From 651c027206dd795513836a295fa65dc07deaa71b Mon Sep 17 00:00:00 2001 From: Bert Hubert Date: Fri, 13 Jun 2008 07:33:06 +0000 Subject: [PATCH] lua documentation, plus compilation fixes git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1197 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- pdns/Makefile-recursor | 7 +- pdns/docs/pdns.sgml | 343 ++++++++++++++++++++++++++++++++++++-- pdns/lua-pdns-recursor.cc | 10 +- pdns/pdns_recursor.cc | 4 +- 4 files changed, 341 insertions(+), 23 deletions(-) diff --git a/pdns/Makefile-recursor b/pdns/Makefile-recursor index ce0b7ebe1..c9d086859 100644 --- a/pdns/Makefile-recursor +++ b/pdns/Makefile-recursor @@ -8,6 +8,9 @@ CFLAGS:=$(CFLAGS) -Wall $(OPTFLAGS) $(PROFILEFLAGS) LINKCC=$(CXX) CC?=gcc +LUA_CPPFLAGS_CONFIG ?= -I/usr/include/lua5.1 +LUA_LIBS_CONFIG ?= -llua5.1 + # static dependencies PDNS_RECURSOR_OBJECTS=syncres.o misc.o unix_utility.o qtype.o logger.o \ @@ -25,8 +28,8 @@ all: message pdns_recursor rec_control -include sysdeps/$(shell uname).inc ifeq ($(LUA), 1) - LUALIBS=-llua5.1 - CXXFLAGS+=-I/usr/include/lua5.1 -DPDNS_ENABLE_LUA + LUALIBS=$(LUA_LIBS_CONFIG) + CXXFLAGS+=$(LUA_CPPFLAGS_CONFIG) -DPDNS_ENABLE_LUA endif diff --git a/pdns/docs/pdns.sgml b/pdns/docs/pdns.sgml index 34dc83f9a..4bd8d604b 100644 --- a/pdns/docs/pdns.sgml +++ b/pdns/docs/pdns.sgml 
@@ -92,9 +92,80 @@ Beyond PowerDNS 2.9.20, the Authoritative Server and Recursor are released separately. - Recursor version 3.1.5 (UNRELEASED) + Recursor version 3.1.7 (UNRELEASED) - UNRELEASED - rc1 available. + UNRELEASED + + + This version contains a small number of fixes, some more important than others: + + + + + + In 3.1.5 and 3.1.6, an authoritative server could continue to renew its authority, even though a domain had been delegated + to other servers in the meantime. + + + In the rare cases where this happened, and the old servers were not shut down, the observed effect is that users were fed outdated data. + + + Bug spotted and analysed by Darren Gamble, fix in c1182 and c1183. + + + + + Thanks to long time PowerDNS contributor Stefan Arentz, for the first time, Mac OS X 10.5 users can compile and run the PowerDNS Recursor! + Patch in c1185. + + + + + Sten Spans spotted that for outgoing TCP/IP queries, the query-local-address setting was not honored. Fixed in c1190. + + + + + Marcus Rueckert of OpenSUSE reported that very recent gcc versions emitted a (correct) warning on an overly complicated line + in syncres.cc, fixed in c1189. + + + + + + + Recursor version 3.1.6 + + Released on the 1st of May 2008. + + + This version fixes two important problems, each on its own important enough to justify a quick upgrade. + + + + + Version 3.1.5 had problems resolving several slightly misconfigured domains, including for a time 'juniper.net'. Nameserver timeouts were not being + processed correctly, leading PowerDNS to not update the internal clock, which in turn meant + that any queries immediately following an error would time out as well. Because of retries, this would usually not be a problem except on very busy servers, + for domains with different nameservers at different levels of the DNS-hierarchy, like 'juniper.net'. + + + This issue was fixed rapidly because of the help of XS4ALL (Eric Veldhuyzen, Kai Storbeck), + Brad Dameron and Kees Monshouwer. 
Fix in c1178. + + + + + The new high-quality random generator was not used for all random numbers, especially in source port selection. This means that 3.1.5 is still + a lot more secure than 3.1.4 was, and its algorithms more secure than most other nameservers, but it also means 3.1.5 is not as secure as it could be. + A quick upgrade is recommended. Discovered by Thomas Biege of Novell (SUSE), fixed in c1179. + + + + + Recursor version 3.1.5 + + Released on the 31st of March 2008. Much like 3.1.4, this release does not add a lot of major features. Instead, performance has been improved significantly (estimated at around 20%), and many rare 
@@ -103,15 +174,46 @@ Previously only one forwarder address was supported. This lack held back a number of migrations to PowerDNS. - Perhaps important, this version can properly benefit from all IPv4 and IPv6 addresses in use at the root-servers as of early February 2008. In order to implement this, + We would like to thank Amit Klein of Trusteer for bringing a serious + vulnerability to our attention which would enable a smart attacker to + 'spoof' previous versions of the PowerDNS Recursor into accepting possibly + mallicious data. + + + Details can be found on this Trusteer page. + + + It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 + as soon as practicable, while we simultaneously note that busy servers are + less susceptible to the attack, but not immune. + + + The PowerDNS Security Advisory can be found in . + + + This version can properly benefit from all IPv4 and IPv6 addresses in use at the root-servers as of early February 2008. In order to implement this, changes were made to how the Recursor deals internally with A and AAAA queries for nameservers, see below for more details. Additionally, newer releases of the G++ compiler required some fixes (see t173). + + This release was made possible by the help of Wichert Akkerman, Winfried Angele, Arnoud Bakker (Fox-IT), Niels Bakker (no relation!), + Leo Baltus (Nederlandse Publieke Omroep), Marco Davids (SIDN), David Gavarret (Neuf Cegetel), Peter Gervai, Marcus Goller (UPC), + Matti Hiljanen (Saunalahti/Elisa), Ruben Kerkhoff, + Alex Kiernan, Amit Klein (Trusteer), Kenneth Marshall (Rice University), Thomas Rietz, Marcus Rueckert (OpenSUSE), Augie Schwer (Sonix), Sten Spans (Bit), Stefan Schmidt (Freenet.de), + Kai Storbeck (xs4all), + Alex Trull, Andrew Turnbull (No Wires LTD) and Aaron Thompson, and many more who filed bugs anonymously, or who we forgot to mention. 
+ Security related issues: + + + Amit Klein has informed us that System random generator output can be predicted based on its past behaviour, allowing a smart attacker to 'spoof' + our nameserver. Full details in . + + The Recursor will by default no longer query private-space nameservers. This closes a slight security risk and simultaneously @@ -124,11 +226,7 @@ Applied fix for t110 ('PowerDNS should change directory to '/' in chroot), implemented in c944. - - - . - - + @@ -159,7 +257,7 @@ - Empty TXT record components can now be served. Implemented in c1166, closing t178. + Empty TXT record components can now be served. Implemented in c1166, closing t178. Spotted by Matti Hiljanen. @@ -212,7 +310,7 @@ - Recursor would not properly clean up pidfile and control socket, closing t120, code in c988, c1098 (spotted by Leo Baltus) + Recursor would not properly clean up pidfile and control socket, closing t120, code in c988, c1098 (part of fix by Matti Hiljanen, spotted by Leo Baltus) @@ -5685,10 +5783,13 @@ name IN A 1.2.3.4 Security - As of the 11th of November 2006, no actual security problems with PowerDNS 2.9.18, Recursor 3.1.4, or later are known about. This page + As of the 31st of March 2008, no actual security problems with PowerDNS 2.9.18, Recursor 3.1.5, or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailinglists. + + Version 3.1.4 and earlier of the PowerDNS recursor were vulnerable to a spoofing attack. For more detail, see . + Version 3.1.3 and earlier of the PowerDNS recursor contain two security issues, both of which can lead to a denial of service, both of which can be triggered by remote users. One of the issues might lead be exploited and lead to a system compromise. For more detail, see and 
@@ -5920,6 +6021,131 @@ name IN A 1.2.3.4 PowerDNS would recurse endlessly on encountering a CNAME loop consisting entirely of zero second CNAME records, eventually exceeding resources and crashing. + + PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor + + + PowerDNS Security Advisory + + + + + CVE + + + Not yet assigned + + + + + Date + + + 31st of March 2008 + + + + + Affects + + + PowerDNS Recursor versions 3.1.4 and earlier, on most operating systems + + + + + Not affected + + + No versions of the PowerDNS Authoritative Server ('pdns_server') are affected. + + + + + Severity + + + Moderate + + + + + Impact + + + Data manipulation; client redirection + + + + + Exploit + + + This problem can be triggered by sending queries for specifically configured domains, sending + spoofed answer packets immediately afterwards. + + + + + Solution + + + Upgrade to PowerDNS Recursor 3.1.5, or apply changesets C1159, C1160 and C1164. + + + + + Workaround + + + None known. Exposure can be limited by configuring the allow-from setting so only trusted users + can query your nameserver. + + + + +
+
+ + We would like to thank Amit Klein of Trusteer for bringing a serious + vulnerability to our attention which would enable a smart attacker to + 'spoof' previous versions of the PowerDNS Recursor into accepting possibly + mallicious data. + + + Details can be found on + this Trusteer page. + + + This security problem was announced in this email message. + + + It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 + as soon as practicable, while we simultaneously note that busy servers are + less susceptible to the attack, but not immune. + + + The vulnerability is present on all operating systems where the behaviour + of the libc random() function can be predicted based on its past output. + This includes at least all known versions of Linux, as well as Microsoft + Windows, and probably FreeBSD and Solaris. + + + The magnitude of this vulnerability depends on internal details of the + system random() generator. For Linux, the mathematics of the random + generator are complex, but well understood and Amit Klein has written and + published a proof of concept that can succesfully predict its output after + uninterrupted observation of 40-50 DNS queries. + + + Because the observation needs to be uninterrupted, busy PowerDNS Recursor + instances are harder to subvert - other data is highly likely to be + interleaved with traffic generated by an attacker. + + + Nevertheless, operators are urged to update at their earliest convenience. + +
Acknowledgements PowerDNS is grateful for the help of the following people or institutions: 
@@ -7919,6 +8145,101 @@ Feb 10 14:16:03 stats: 125784 questions, 13971 cache entries, 309 negative entri Finally, 12% of queries were not performed because identical queries had gone out previously, saving load servers worldwide. + Scripting + + As of version 3.1.7 of the PowerDNS Recursor, it is possible to modify resolving behaviour using simple scripts written in the Lua + programming language. + + + + + This functionality is expected to change from version to version as additional scripting needs become apparant! + + + + + These scripts can be used to quickly override dangerous domains, for load balancing or for legal or commercial purposes. + + + As of 3.1.7, queries can be intercepted in two places: before the resolving logic starts to work, plus after the resolving process failed to find + a correct answer for a domain. + + + Configuring Lua scripts + + In order to load scripts, the PowerDNS Recursor must have 'lua' support built in. The packages distributed from the PowerDNS website have this language + enabled, other distributions may differ. + + + If lua support is available, a script can be configured either via the configuration file, or at runtime via the rec_control tool. + Scripts can be reloaded or unloaded at runtime with no interruption in operations. If a new script contains syntax errors, the old script remains in force. + + + On the commandline, or in the configuration file, the setting lua-dns-script can be used to supply a full path to a 'lua' script. + + + At runtime, rec_control reload-lua-script can be used to either reload the script from its current location, or, when passed + a new filename, load one from a new location. A failure to parse the new script will leave the old script in working order. + + + Finally, rec_control unload-lua-script can be used to remove the currently installed script, and revert to unmodified behaviour. 
+ + + Writing Lua PowerDNS Recursor scripts + + Once a script is loaded, PowerDNS looks for two functions: prequery and nxdomain. Either or both of these + can be absent, in which case the corresponding functionality is disabled. + + + prequery is called before any DNS resolution is attempted, and if this function indicates it, it can supply a direct answer to the + DNS query, overriding the internet. This is useful to combat botnets, or to disable domains unacceptable to an organization for whatever reason. + + + nxdomain is called after the DNS resolution process has run its course, but ended in an 'NXDOMAIN' situation, indicating that the domain + or the specific record does not exist. This can be used for various purposes. + + + Both functions are passed the IP address of the requestor, plus the name and type being requested. In return, these functions indicate if they + have taken over the request, or want to let normal proceedings take their course. + + + If a function has taken over a request, it should return 'true', and specify a table with records to be put in the answer section of a packet. + Returning 'false' and an empty table signifies that the function chose not to intervene. + + + A minimal sample script: + + + +function nxdomain ( ip, domain, qtype ) + print ("nxhandler called for: ", ip, domain, qtype) + + ret={} + if qtype ~= 1 then return false, ret end -- only A records + if not string.match(domain, "^www.") then return false, ret end -- only things that start with www. + if not matchnetmask(ip, "192.168.0.0/16") then return false, ret -- only interfere with local queries + + ret[0]={1, "127.1.2.3", 3600} -- add IN A 127.1.2.3 + ret[1]={1 "127.3.2.1", 3600} -- add IN A 127.3.2.1 + return true, ret -- return true, plus records +end + + + + + + Please do NOT use the above sample script in production! Responsible NXDomain redirection requires more attention to detail. + + + + + In this sample, the numerical identifier of the A record (1) is used. 
Later versions of PowerDNS may support a model where labels can be described non-numerically. + Additionally, the answer content format is (nearly) identical to the storage in the PowerDNS Authoritative Server database, or as in zone files. + The exception is that, unlike in the datbase, there is no 'prio' field, which means that an MX record with priority 25 pointing to 'smtp.mailserver.com' would be encoded as + '25 smtp.mailserver.com.'. + + + Design and Engineering of the PowerDNS Recursor diff --git a/pdns/lua-pdns-recursor.cc b/pdns/lua-pdns-recursor.cc index 8ccceb299..a6ceef5e8 100644 --- a/pdns/lua-pdns-recursor.cc +++ b/pdns/lua-pdns-recursor.cc @@ -1,14 +1,6 @@ #include "lua-pdns-recursor.hh" -#ifdef PDNS_ENABLE_LUA -#define PDNS_DO_LUA -#endif - -#ifdef LIBDIR -#define PDNS_DO_LUA -#endif - -#if !defined(PDNS_DO_LUA) && !defined(LIBDIR) +#if !defined(PDNS_ENABLE_LUA) && !defined(LIBDIR) // stub implementation diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index f14dfb8e7..1d4bd7824 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -1636,8 +1636,10 @@ string doReloadLuaScript(vector::const_iterator begin, vector::c L<(new PowerDNSLua(fname)); + ::arg().set("lua-dns-script")=fname; + } } } catch(exception& e) { -- 2.40.0
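Review bot: in pdns/Makefile-recursor the new LUA_CPPFLAGS_CONFIG and LUA_LIBS_CONFIG defaults are set with ?= above the "-include sysdeps/$(shell uname).inc" line, so a sysdeps file can only change them with a plain = assignment, and nothing in the Makefile says they are the intended override points. Add a short comment beside the two assignments stating that they may be set from the environment or the make command line when Lua is not installed under /usr/include/lua5.1, or move the defaults below the include so that a per-platform ?= in sysdeps takes precedence.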
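Review bot: the new "Recursor version 3.1.7 (UNRELEASED)" entry in pdns/docs/pdns.sgml lists four fixes but never mentions Lua scripting, although the Scripting section added further down in the same file opens with "As of version 3.1.7 of the PowerDNS Recursor, it is possible to modify resolving behaviour using simple scripts". Add a changelog item for the scripting hooks, including the lua-dns-script setting and the rec_control reload-lua-script and unload-lua-script commands, so that operators reading only the release notes learn that the resolver can now be told to override answers.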
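Review bot: the Solution row of Security Advisory 2008-01 ("Upgrade to PowerDNS Recursor 3.1.5, or apply changesets C1159, C1160 and C1164") and the updated Security page sentence ("no actual security problems with PowerDNS 2.9.18, Recursor 3.1.5, or later are known about") conflict with the 3.1.6 release notes added by this same patch, which state that in 3.1.5 the new random generator "was not used for all random numbers, especially in source port selection" and recommend a quick upgrade (fix in c1179). Either point both places at 3.1.6 and list c1179 with the other changesets, or say explicitly why 3.1.5 is still considered a sufficient fix for this advisory. While editing the advisory text, correct "mallicious" and "succesfully", and note that the CVE row still reads "Not yet assigned".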
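Review bot: the "minimal sample script" in the new Scripting section of pdns/docs/pdns.sgml does not parse as written: the matchnetmask line ends in "then return false, ret" with no closing "end", and the second record, ret[1]={1 "127.3.2.1", 3600}, is missing the comma after the type. Readers will paste this sample, and since the text says a script with syntax errors leaves the old script in force, a broken sample silently does nothing, so fix both lines. In the same script, string.match(domain, "^www.") uses an unescaped dot, which in a Lua pattern matches any character, so the filter also accepts names that merely begin with "www" followed by another character; "^www%." is what the comment "only things that start with www." describes. The section also uses matchnetmask without documenting it as a function PowerDNS provides to scripts, and has the typos "apparant" and "datbase".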
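Review bot: in pdns/lua-pdns-recursor.cc the simplified guard "#if !defined(PDNS_ENABLE_LUA) && !defined(LIBDIR)" still treats LIBDIR as a second switch that selects the real Lua implementation, and there is no comment saying why. The Makefile hunk in this patch adds the Lua include path and -DPDNS_ENABLE_LUA only when LUA is 1, so a build that defines LIBDIR without that setting would leave the stub branch and compile against Lua without those flags. Either add a comment above the #if explaining which build defines LIBDIR and why it implies Lua support, or drop LIBDIR from the condition and have that build define PDNS_ENABLE_LUA explicitly.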
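Review bot: in the doReloadLuaScript hunk of pdns/pdns_recursor.cc the added ::arg().set("lua-dns-script")=fname; line has no comment explaining that it exists so a later argument-less "rec_control reload-lua-script" reloads from the newly supplied location, which is the behaviour the documentation in this patch promises. Add that comment, and keep the assignment after the "new PowerDNSLua(fname)" construction as it is here, so that a script which fails to load reaches the catch(exception& e) block without having overwritten the setting with the path of a broken script. It is also worth confirming that the unload path clears or preserves this setting deliberately, since that code is not part of the hunk.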