DelphinusDNS Blog

(the latest about delphinusdnsd)

A possible MITM attack caused me to find a vulnerability with AXFRs

April 14th, 2023

Please, if you run below 1.7.3 it's time to upgrade. 1.7.3 and the master branch have the fix as of today.

A few weeks ago my Amsterdam VPS did an AXFR. What was weird about this AXFR was that it was blank, but it went through. This caused my nameserver to die. I can't rule out that someone MITM'ed the transfer. It was highly odd. So last night I had the idea, and this morning and afternoon I implemented custom code to see if my hypothesis was right. It was correct: the replicant's AXFR did not check whether the answer even had any TSIGs in it. In a MITM the TSIGs could have been removed and new or replaced records could have been put in, and it would have passed.

Now then, the fix is that we require a TSIG to be seen if we use TSIG authentication. Also, if there is trailing data after the TSIG, this constitutes an error. On the master branch the fix has signature e5a3d3828452127df428a47c77f8b3a8a4722451 and on the STABLE_1_7 branch it has signature a798b07e20065050c6178ae69f0fdd3e3899d199. Feel free to use either one. Though the master branch has some new code, it hasn't seen much production use yet. So, the sure-shot choice should be the 1.7.3 release.

I found the vulnerability, but was I the first one ever? The mind boggles.
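
The rule described in the post (a TSIG must be seen when TSIG authentication is in use, and trailing data after it is an error), sketched as a structural check on a single DNS reply message. This is an added example, not delphinusdnsd's code: `check_tsig_envelope`, its return codes and the sample bytes are constructed for illustration, and verifying the TSIG MAC is assumed to happen separately.

```c
#include <stdint.h>
#include <stdio.h>

enum { TSIG_OK = 0, TSIG_MALFORMED = -1, TSIG_MISSING = -2, TSIG_TRAILING = -3 };
static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }
/* Skip a possibly compressed name; returns the new offset, or 0 on error. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off) {
    while (off < len) {
        uint8_t c = m[off];
        if (c == 0) return off + 1;                 /* root label ends the name */
        if ((c & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0; /* pointer */
        if (c & 0xC0) return 0;                     /* reserved label type */
        off += 1 + (size_t)c;
    }
    return 0;
}

/* Structural check only: a TSIG RR (type 250) must be last, with nothing after it. */
int check_tsig_envelope(const uint8_t *m, size_t len) {
    if (len < 12) return TSIG_MALFORMED;
    unsigned qd = rd16(m + 4), ar = rd16(m + 10), last_type = 0;
    unsigned rrs = rd16(m + 6) + rd16(m + 8) + ar;
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) {             /* question section */
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 4) return TSIG_MALFORMED;
        off += 4;
    }
    for (unsigned i = 0; i < rrs; i++) {            /* answer, authority, additional */
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 10) return TSIG_MALFORMED;
        last_type = rd16(m + off);                  /* type of the record just parsed */
        size_t rdlen = rd16(m + off + 8);
        if (rdlen > len - off - 10) return TSIG_MALFORMED;
        off += 10 + rdlen;
    }
    if (ar == 0 || last_type != 250) return TSIG_MISSING;  /* stripped or absent TSIG */
    return off == len ? TSIG_OK : TSIG_TRAILING;
}

/* Constructed samples: a blank reply; a placeholder TSIG RR ending at byte 29 + 1 junk byte. */
static const uint8_t blank_reply[12] = { 0x12,0x34, 0x84,0x00, 0,0, 0,0, 0,0, 0,0 };
static const uint8_t signed_reply[30] = { 0x12,0x34, 0x84,0x00, 0,0, 0,0, 0,0, 0,1,
    3,'k','e','y',0, 0,250, 0,255, 0,0,0,0, 0,2, 0xAA,0xBB, 0xFF };
int main(void) {
    printf("blank=%d signed=%d trailing=%d\n", check_tsig_envelope(blank_reply, 12),
           check_tsig_envelope(signed_reply, 29), check_tsig_envelope(signed_reply, 30));
    return 0;
}
```

A blank reply with no records returns `TSIG_MISSING` instead of being accepted, which is the case the post describes.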

