Fuzzing Bind
Ed Daniel
esdaniel at esdaniel.com
Thu Aug 5 15:09:02 UTC 2021
On 05/08/2021 13:37, Siva Kakarla wrote:
> Hello Everyone,
>
> I am trying to understand and set up a fuzzer for the Bind DNS
> implementation. My current goal is to fuzz the authoritative server with
> queries.
>
> I have looked around and came across different fuzzing engines, but I
> have some trouble and some questions getting it to work. If anyone has
> anything to comment on, please reply, and that would be really helpful.
>
> 1. I configured with "CC=/path/to/afl/afl-clang ./configure
>    --enable-fuzzing=afl" (or with afl-clang-fast) to enable fuzzing.
>    Then I did make and make install. I then tried fuzzing the named
>    binary with "afl-fuzz -i fuzz/dns_message_parse.in/ -o findings
>    /usr/local/sbin/named -g", but then it stops immediately, saying
>    "the program crashed with one of the test cases provided".
>    1. How to fuzz the named binary with queries?
>    2. How to get the seed input in raw format?
>    3. Honggfuzz
>       <https://github.com/google/honggfuzz/tree/master/examples/bind>
>       seems to fuzz the named binary, but it produced too many files as
>       crash reports within a minute. I have asked about it on their
>       GitHub <https://github.com/google/honggfuzz/issues/408>. Anyone
>       that worked with Honggfuzz, please reply.
> 2. A separate fuzz folder
>    <https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz> contains
>    functions to fuzz small sections of the code.
>    1. Was this created to improve coverage and modularity? (In the
>       sense, can't named be fuzzed directly using the above setup?)
>    2. I could get them running with oss-fuzz, but how to run them with
>       afl-fuzz? The README
>       <https://gitlab.isc.org/isc-projects/bind9/-/blob/main/fuzz/FUZZING.md>
>       mentions linking the files; can you please tell me how to do that?
>    3. How to decode the packets given in
>       https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in?
>       How to add a new packet to the corpus? (How to convert into a raw
>       packet?)
Why not re-purpose a password fuzzer, instead of passwords you'd be
spawning FQDNs, which you could pipe to mdig or other dns client?
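The last two questions in the quoted post, how to decode the packets under fuzz/dns_message_parse.in and how to turn a new query into a raw packet for the corpus, come down to DNS wire format (RFC 1035). The Python below is an added example, not BIND's code and not part of either message. It assumes, from the fuzz target's name, that the seed files are raw DNS messages; the hostnames in it are constructed samples. It builds single-question queries, decodes the header and question section of a seed file (including compression pointers, with a bound on pointer chains so a malformed seed cannot hang the decoder), and writes one file per packet in the layout afl-fuzz's -i directory expects. The name list can come from anywhere, including a wordlist-driven FQDN generator of the kind Ed suggests.

```python
"""Build, decode and collect raw DNS query packets for a fuzzing seed corpus.

Added example, not BIND's code. Assumes the seed files are raw DNS
wire-format messages, which is what the fuzz target name suggests.
"""
import os
import struct

# RFC 1035 type codes used here; the class is always IN (1).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16,
          "AAAA": 28, "ANY": 255}
CLASS_IN = 1


def encode_name(name):
    """Encode 'www.example.com.' as length-prefixed labels ending in a zero octet."""
    out = bytearray()
    labels = name.strip(".").split(".") if name.strip(".") else []
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out.append(len(raw))
        out += raw
    if len(out) + 1 > 255:
        raise ValueError("name exceeds 255 octets")
    out.append(0)  # the root label terminates the name
    return bytes(out)


def build_query(qname, qtype="A", txid=0x1234, rd=True):
    """Return one standard query (QR=0, opcode 0, a single question) in wire format."""
    flags = 0x0100 if rd else 0x0000  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # qd=1, an=ns=ar=0
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], CLASS_IN)


def decode_name(pkt, offset):
    """Read a possibly compressed name at offset; return (name, offset_after)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[offset]
        if (length & 0xC0) == 0xC0:        # compression pointer (RFC 1035 4.1.4)
            if offset + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2           # caller resumes after the first pointer
            offset = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                  # bound pointer chains: a loop must not hang us
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def decode_query(pkt):
    """Parse the 12-byte header and the question section of a wire-format message."""
    if len(pkt) < 12:
        raise ValueError("message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        if off + 4 > len(pkt):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "rd": bool(flags & 0x0100), "counts": (qd, an, ns, ar),
            "questions": questions}


def build_corpus(names, qtypes=("A", "AAAA", "MX")):
    """Map a seed file name to its raw packet, one file per (name, type) pair."""
    corpus = {}
    for i, name in enumerate(names):
        for qtype in qtypes:
            fname = "%03d_%s_%s.bin" % (i, name.strip(".").replace(".", "_"), qtype)
            corpus[fname] = build_query(name, qtype, txid=i & 0xFFFF)
    return corpus


def write_corpus(corpus, directory):
    """Write each packet as its own seed file; return the sorted file names."""
    os.makedirs(directory, exist_ok=True)
    for fname, pkt in corpus.items():
        with open(os.path.join(directory, fname), "wb") as fh:
            fh.write(pkt)
    return sorted(corpus)


if __name__ == "__main__":
    import sys
    seeds = ["example.com", "www.example.com", "mail.example.com"]  # constructed samples
    out_dir = sys.argv[1] if len(sys.argv) > 1 else "seeds"
    for fname in write_corpus(build_corpus(seeds), out_dir):
        print("wrote", os.path.join(out_dir, fname))
    print(decode_query(build_query("www.example.com", "AAAA")))  # round-trip check
```

Running the script with a directory argument populates it with one .bin file per query, which can be passed as the -i directory to afl-fuzz; decode_query on an existing seed file's bytes shows which name and type it carries, and raises ValueError rather than misparsing a truncated or self-referencing file.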