:BD[3.1470] → [3.1470:1697]

There is a different case from 2001, where a (windows-based?) client sent TYPE & CLASS as little-endian, not big-endian, giving TYPE256 CLASS256 https://groups.google.com/g/comp.protocols.dns.bind/c/pIVLil7p8wA/m/Y0bxMyn5bI0J

[3.1470]

[6.332]

there is a [different case from 2001](https://groups.google.com/g/comp.protocols.dns.bind/c/pIVLil7p8wA/m/Y0bxMyn5bI0J), where a (windows-based?) client sent TYPE & CLASS as little-endian, not big-endian, giving "TYPE256 CLASS256" query.

Replacement in wrong-dns/README.md at line 49 [5.1]
B:BD[3.1764] → [3.1764:1795]
```
Catching in wireshark/tshark:
```
[3.1764]
[3.1795]
```
catching in wireshark/tshark:
```
Replacement in wrong-dns/README.md at line 53 [5.1]
B:BD[3.1820] → [3.1820:1832]
```
In tcpdump
```
[3.1820]
[3.1832]
```
or with tcpdump/pcap filter:
```

Replacement in wrong-dns/README.md at line 57 [5.1]

∅:D[3.1876] → [5.1008:1129]

B:BD[5.1008] → [5.1008:1129]

B:BD[5.1129] → [6.352:537]

I want to generate those wrong Questions on-demand, to observe and quote the various DNS servers' log lines about them.
As well as putting all kind of TYPEs in the Q and see what they get pushed out to [https://www.netmeister.org/blog/dns-rrs.html]. For example TYPE0 CLASS8448 is a corruption of SRV rr

[3.1876]

[5.1317]

i want to generate those wrong Questions on-demand, to observe and quote the various DNS servers' log lines about them.
As well as putting all kind of TYPEs in the Q and see what they get intepreted as [https://www.netmeister.org/blog/dns-rrs.html].
```bash
$ declare -a TYPES=(type1 type2 cname type6 mx txt aaaa srv dname type65 type255 caa)
```

Replacement in wrong-dns/README.md at line 86 [5.1]

B:BD[6.560] → [3.2065:2138]

∅:D[3.2138] → [6.629:1059]

B:BD[6.629] → [6.629:1059]

I chose NLnet Labs' `domain` crate, because it is self-contained, comes
with a resolver. Fortunately it exposes the above hand-off function to give users' direct access to parsed domain bytes. I haven't wrapped my head around how to properly print out all kinds of answer data yet, so i resigned to asserting that the queried server ignores/refuses the bad questions. I can construct a bad `Dname`, pinky-promise to `domain` that it is good, and let it help me with the rest of DNS+UDP required data!

[6.560]

[7.87]

i chose NLnet Labs' `domain` crate, because it is self-contained, comes
with a resolver. fortunately it exposes the above hand-off function to give users' direct access to parsed domain bytes. i haven't wrapped my head around how to properly print out all kinds of answer data yet, so i resigned to asserting that the queried server ignores/refuses the bad questions. i can construct a bad `Dname`, pinky-promise to `domain` that it is good, and let it help me with the rest of DNS+UDP wrapping & handling!
an alternative would be `trust-dns`'s `proto` & `client` crates. i don't think its server-side implementation is ready yet.
I queried some usual resource types against an unbound server:
```bash
$ declare -a TYPES=(type1 type2 cname type6 mx txt aaaa srv dname type65 type255 caa)
$ for type in ${TYPES[*]}; do cargo r -q -- @unbound.address $type; done
A: b"\0\0\x81\x85\0\x01\0\0\0\0\0\0\x07example\0\0\0\x01\0"
NS: server ignored us, perhaps: Custom { kind: TimedOut, error: "all timed out" }
CNAME: b"\0\0\x81\x85\0\x01\0\0\0\0\0\0\x07example\0\0\0\x05\0"
SOA: b"\0\0\x81\x85\0\x01\0\0\0\0\0\0\x07example\0\0\0\x06\0"
MX: b"\0\0\x81\x85\0\x01\0\0\0\0\0\0\x07example\0\0\0\x0f\0"
TXT: b"\0\0\x81\x85\0\x01\0\0\0\0\0\0\x07example\0\0\0\x10\0"
AAAA: b"\0\0\x81\x85\0\x01\0\0\0\0\0\0\x07example\0\0\0\x1c\0"
SRV: b"\0\0\x81\x85\0\x01\0\0\0\0\0\0\x07example\0\0\0!\0"
DNAME: server ignored us, perhaps: Custom { kind: TimedOut, error: "all timed out" }
HTTPS: server ignored us, perhaps: Custom { kind: TimedOut, error: "all timed out" }
ANY: b"\0\0\x81\x85\0\x01\0\0\0\0\0\0\x07example\0\0\0\xff\0"
CAA: server ignored us, perhaps: Custom { kind: TimedOut, error: "all timed out" }
```
"perhaps" is because, as we see below, the app sometimes didn't receive response data. unbound logs clear messages:

Replacement in wrong-dns/README.md at line 113 [5.1]

B:BD[7.89] → [6.1060:1126]

An alternative would be `trust-dns`'s `proto` & `client` crates.

[7.89]

[6.1126]

```text
unbound[1626:0] info: resolving example. TYPE0 CLASS256
unbound[1626:4] info: resolving example. TYPE0 CLASS512
unbound[1626:2] info: resolving example. TYPE0 CLASS1280
unbound[1626:3] info: resolving example. TYPE0 CLASS1536
unbound[1626:1] info: resolving example. TYPE0 CLASS3840
unbound[1626:5] info: resolving example. TYPE0 CLASS4096
unbound[1626:2] info: resolving example. TYPE0 CLASS7168
unbound[1626:4] info: resolving example. TYPE0 CLASS8448
unbound[1626:3] info: resolving example. TYPE0 CLASS9984
unbound[1626:3] info: resolving example. TYPE0 CLASS65280
```

Replacement in wrong-dns/README.md at line 126 [5.1]
B:BD[6.1128] → [6.1128:1160]
```
Here is tcpdump's translation:
```
[6.1128]
[6.1160]
```
Here is tcpdump's translation of the traffic:
```

Replacement in wrong-dns/README.md at line 130 [5.1]

B:BD[7.141] → [7.141:168]

0 FormErr [0q] 0/0/0 (12)

[7.141]

[7.168]

0 FormErr 0/0/1 (36)
0+ Type0 (Class 256)? example. (26)
0 Refused 0/0/0 (25)

Replacement in wrong-dns/README.md at line 134 [5.1]

B:BD[7.238] → [7.238:281]

B:BD[7.308] → [7.308:352]

0+ [1au] Type0 (Class 768)? example. (37)
0+ [1au] Type0 (Class 1024)? example. (37)

[7.211]

[7.379]

0 FormErr 0/0/1 (36)
0+ Type0 (Class 512)? example. (26)
0 Refused 0/0/0 (25)

Insertion in wrong-dns/README.md at line 138 [5.1]

[7.423]

[7.450]

0 FormErr 0/0/1 (36)
0+ Type0 (Class 1280)? example. (26)
0 Refused 0/0/0 (25)

Replacement in wrong-dns/README.md at line 142 [5.1]

B:BD[7.521] → [7.521:565]

B:BD[7.592] → [7.592:636]

B:BD[7.663] → [7.663:707]

B:BD[7.734] → [7.734:778]

B:BD[7.805] → [7.805:849]

B:BD[7.876] → [7.876:920]

B:BD[7.947] → [7.947:991]

B:BD[7.1018] → [7.1018:1062]

0+ [1au] Type0 (Class 1792)? example. (37)
0+ [1au] Type0 (Class 2048)? example. (37)
0+ [1au] Type0 (Class 2304)? example. (37)
0+ [1au] Type0 (Class 2560)? example. (37)
0+ [1au] Type0 (Class 2816)? example. (37)
0+ [1au] Type0 (Class 3072)? example. (37)
0+ [1au] Type0 (Class 3328)? example. (37)
0+ [1au] Type0 (Class 3584)? example. (37)

[7.494]

[7.1089]

0 FormErr 0/0/1 (36)
0+ Type0 (Class 1536)? example. (26)
0 Refused 0/0/0 (25)

Insertion in wrong-dns/README.md at line 146 [5.1]

[7.1133]

[7.1160]

0 FormErr 0/0/1 (36)
0+ Type0 (Class 3840)? example. (26)
0 Refused 0/0/0 (25)

Insertion in wrong-dns/README.md at line 150 [5.1]

[7.1204]

[3.2139]

0 FormErr 0/0/1 (36)
0+ Type0 (Class 4096)? example. (26)
0 Refused 0/0/0 (25)
0+ [1au] Type0 (Class 7168)? example. (37)
0 FormErr 0/0/1 (36)
0+ Type0 (Class 7168)? example. (26)
0 Refused 0/0/0 (25)
0+ [1au] Type0 (Class 8448)? example. (37)
0 FormErr 0/0/1 (36)
0+ Type0 (Class 8448)? example. (26)
0 Refused 0/0/0 (25)
0+ [1au] Type0 (Class 9984)? example. (37)
0 FormErr 0/0/1 (36)
0+ Type0 (Class 9984)? example. (26)
0 Refused 0/0/0 (25)
0+ [1au] Type0 (Class 16640)? example. (37)
0 FormErr 0/0/1 (36)
0+ Type0 (Class 16640)? example. (26)
0 Refused 0/0/0 (25)
0+ [1au] Type0 (Class 65280)? example. (37)
0 FormErr 0/0/1 (36)
0+ Type0 (Class 65280)? example. (26)
0 Refused 0/0/0 (25)
0+ [1au] A (Class 256)? example. (37)
0 FormErr 0/0/1 (36)
```
(you see why i said `perhaps`). this last one `A (Class 256)?` is from a `CAA` rtype. its high byte gets reinterpreted as `type A` again! but the `Class 256` is never fixable, and the whole packet is malformed beyond repair anyhow.
i tested again ISC bind, but it says only:

Replacement in wrong-dns/README.md at line 181 [5.1]

∅:D[3.2141] → [7.1231:1297]

B:BD[7.1231] → [7.1231:1297]

0+ [1au] A (Class 256)? example. (37)
0 FormErr [0q] 0/0/0 (12)

[3.2141]

[7.1297]

```text
client: warning: client 4.5.6.7#33870: message parsing failed: unexpected end of input
```
CoreDNS, NLnet NSD doesn't log anything about these at all.
of the cloudflare addresses, .1 and .3 replies quickly & i can print the response, but i miss .2 traffic consistently:
```bash
$ for s in 1 2 3; do cargo r -q -- @1.1.1.$s aaaa; done
AAAA: b"\0\0\x81\x84\0\x01\0\0\0\0\0\0\x07example\0\0\0\x1c\0"
AAAA: server ignored us, perhaps: Custom { kind: TimedOut, error: "all timed out" }
AAAA: b"\0\0\x81\x84\0\x01\0\0\0\0\0\0\x07example\0\0\0\x1c\0"

Replacement in wrong-dns/README.md at line 196 [5.1]

B:BD[6.1165] → [6.1165:1367]

This last one `A (Class 256)?` was from a `CAA` rtype. Its high byte gets reinterpreted as `type A` again! But the `Class 256` is never fixable, and the whole packet is malformed beyond repair anyhow.

[6.1165]

[3.2142]

nothing comes back from .2:
```text
0+ [1au] Type0 (Class 7168)? example. (37)
0 NotImp 0/0/0 (25)
0+ [1au] Type0 (Class 7168)? example. (37)
0+ [1au] Type0 (Class 7168)? example. (37)
0 NotImp 0/0/0 (25)
```

Replacement in wrong-dns/README.md at line 206 [5.1]

B:BD[3.2144] → [3.2144:2269]

bind9 and cloudflare DNS servers, quad-9, ???, ??? politely return `Not Implemented`, while `resolved`, google dns, adguard

[3.2144]

i hope someone out there come across this & figure out whatever is happening with the clients sending these queries.