
Multiple Heap Buffer Overflows In the Windows DNS Client - dijit
https://www.bishopfox.com/blog/2017/10/a-bug-has-no-name-multiple-heap-buffer-overflows-in-the-windows-dns-client/
======
bluejekyll
I’ve been working on [https://github.com/bluejekyll/trust-dns](https://github.com/bluejekyll/trust-dns)
for a bit over two years now.
About a year ago a new contributor added Windows build support and testing
with AppVeyor, which was awesome.

Originally I started this project more for server side stuff, but recently
have been very focused on a full resolver which could be used as a replacement
for the OS system resolver.

A question for HN, what would you like to see in this context that would make
a replacement resolver on Windows something you’d use? To be clear, it’s not
something you could use drop-in right now; it can only be used as an internal
library to Rust at the moment, but I’ve been planning to start working on a
daemon that could act as a caching system resolver in the next little bit.

~~~
gue5t
On Linux, I'd really love a caching resolver that _saves its cache
persistently_. I don't understand why the machine's power-on state has
anything to do with the validity of the DNS cache; if the entries were good at
shutdown time they ought to be good enough in a few seconds when I boot again.

~~~
bluejekyll
That's very feasible, as I already have the persistence layer from the server
component. So that could be reused easily. It's also portable, so would work
on all the currently supported platforms, Linux, macOS and Windows.

------
rando444
The important bit is kind of buried in the middle:

_It is important to note that as the record is malformed, it should not
traverse any sane DNS resolvers. Because of this, the issue can only be
triggered if the victim(s) are accepting DNS responses directly from the
attacker-controlled server. Typically, this would require an active
Man-in-the-Middle attack._

~~~
stephengillie
A way to protect yourself is to manually specify DNS servers - to your own, or
a trusted public one like 4.4.2.2 or 8.8.8.8. It's buried in the network
settings, but DNS servers can be specified even if you're getting your IP from
DHCP.

This attack only works if you're getting DNS info from a malicious/compromised
source. So if you're on a coffee shop WiFi, it creates another layer of
complexity - the attacker would have to rewrite/spoof the DNS packets instead
of simply serving the malformed packets directly.
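As an added example (mine, not stephengillie's), this audits each active Windows adapter for whether its DNS servers were handed out by DHCP, and with `-Fix` pins them to a trusted set. It assumes an elevated PowerShell 5.1+ session with the NetAdapter and DnsClient modules; the default resolver list uses the Google Public DNS addresses jwilk gives later in the thread, and the static-vs-DHCP distinction comes from the standard Tcpip `Interfaces` registry key.

```powershell
# Added example, not from the thread: report adapters whose DNS servers come from
# DHCP (the "coffee shop WiFi" case above) and optionally pin a trusted resolver set.
# Assumes an elevated PowerShell 5.1+ session with the NetAdapter/DnsClient modules.
[CmdletBinding()]
param(
    # Resolvers to pin when -Fix is given; replace with your own if you run one.
    [string[]]$TrustedServers = @('8.8.8.8', '8.8.4.4'),
    [switch]$Fix
)

$ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

foreach ($adapter in Get-NetAdapter -Physical | Where-Object Status -eq 'Up') {
    # Per-interface TCP/IP settings live under a key named by the adapter's GUID.
    $props = Get-ItemProperty -Path (Join-Path $ifaceKey $adapter.InterfaceGuid) -ErrorAction SilentlyContinue

    # A non-empty NameServer value is a static setting and overrides DhcpNameServer.
    $static   = [string]$props.NameServer
    $fromDhcp = [string]$props.DhcpNameServer
    $source   = if ($static.Trim()) { 'static' } else { 'DHCP' }

    # What the DNS client is actually using right now for this interface.
    $effective = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses

    Write-Host ("{0,-20} source: {1,-6} effective: {2}" -f $adapter.Name, $source, ($effective -join ', '))
    if ($source -eq 'DHCP' -and $fromDhcp) {
        Write-Host ("{0,-20} DHCP-offered: {1}" -f '', $fromDhcp)
    }

    if ($source -eq 'DHCP' -and $Fix) {
        # Pin the resolvers so a rogue DHCP server on the same LAN cannot hand us its own.
        Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $TrustedServers
        Write-Host ("{0,-20} pinned to: {1}" -f $adapter.Name, ($TrustedServers -join ', '))
    }
}
```

Pinning closes the DHCP-supplied-resolver path the comment describes; as the comment also notes, it does not help against an on-path attacker rewriting the DNS packets themselves.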

~~~
Santosh83
Isn't that 4.4.4.4 or does Google also have a public DNS server on 4.4.2.2?

~~~
jwilk
Google Public DNS IPs are 8.8.8.8 and 8.8.4.4.

Source: [https://developers.google.com/speed/public-dns/](https://developers.google.com/speed/public-dns/)

------
jlgaddis
It's been many, many years since I earned my MCSx certs and, fortunately, I
rarely touch a Windows box these days so I am very likely wrong... but it
seems to me that the following scenario is possible.

A domain controller also acts as a DNS server. "Forwarders" can be configured,
or the DC can "go direct" and perform (recursive) resolution on a client's
behalf. A client that could be convinced (should be relatively easy?) to issue
a certain DNS request (which would be sent to the DC) would cause a malicious
response (assuming a malicious authoritative DNS server) to be sent to the DC.
In the case where the DC is an affected (unpatched) Windows 2012 server, this
would result in a compromise of the DC.

Sounds feasible, in theory. I don't know enough about this issue to say for
certain, though.

------
j_s
How similar is this to the dnsmasq stuff earlier this month?

Behind the Masq: Yet More DNS and DHCP Vulnerabilities |
[https://news.ycombinator.com/item?id=15383574](https://news.ycombinator.com/item?id=15383574)
(Oct 2017, 117 comments)

------
KekDemaga
>The DNS caching service that handles the storage of DNS responses
automatically restarts when it crashes, and it won’t notify the user of the
crash.

Programmer one: "It keeps crashing!"

Programmer two: "Just remove the bit that tells the user it crashed and ship
it!"

~~~
dpark
No one: “Just spam the user with error messages they won’t understand and
can’t fix!”

~~~
KekDemaga
Also no one: "let's fix it so it won't crash constantly"

~~~
dpark
Lots of engineers: “Just make it restart so it self-heals”

