VE4KLM > JNOS 20.03.21 21:47l 54 Lines 1925 Bytes #999 (0) @ WW
BID : A0DAC_VE4KLM
Read: GUEST
Subj: malformed DNS packets, NOS crashing, and a first fix ..
Path: IW8PGT<I3XTY<I0OJJ<N6RME<CX2SA<W0ARP<K5DAT<N2NOV<VE4KLM
Sent: 210320/2039z @:VE4KLM.#WPG.MB.CAN.NOAM [Winnipeg] $:A0DAC_VE4KLM
From ve4klm%ve4klm.#wpg.mb.can.noam@n2nov.ampr.org Sat Mar 20 16:40:39 2021
Received: from n2nov.ampr.org by n2nov.ampr.org (JNOS2.0m.5F) with SMTP
id AA201951 ; Sat, 20 Mar 2021 16:40:39 EDT
Message-Id: <A0DAC_VE4KLM@ve4klm.bbs>
From: ve4klm@ve4klm.#wpg.mb.can.noam
X-JNOS-User-Port: Uplink (VE4KLM on port axipv) -> Sending message
Good day,
What I originally thought was DNS attacks seems to be more a case of JNOS querying some DNS server and getting a malformed response, looks like it anyways. Thanks to Jean for the PI time and allowing me access, and Janusz for his gdb reports and such.

It does happen, sometimes it suggests networking issues or other factors, I'm not an expert on what causes malformed responses, outside of malicious activity ... so at the same time if you see 'malformed dns packet' it doesn't mean the firewall should come out right away? Any experts out there to add to this or correct my train of thought?

I have a patch (technically very simple, checking qdcount for starters) that should be a big help in stopping JNOS from crashing on most malformed DNS packets. I suspect the reports I hear from time to time about JNOS crashing all the time could very well be because of this DNS issue. Seems to be more prevalent these days I hear.

You can rsync (if you already do) or you can download the specific patch below:

https://www.langelaar.net/jnos2/januszDNSfix.tar

It contains domhdr.c and domain.[ch]; most of those have not changed for eons, so you can probably work them into any version of JNOS from the past few years or so. Make sure, and do a diff just to be on the safe side. I have also improved the error logging for some of the DNS packet functions. If you get a malformed packet, the logfile will now say so, and you should see the IP address of the server in question.
This is the first fix, I'm sure it will get refined over time.
Maiko / VE4KLM
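As an added illustration of the kind of check the message describes (validating qdcount and the question section before trusting a DNS response), here is a small stand-alone validator. It is not JNOS code and not the patch from the tarball; the function name dns_response_ok and the sample packets are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define DNS_HDR_LEN 12      /* fixed header: ID, flags, four 16-bit counts */
#define DNS_MAX_NAME 255    /* RFC 1035 limit on a wire-format name */
/* Hypothetical check, not JNOS code: returns 1 when the header is complete and every
 * question announced by qdcount fits inside the packet; 0 when it should be logged and dropped. */
int dns_response_ok(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < DNS_HDR_LEN)
        return 0;                          /* truncated header */
    if ((pkt[2] & 0x80) == 0)
        return 0;                          /* QR bit clear: not a response */
    uint16_t qdcount = (uint16_t)((pkt[4] << 8) | pkt[5]);
    size_t off = DNS_HDR_LEN;
    for (uint16_t q = 0; q < qdcount; q++) {
        size_t namelen = 0;
        for (;;) {                         /* walk QNAME label by label */
            if (off >= len) return 0;      /* ran off the end mid-name */
            uint8_t lab = pkt[off++];
            if (lab == 0) break;           /* root label ends the name */
            if (lab & 0xC0) return 0;      /* no compression pointers in a question */
            namelen += lab + 1;
            if (namelen > DNS_MAX_NAME || off + lab > len) return 0;
            off += lab;
        }
        if (off + 4 > len) return 0;       /* QTYPE and QCLASS must follow */
        off += 4;
    }
    return 1;
}
/* Constructed sample packets, not captured traffic. */
static const uint8_t good_resp[] = {          /* one question: www.example.com A IN */
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
static const uint8_t bad_qdcount[] = {        /* same body, header claims 65535 questions */
    0x12,0x34, 0x81,0x80, 0xff,0xff, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
static const uint8_t bad_label[] = {          /* label length runs past the packet end */
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x3f,'w','w' };

int main(void)
{
    printf("good=%d bad_qdcount=%d bad_label=%d\n",
           dns_response_ok(good_resp, sizeof good_resp),
           dns_response_ok(bad_qdcount, sizeof bad_qdcount),
           dns_response_ok(bad_label, sizeof bad_label));
    return 0;
}
```

A resolver that runs this check before walking the question section can log the sender address and drop the packet instead of reading past the buffer.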