A record from cache for request that resolved to (some) CNAMEs

Mehmed Kahric mehmed.kahric at vlatacom.com
Wed Sep 23 09:44:07 UTC 2015 

Hi to all,

FYI, Red Hat Enterprise Linux 6 and 7, and derivatives (I checked CentOS,
Oracle (Enterprise) Linux, and Scientific Linux), as well as EPEL for el5
and el6 (epel7 does not have unbound package yet) have wrong (mistyped)
private-address for a link-local range (192.254.0.0/16 instead of
169.254.0.0/16) in unbound.conf.
I reported this bug on bugzilla.redhat.com.
Please double-check the config, do not make the mistake I did.

Regards, Mehmed


On Tue, September 22, 2015 10:22, W.C.A. Wijngaards via Unbound-users wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi Mehmed,
>
> On 21/09/15 13:17, Mehmed Kahric via Unbound-users wrote:
>> Hi,
>>
>> I have a similar issue as reported in Bug 669.
>>
>> For some (one for now) CNAMEs we have a empty A record answer from
>> Unbound. Proper answer came from remote DNS as showed in Unbound
>> log and tcpdump. Identical issue came from both us Unbound
>> instances: - CentOS 6, Unbound 1.5.1 from EPEL, configured as
>> recursive caching with forward-zone; - CentOS 7, Unbound 1.4.20
>> from base, configured as authoritative, validating, recursive
>> caching.
>>
>> Log from first Unbound instance (with verbosity level 4) and from
>> tcpdump is in attachment, and dig from client (with output) is:
>
> What happens is the query for www.sensoray.com gives a CNAME to
> sensoray.com and an A record.  But when queried specifically for the
> sensoray.com name the A record does not exist, the A record in the
> CNAME answer was a lie!
>
> You can test this yourself, with dig sensoray.com @8.8.8.8 and this
> returns no A record. (according to the verbosity 4 logs you give)
>
> The A record is inserted in the same way some cache-poisoning attacks
> work.  The cache-poisoning attack mitigations in unbound remove it.
> (and unbound logs that it is scrubbed out of the answer).
>
> Best regards,
>    Wouter
>
>
>>
>> --- C:\Users\Moi>dig www.sensoray.com @192.168.10.14
>>
>> ; <<>> DiG 9.10.2-P3 <<>> www.sensoray.com @192.168.10.14 ;; global
>> options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status:
>> NOERROR, id: 38559 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1,
>> AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;;
>> QUESTION SECTION: ;www.sensoray.com.              IN      A
>>
>> ;; ANSWER SECTION: www.sensoray.com.       5433    IN      CNAME
>> sensoray.com.
>>
>> ;; Query time: 218 msec ;; SERVER: 192.168.10.14#53(192.168.10.14)
>> ;; WHEN: Fri Sep 18 11:13:30 Central Europe Daylight Time 2015 ;;
>> MSG SIZE  rcvd: 59
>>
>> C:\Users\Moi>dig sensoray.com @192.168.10.14
>>
>> ; <<>> DiG 9.10.2-P3 <<>> sensoray.com @192.168.10.14 ;; global
>> options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status:
>> NOERROR, id: 5722 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0,
>> AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;;
>> QUESTION SECTION: ;sensoray.com.                  IN      A
>>
>> ;; Query time: 31 msec ;; SERVER: 192.168.10.14#53(192.168.10.14)
>> ;; WHEN: Fri Sep 18 11:13:37 Central Europe Daylight Time 2015 ;;
>> MSG SIZE  rcvd: 41
>>
>> ---
>>
>>
>> Regards, Mehmed
>>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJWAQ+qAAoJEJ9vHC1+BF+NBaoQAKCxfaHOoV1n59p7ujexXbom
> Ai/89fCcumvoWG7x1SpEnkKOD/3bSYh4/gYQsXb+f5Cwpf+L8mXWUeVtuWg03GWl
> 8MCcbRfhTFLrKS2Uaa3agLRSNkXo/hKDkixlsnf67rnAGPNonJ/FSg0VF0Q7bC5s
> IGpdCYmyF4L/W2xlkW+0gh5WWD05cCFXNu4l7/Gg7esxdmY72H9otqtJQNODU9t7
> t/9xwIMOeDMKIdkHsXfKru73rGCuq1+VSAyzaPrjV9dv3S/9eg22QgF5CbVxUl++
> rUxm/KCY8UqTJbSXB5hv7qB0d2viJuX2UJgkNKuSzWmaCq9aMy9zyOJ3OXTtduz8
> G925GS7UrLpBMTEotPeDYn7d2cJCwdaMUNnRkfjqIGdvz6Aw5WbmnlwQLimiBRoJ
> U8pDw2zzRn/u5j6YFrocVjgn0DUjeod9UA0tnTdLtuocE7HM65UY+AwNnwonxg7u
> Xj1XQlIvhSw9JMHB8uVYDJGKZDkqDIoyEkifR47DK6/Xo/D3s17PPlHFBfOcskd0
> kbb00MoR4wvUXlHZm5S4/5l9l5+ZbMDBJc6910/+53tn8M+gH/i6vWMTyCjT6gko
> 5cUKaHGN5wsm5VsUb396rGkLnyQUw0z0T5S016bAgPsoK9Yx0djhoVU9cezVEE4v
> OvmFyxkjassU5o0ZJnll
> =elOW
> -----END PGP SIGNATURE-----
>

More information about the Unbound-users mailing list