Nmap Development mailing list archives

Re: DNS fuzzer


From: David Fifield <david () bamsoftware com>
Date: Fri, 26 Mar 2010 18:46:31 -0600

On Sun, Mar 21, 2010 at 07:28:14PM -0400, Michael Pattrick wrote:
> I've been playing with Bind10 lately; I wanted to incorporate fuzz
> testing in the mix but could only find one DNS fuzzer[0]. It didn't
> really suit my needs and was closed source so I wrote my own. Attached
> is my fuzzer.
>
> It's a very naive fuzzer and hasn't found any flaws yet, so I'd
> appreciate feedback on it or suggestions on how such a fuzzer could be
> improved.

Your script needs some more documentation. I can't tell what it does
from just looking at it. In your "description" field, explain at a high
level what the script is doing and how many packets it's sending.

What do the makeHost and nudgePacket functions do? They seem to be the
heart of the fuzzer and so they need documentation.

I understand that since you may be making broken packets, you can't use
the dns library for everything, but if you find a place where you can
make use of it then you should.

A good fuzzing technique would be abuse of the DNS "compression"
facility discussed in section 4.1.4 of RFC 1035. Try making compression
pointers that point into the packet header, at themselves, past the end
of the packet, anything you can think of.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
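The receiving side of the compression-pointer abuse David describes: a name decoder that rejects pointers into the header, pointers at themselves or forward, pointers past the end of the packet, and pointer loops. This is an added Python example, not code from the thread or from the attached NSE script, and it makes no use of Nmap's dns library.

```python
import struct

HEADER_LEN = 12   # fixed DNS header (RFC 1035 4.1.1); no name can start here
MAX_LABEL = 63    # label length field is 6 bits (RFC 1035 4.1.4)

class MalformedName(ValueError):
    """Raised for any name the decoder refuses to follow."""

def decode_name(packet, offset):
    """Decode a possibly compressed name at offset -> (dotted name, offset just past it)."""
    labels, pos, end, seen = [], offset, None, set()
    while True:
        if pos >= len(packet):
            raise MalformedName(f"name runs past end of packet at {pos}")
        length = packet[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(packet):
                raise MalformedName("truncated compression pointer")
            target = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            end = end if end is not None else pos + 2   # stream resumes after 1st pointer
            if target >= len(packet):
                raise MalformedName(f"pointer to {target} is past end of packet")
            if target < HEADER_LEN:
                raise MalformedName(f"pointer to {target} lands in the header")
            if target >= pos:                           # self-pointer or forward pointer
                raise MalformedName(f"pointer at {pos} does not point backwards")
            if target in seen:                          # backwards but already visited
                raise MalformedName(f"pointer loop through {target}")
            seen.add(target)
            pos = target
            continue
        if length & 0xC0:                                # 0x40 / 0x80 label types are reserved
            raise MalformedName(f"reserved label type at {pos}")
        if length == 0:                                  # root label terminates the name
            break
        if length > MAX_LABEL:
            raise MalformedName(f"label of {length} bytes exceeds {MAX_LABEL}")
        label = packet[pos + 1:pos + 1 + length]
        if len(label) < length:
            raise MalformedName(f"label at {pos} runs past end of packet")
        labels.append(label.decode("ascii", "backslashreplace"))
        pos += 1 + length
    return ".".join(labels), (end if end is not None else pos + 1)

def check_name(packet, offset):
    """Non-raising form for logging or tests: (True, name) or (False, reason)."""
    try:
        return True, decode_name(packet, offset)[0]
    except MalformedName as e:
        return False, str(e)
```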

