[nos-bbs] malformed DNS packets, NOS crashing, and a first fix ...
M Langelaar
maiko at pcsinternet.ca
Sat Mar 20 16:33:56 EDT 2021
Good day,
What I originally thought was DNS attacks seems to be more a case of JNOS querying some DNS server and getting a malformed response, looks like it anyways. Thanks to Jean for the PI time and allowing me access, and Janusz for his gdb reports and such.
It does happen, sometimes it suggests networking issues or other factors, I'm not an expert on what causes malformed responses, outside of malicious activity ... so at the same time if you see 'malformed dns packet' it doesn't mean the firewall should come out right away? Any experts out there to add to this or correct my train of thought?
I have a patch (technically very simple, checking qdcount for starters) that should be a big help in stopping JNOS from crashing on most malformed DNS packets. I suspect the reports I hear from time to time about JNOS crashing all the time could very well be because of this DNS issue. Seems to be more prevalent these days I hear.
You can rsync (if you already do) or you can download the specific patch below:
https://www.langelaar.net/jnos2/januszDNSfix.tar
It contains domhdr.c, domain.[ch], most of those have not changed for eons, so you can probably work them into any version of JNOS from the past few years or so. Make sure, and do a diff just to be on the safe side. I have also improved the error logging for some of the DNS packet functions. If you get a malformed packet, the logfile will now say so, and you should see the IP address of the server in question.
This is the first fix, I'm sure it will get refined over time.
Maiko / VE4KLM
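The kind of check the message describes, as an added example that is not part of the original post and is not the JNOS patch: before a resolver trusts anything in a reply, it confirms that the header counts (qdcount first) can fit in the bytes actually received and that each question name stays inside the packet. The names `dns_check`, `skip_name` and the error codes are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define DNS_HDR_LEN 12
enum { DNS_OK = 0, DNS_SHORT = -1, DNS_BAD_COUNT = -2, DNS_BAD_NAME = -3 };

static unsigned get16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Skip one encoded name starting at off; return offset past it, or 0 on error. */
static size_t skip_name(const uint8_t *pkt, size_t len, size_t off)
{
    while (off < len) {
        uint8_t c = pkt[off];
        if (c == 0)
            return off + 1;              /* root label ends the name */
        if ((c & 0xC0) == 0xC0)          /* compression pointer: 2 bytes, ends name */
            return (off + 2 <= len) ? off + 2 : 0;
        if (c & 0xC0)
            return 0;                    /* reserved label types */
        off += 1 + (size_t)c;            /* ordinary label, 1..63 bytes */
    }
    return 0;                            /* ran off the end of the packet */
}

/* Validate header counts and every question before any field is used. */
int dns_check(const uint8_t *pkt, size_t len)
{
    if (len < DNS_HDR_LEN)
        return DNS_SHORT;
    unsigned qd = get16(pkt + 4);        /* qdcount */
    unsigned rr = get16(pkt + 6) + get16(pkt + 8) + get16(pkt + 10);
    size_t body = len - DNS_HDR_LEN;
    /* Smallest question is 5 bytes, smallest resource record is 11. */
    if ((size_t)qd * 5 + (size_t)rr * 11 > body)
        return DNS_BAD_COUNT;
    size_t off = DNS_HDR_LEN;
    for (unsigned i = 0; i < qd; i++) {
        off = skip_name(pkt, len, off);
        if (off == 0 || off + 4 > len)   /* name plus QTYPE and QCLASS */
            return DNS_BAD_NAME;
        off += 4;
    }
    return DNS_OK;
}

/* Constructed sample: a query for "a." with qdcount = 1 (19 bytes). */
static const uint8_t sample[] = {0x12,0x34,1,0,0,1,0,0,0,0,0,0,1,'a',0,0,1,0,1};

int main(void) { return dns_check(sample, sizeof sample) == DNS_OK ? 0 : 1; }
```

A caller would log the sender's address and drop the packet on any non-zero return, and only then go on to parse the answer sections.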