Validate incoming DNS response messages to avoid cache poisoning attacks

clue · clue · commit 99d42cd6246b · 2018-06-22T19:11:11.000+02:00
diff --git a/src/Model/Message.php b/src/Model/Message.php
@@ -3,7 +3,6 @@
 namespace React\Dns\Model;
 
 use React\Dns\Query\Query;
-use React\Dns\Model\Record;
 
 class Message
 {
@@ -73,8 +72,29 @@ public static function createResponseWithAnswersForQuery(Query $query, array $an
         return $response;
     }
 
+    /**
+     * generates a random 16 bit message ID
+     *
+     * This uses a CSPRNG so that an outside attacker that is sending spoofed
+     * DNS response messages can not guess the message ID to avoid possible
+     * cache poisoning attacks.
+     *
+     * The `random_int()` function is only available on PHP 7+ or when
+     * https://github.com/paragonie/random_compat is installed. As such, using
+     * the latest supported PHP version is highly recommended. This currently
+     * falls back to a less secure random number generator on older PHP versions
+     * in the hope that this system is properly protected against outside
+     * attackers, for example by using one of the common local DNS proxy stubs.
+     *
+     * @return int
+     * @see self::getId()
+     * @codeCoverageIgnore
+     */
     private static function generateId()
     {
+        if (function_exists('random_int')) {
+            return random_int(0, 0xffff);
+        }
         return mt_rand(0, 0xffff);
     }
 
@@ -99,6 +119,22 @@ public function __construct()
         $this->header = new HeaderBag();
     }
 
+    /**
+     * Returns the 16 bit message ID
+     *
+     * The response message ID has to match the request message ID. This allows
+     * the receiver to verify this is the correct response message. An outside
+     * attacker may try to inject fake responses by "guessing" the message ID,
+     * so this should use a proper CSPRNG to avoid possible cache poisoning.
+     *
+     * @return int
+     * @see self::generateId()
+     */
+    public function getId()
+    {
+        return $this->header->get('id');
+    }
+
     public function prepare()
     {
         $this->header->populateCounts($this);
diff --git a/src/Query/DatagramTransportExecutor.php b/src/Query/DatagramTransportExecutor.php
@@ -125,23 +125,29 @@ public function query($nameserver, Query $query)
         });
 
         $parser = $this->parser;
-        $loop->addReadStream($socket, function ($socket) use ($loop, $deferred, $query, $parser) {
+        $loop->addReadStream($socket, function ($socket) use ($loop, $deferred, $query, $parser, $request) {
             // try to read a single data packet from the DNS server
             // ignoring any errors, this is uses UDP packets and not a stream of data
             $data = @\fread($socket, 512);
 
-            // we only react to the first message, so immediately remove socket from loop and close
-            $loop->removeReadStream($socket);
-            \fclose($socket);
-
             try {
                 $response = $parser->parseMessage($data);
             } catch (\Exception $e) {
-                // reject if we received an invalid message from remote server
-                $deferred->reject($e);
+                // ignore and await next if we received an invalid message from remote server
+                // this may as well be a fake response from an attacker (possible DOS)
                 return;
             }
 
+            // ignore and await next if we received an unexpected response ID
+            // this may as well be a fake response from an attacker (possible cache poisoning)
+            if ($response->getId() !== $request->getId()) {
+                return;
+            }
+
+            // we only react to the first valid message, so remove socket from loop and close
+            $loop->removeReadStream($socket);
+            \fclose($socket);
+
             if ($response->header->isTruncated()) {
                 $deferred->reject(new \RuntimeException('DNS query for ' . $query->name . ' failed: The server returned a truncated result for a UDP query, but retrying via TCP is currently not supported'));
                 return;
diff --git a/tests/Query/DatagramTransportExecutorTest.php b/tests/Query/DatagramTransportExecutorTest.php
@@ -7,6 +7,8 @@
 use React\Dns\Query\Query;
 use React\Dns\Model\Message;
 use React\EventLoop\Factory;
+use React\Dns\Protocol\Parser;
+use React\Dns\Protocol\BinaryDumper;
 
 class DatagramTransportExecutorTest extends TestCase
 {
@@ -60,7 +62,7 @@ public function testQueryRejectsOnCancellation()
         $promise->then(null, $this->expectCallableOnce());
     }
 
-    public function testQueryRejectsIfServerRejectsNetworkPacket()
+    public function testQueryKeepsPendingIfServerRejectsNetworkPacket()
     {
         $loop = Factory::create();
 
@@ -77,19 +79,11 @@ function ($e) use (&$wait) {
             }
         );
 
-        // run loop for short period to ensure we detect connection ICMP rejection error
-        \Clue\React\Block\sleep(0.01, $loop);
-        if ($wait) {
-            \Clue\React\Block\sleep(0.2, $loop);
-            if ($wait) {
-                $this->markTestSkipped('Did not receive an error (your OS may drop UDP packets to unbound port?)');
-            }
-        }
-
-        $this->assertFalse($wait);
+        \Clue\React\Block\sleep(0.2, $loop);
+        $this->assertTrue($wait);
     }
 
-    public function testQueryRejectsIfServerSendInvalidMessage()
+    public function testQueryKeepsPendingIfServerSendInvalidMessage()
     {
         $loop = Factory::create();
 
@@ -113,33 +107,64 @@ function ($e) use (&$wait) {
             }
         );
 
-        // run loop for short period to ensure we detect connection ICMP rejection error
-        \Clue\React\Block\sleep(0.01, $loop);
-        if ($wait) {
-            \Clue\React\Block\sleep(0.2, $loop);
-        }
+        \Clue\React\Block\sleep(0.2, $loop);
+        $this->assertTrue($wait);
+    }
 
-        $this->assertFalse($wait);
+    public function testQueryKeepsPendingIfServerSendInvalidId()
+    {
+        $parser = new Parser();
+        $dumper = new BinaryDumper();
+
+        $loop = Factory::create();
+
+        $server = stream_socket_server('udp://127.0.0.1:0', $errno, $errstr, STREAM_SERVER_BIND);
+        $loop->addReadStream($server, function ($server) use ($parser, $dumper) {
+            $data = stream_socket_recvfrom($server, 512, 0, $peer);
+
+            $message = $parser->parseMessage($data);
+            $message->header->set('id', 0);
+
+            stream_socket_sendto($server, $dumper->toBinary($message), 0, $peer);
+        });
+
+        $address = stream_socket_get_name($server, false);
+        $executor = new DatagramTransportExecutor($loop, $parser, $dumper);
+
+        $query = new Query('google.com', Message::TYPE_A, Message::CLASS_IN);
+
+        $wait = true;
+        $promise = $executor->query($address, $query)->then(
+            null,
+            function ($e) use (&$wait) {
+                $wait = false;
+                throw $e;
+            }
+        );
+
+        \Clue\React\Block\sleep(0.2, $loop);
+        $this->assertTrue($wait);
     }
 
     public function testQueryRejectsIfServerSendsTruncatedResponse()
     {
-        $response = new Message();
-        $response->header->set('tc', 1);
-
-        $parser = $this->getMockBuilder('React\Dns\Protocol\Parser')->getMock();
-        $parser->expects($this->once())->method('parseMessage')->with('data')->willReturn($response);
+        $parser = new Parser();
+        $dumper = new BinaryDumper();
 
         $loop = Factory::create();
 
         $server = stream_socket_server('udp://127.0.0.1:0', $errno, $errstr, STREAM_SERVER_BIND);
-        $loop->addReadStream($server, function ($server) {
+        $loop->addReadStream($server, function ($server) use ($parser, $dumper) {
             $data = stream_socket_recvfrom($server, 512, 0, $peer);
-            stream_socket_sendto($server, 'data', 0, $peer);
+
+            $message = $parser->parseMessage($data);
+            $message->header->set('tc', 1);
+
+            stream_socket_sendto($server, $dumper->toBinary($message), 0, $peer);
         });
 
         $address = stream_socket_get_name($server, false);
-        $executor = new DatagramTransportExecutor($loop, $parser);
+        $executor = new DatagramTransportExecutor($loop, $parser, $dumper);
 
         $query = new Query('google.com', Message::TYPE_A, Message::CLASS_IN);
 
@@ -163,21 +188,22 @@ function ($e) use (&$wait) {
 
     public function testQueryResolvesIfServerSendsValidResponse()
     {
-        $response = new Message();
-
-        $parser = $this->getMockBuilder('React\Dns\Protocol\Parser')->getMock();
-        $parser->expects($this->once())->method('parseMessage')->with('data')->willReturn($response);
+        $parser = new Parser();
+        $dumper = new BinaryDumper();
 
         $loop = Factory::create();
 
         $server = stream_socket_server('udp://127.0.0.1:0', $errno, $errstr, STREAM_SERVER_BIND);
-        $loop->addReadStream($server, function ($server) {
+        $loop->addReadStream($server, function ($server) use ($parser, $dumper) {
             $data = stream_socket_recvfrom($server, 512, 0, $peer);
-            stream_socket_sendto($server, 'data', 0, $peer);
+
+            $message = $parser->parseMessage($data);
+
+            stream_socket_sendto($server, $dumper->toBinary($message), 0, $peer);
         });
 
         $address = stream_socket_get_name($server, false);
-        $executor = new DatagramTransportExecutor($loop, $parser);
+        $executor = new DatagramTransportExecutor($loop, $parser, $dumper);
 
         $query = new Query('google.com', Message::TYPE_A, Message::CLASS_IN);
 
