Skip to content

Instantly share code, notes, and snippets.

Avatar

Marek Vavruša vavrusa

View GitHub Profile
View bind11.js
var net = require('net');
var dgram = require('dgram');
function ntohs(arr) {
return ((arr[0] & 0xFF) << 8) | (arr[1] & 0xFF);
}
function parse_name(data, pos)
{
for (base = pos; pos < data.length;) {
View csv-sans-header.csv
3 0.979429111596
4 0.979429111596
5 0.979429111596
6 0.979429111596
7 0.979429111596
8 0.979429111596
9 0.979429111596
10 0.979429111596
11 0.979429111596
12 0.979429111596
@vavrusa
vavrusa / kresolved-minim
Last active Oct 7, 2015
How Knot DNS Resolved minimizes
View kresolved-minim
## How it deals with bad CDNs
The query is `who.ami.here.com. A`
1. It's going to ask at `.` to `com. NS` and get a referral
2. it's going to ask `com.` nameserver about `here.com. NS` and get a referral
... see the pattern, it just appends labels, but bear with me
3. We're asking `here.com` nameserver about `ami.here.com. NS` , but he's a prick and tells us 'NXDOMAIN'.
View gist:3e13267dcc9c4f0ded62
Near-stretch ideas
------------------
* I *quite* like how it's built, but it's too much *PowerDNS*-y, hacking on it is a pain (if you work on cheap virtuals like me) because of long build times and dependencies (I know, but try it yourself on the budget DigitalOcean droplet...), I'd say lose the legacy and make it really a standalone thing.
* The configuration is sometimes confusing, like if I set it up to listen on local interfaces, it happily does so but it silently drops all queries because the ACL allows localhost only (uhm, maybe it needs to say something in verbose mode or documentation update).
* The config format for IPv6 has a poor choice of ':' as a separator, it's not possible to forward to IPv6 address on a custom port.
Far-stretch ideas
-----------------
@vavrusa
vavrusa / slowdrip.lua
Last active Aug 29, 2015
DNS slowdrip
View slowdrip.lua
local slowdrip = {
tracked = {},
blocked = {},
window = 60, -- Length of the tracking window
threshold = 100, -- Number of NXDOMAINs before blocking
-- Track suffixes of names leading to NXDOMAIN
layer = {
finish = function(state, req, answer)
local parent = answer:qname()
parent = parent:sub(parent:find('.',0,true), -1)
@vavrusa
vavrusa / ldhcp-ex1.c
Last active Aug 29, 2015
Lua/C DHCP example #1
View ldhcp-ex1.c
#include <stdio.h>
#include <string.h>
#include <lua.h>
#include <lualib.h>
#include <lauxlib.h>
#include <arpa/inet.h>
/* Get/set opcode */
static int msg_op(lua_State *L)
{
@vavrusa
vavrusa / dhcp.lua
Last active Mar 4, 2021
Lua/C DHCP example#2
View dhcp.lua
-- C definitions
local ffi = require('ffi')
local csym = ffi.C
ffi.cdef[[
/* DHCP header format */
struct __attribute__((packed)) dhcp_msg {
/* Header */
uint8_t op;
uint8_t htype;
uint8_t hlen;
@vavrusa
vavrusa / appender.lua
Created Oct 13, 2015
Small module that appends SOA for NS queries.
View appender.lua
local mod = {}
mod.layer = {
consume = function (state, req, answer)
if state == kres.FAIL then
return state
end
answer = kres.pkt_t(answer)
req = kres.request_t(req)
if answer:qtype() == kres.type.NS then
local qry = req:push(answer:qname(), kres.type.SOA, kres.class.IN)
@vavrusa
vavrusa / cve-2015-7547-mitigation.md
Last active Feb 17, 2016
cve-2015-7547-mitigation
View cve-2015-7547-mitigation.md

Mitigating with local resolver

There are two preconditions for the attack:

  1. One of the queries results in 2k valid answer
  2. One of the queries soft-fails and will be retried

Mitigating (1) with UDP is simple: set maximum UDP buffer size to <2048B [1] That leaves TCP.

@vavrusa
vavrusa / poc-dnsmasq.py
Last active Jan 23, 2021
PoCs for CVE-2015-7547 (different attack vectors)
View poc-dnsmasq.py
#!/usr/bin/python
#
# Copyright 2016 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#