Question about CVE-2019-6477: TCP-pipelined queries can bypass tcp-clients limit

[Cathy Almond]

On 21/11/2019 14:40, Veronique Lefebure wrote:
> Hi,
> 
> I have a question regarding the vulnerability described in the mail below.
> 
> If a client is using TCP-pipelining, and if querylog channel is enabled, what will appear in the query log file for that client ?
> Shall we see one line per DNS query, i.e. N lines if the client has sent N queries in the pipeline, or shall we see only one line ?
> Also, is there a way to know is a client is using pipelining (a part from analysing the traffic) ?
> 
> Thanks,
> Veronique

Hi Veronique,

This is an interesting question.

The querylog channel is logging query responses, one per client query.
So you're not going to be able to determine from query logging whether a
client is using TCP-pipelining or not.

Realistically, you're going to have to analyze the traffic in some way
or another.  The difference with a pipelining client as opposed to
another TCP client that just holds open a TCP socket while it sends
several queries, is that the pipelining client won't wait for a query
response to the last query it sent before sending the next one.  It will
have code in place locally to keep track of pending queries and to
handle out of order query responses.

Just seeing multiple queries from the same client TCP connection doesn't
mean that it is pipelining them.

Someone else on the list might have some other ideas, but that's all
that I can think of at the moment - sorry.

Cathy