Maintained by: NLnet Labs

A record from cache for request that resolved to (some) CNAMEs

W.C.A. Wijngaards
Tue Sep 22 10:22:02 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Mehmed,

On 21/09/15 13:17, Mehmed Kahric via Unbound-users wrote:
> Hi,
> 
> I have a similar issue as reported in Bug 669.
> 
> For some (one for now) CNAMEs we have a empty A record answer from 
> Unbound. Proper answer came from remote DNS as showed in Unbound
> log and tcpdump. Identical issue came from both us Unbound
> instances: - CentOS 6, Unbound 1.5.1 from EPEL, configured as
> recursive caching with forward-zone; - CentOS 7, Unbound 1.4.20
> from base, configured as authoritative, validating, recursive
> caching.
> 
> Log from first Unbound instance (with verbosity level 4) and from
> tcpdump is in attachment, and dig from client (with output) is:

What happens is the query for www.sensoray.com gives a CNAME to
sensoray.com and an A record.  But when queried specifically for the
sensoray.com name the A record does not exist, the A record in the
CNAME answer was a lie!

You can test this yourself, with dig sensoray.com @8.8.8.8 and this
returns no A record. (according to the verbosity 4 logs you give)

The A record is inserted in the same way some cache-poisoning attacks
work.  The cache-poisoning attack mitigations in unbound remove it.
(and unbound logs that it is scrubbed out of the answer).

Best regards,
   Wouter


> 
> --- C:\Users\Moi>dig www.sensoray.com @192.168.10.14
> 
> ; <<>> DiG 9.10.2-P3 <<>> www.sensoray.com @192.168.10.14 ;; global
> options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status:
> NOERROR, id: 38559 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1,
> AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;;
> QUESTION SECTION: ;www.sensoray.com.              IN      A
> 
> ;; ANSWER SECTION: www.sensoray.com.       5433    IN      CNAME
> sensoray.com.
> 
> ;; Query time: 218 msec ;; SERVER: 192.168.10.14#53(192.168.10.14) 
> ;; WHEN: Fri Sep 18 11:13:30 Central Europe Daylight Time 2015 ;;
> MSG SIZE  rcvd: 59
> 
> C:\Users\Moi>dig sensoray.com @192.168.10.14
> 
> ; <<>> DiG 9.10.2-P3 <<>> sensoray.com @192.168.10.14 ;; global
> options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status:
> NOERROR, id: 5722 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0,
> AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;;
> QUESTION SECTION: ;sensoray.com.                  IN      A
> 
> ;; Query time: 31 msec ;; SERVER: 192.168.10.14#53(192.168.10.14) 
> ;; WHEN: Fri Sep 18 11:13:37 Central Europe Daylight Time 2015 ;;
> MSG SIZE  rcvd: 41
> 
> ---
> 
> 
> Regards, Mehmed
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWAQ+qAAoJEJ9vHC1+BF+NBaoQAKCxfaHOoV1n59p7ujexXbom
Ai/89fCcumvoWG7x1SpEnkKOD/3bSYh4/gYQsXb+f5Cwpf+L8mXWUeVtuWg03GWl
8MCcbRfhTFLrKS2Uaa3agLRSNkXo/hKDkixlsnf67rnAGPNonJ/FSg0VF0Q7bC5s
IGpdCYmyF4L/W2xlkW+0gh5WWD05cCFXNu4l7/Gg7esxdmY72H9otqtJQNODU9t7
t/9xwIMOeDMKIdkHsXfKru73rGCuq1+VSAyzaPrjV9dv3S/9eg22QgF5CbVxUl++
rUxm/KCY8UqTJbSXB5hv7qB0d2viJuX2UJgkNKuSzWmaCq9aMy9zyOJ3OXTtduz8
G925GS7UrLpBMTEotPeDYn7d2cJCwdaMUNnRkfjqIGdvz6Aw5WbmnlwQLimiBRoJ
U8pDw2zzRn/u5j6YFrocVjgn0DUjeod9UA0tnTdLtuocE7HM65UY+AwNnwonxg7u
Xj1XQlIvhSw9JMHB8uVYDJGKZDkqDIoyEkifR47DK6/Xo/D3s17PPlHFBfOcskd0
kbb00MoR4wvUXlHZm5S4/5l9l5+ZbMDBJc6910/+53tn8M+gH/i6vWMTyCjT6gko
5cUKaHGN5wsm5VsUb396rGkLnyQUw0z0T5S016bAgPsoK9Yx0djhoVU9cezVEE4v
OvmFyxkjassU5o0ZJnll
=elOW
-----END PGP SIGNATURE-----