resolved: implement RFC5452

This improves the resilience against cache poisoning by being stricter about only accepting responses that match precisely the requst they are in reply to. It should be noted that we still only use one port (which is picked at random), rather than one port for each transaction. Port randomization would improve things further, but is not required by the RFC.
2015-07-09 02:58:15 +02:00 · 2015-07-09 02:58:15 +02:00 · 29815b6c60
parent 8300ba218e
commit 29815b6c60
2 changed files with 13 additions and 4 deletions
--- a/1
+++ b/1
@ -354,7 +354,6 @@ Features:
  - dname
  - cname on PTR (?)
  - maybe randomize DNS UDP source ports
-  - maybe compare query section of DNS replies

 * Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely

--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@ -338,10 +338,15 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
        if (t->scope->protocol == DNS_PROTOCOL_DNS) {

                /* For DNS we are fine with accepting packets on any
-                 * interface, but the source IP address must be one of
-                 * a valid DNS server */
+                 * interface, but the source IP address must be the
+                 * one of the DNS server we queried */

-                if (!dns_scope_good_dns_server(t->scope, p->family, &p->sender))
+                assert(t->server);
+
+                if (t->server->family != p->family)
+                        return;
+
+                if (!in_addr_equal(p->family, &p->sender, &t->server->address))
                        return;

                if (p->sender_port != 53)
@ -403,6 +408,11 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
                return;
        }

+        /* Only consider responses with equivalent query section to the request */
+        if (!dns_question_is_superset(p->question, t->question) ||
+            !dns_question_is_superset(t->question, p->question))
+                dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
+
        /* According to RFC 4795, section 2.9. only the RRs from the answer section shall be cached */
        dns_cache_put(&t->scope->cache, p->question, DNS_PACKET_RCODE(p), p->answer, DNS_PACKET_ANCOUNT(p), 0, p->family, &p->sender);