You can use dnspython to generate wire format. Generally, I think that writing more specific fuzzers on top of APIs that consume user input would be more useful than just fuzzing `named`.

For example, it should be possible to write a fuzzer that takes multiple DNS messages as input (starting with the query plus all DNS messages needed to resolve the query); that would be more useful than just fuzzing “stuff”. Also, I think that for more complex stuff it would be better to write a protocol-specific input generator than just the generic one found in existing fuzzers.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 5. 8. 2021, at 18:51, Siva Kakarla <sivakesa...@gmail.com> wrote:
>
> Thanks, Ondrej, for the reply.
>
> Fuzzing responses is the second part, I would say. For now, I am only fuzzing the authoritative server, so fuzzing named with queries would be a good starting point. I will check the GitHub repository you pointed out.
>
> The instructions for running AFL work great, thanks!
>
> I came across the '-A' option from the report you filed a year ago, but was under the impression that the "client" would be the default. But I just saw that it is none in the code, so, I guess, named has to be passed with "named -A client:IP:port" to fuzz the authoritative server with queries. I will check the files you pointed to more carefully.
>
> When the AFL code was first added to Bind 4-5 years ago, what seed input was given to it?
>
> I understand that they are raw packets, but how did you get them in the raw format? I guess the fuzzer would have generated some of them, but what were the starting raw packets? So, there is also no way to convert them from raw format to readable DNS messages as most of them are invalid, but is there a way for valid ones?
>
> I will try to be more specific - say I want to seed with a query <foo.com, A>, how do I get the DNS packet that has this query in the raw format? (capturing it using Wireshark?)
>
> Thanks a lot again for taking the time to answer my questions.
>
>> On Thu, Aug 5, 2021 at 9:40 PM Ondřej Surý <ond...@isc.org> wrote:
>> If you want to get your hands dirty, I would recommend looking at https://github.com/dobin/ffw, but for useful fuzzing, this would also need more complicated client fuzzing support, because you don’t only want to fuzz the queries, but also responses given by “fake” authoritative servers, and you want to do that on various levels of the DNS tree and for various query types. It’s a state machine, and by doing fuzzing on a single level, you might never hit all the states.
>>
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ond...@isc.org
>>
>> > On 5. 8. 2021, at 18:01, Ondřej Surý <ond...@isc.org> wrote:
>> >
>> > --
>> > Ondřej Surý (He/Him)
>> > ond...@isc.org
>> >
>> >> On 5. 8. 2021, at 14:37, Siva Kakarla <sivakesa...@gmail.com> wrote:
>> >>
>> >> Hello Everyone,
>> >>
>> >> I am trying to understand and set up a fuzzer for the Bind DNS implementation. My current goal is to fuzz the authoritative server with queries.
>> >>
>> >> I have looked around and came across different fuzzing engines, but I have some trouble and some questions getting it to work. If anyone has anything to comment on, please reply; that would be really helpful.
>> >>
>> >> • I configured with CC=/path/to/afl/afl-clang ./configure --enable-fuzzing=afl or afl-clang-fast to enable fuzzing. Then, I did make and make install. I then tried fuzzing the named binary with afl-fuzz -i fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -g but then it stops immediately, saying the program crashed with one of the test cases provided.
>> >> • How to fuzz the named binary with queries?
>> >
>> > Read bin/named/fuzz.c and associated code in bin/named/main.c — it’s more complicated to set it up (you need to pass the -A extra option to `named`).
>> >
>> >> • How to get the seed input in raw format?
>> >> • Honggfuzz seems to fuzz the named binary, but it produced too many files as crash reports within a minute. I have asked about it on their GitHub. Anyone that worked with Honggfuzz, please reply.
>> >
>> > I see, you got a response from the honggfuzz author directly.
>> >
>> >> • A separate fuzz folder contains functions to fuzz small sections of the code.
>> >> • Was this created to improve coverage and modularity? (In the sense, can't named be fuzzed directly using the above setup?)
>> >
>> > Fuzzing a daemon that depends on various internal state (state of the cache, authoritative zones present or not, various configuration options enabled or not) is difficult, and sometimes it’s also useless to fuzz the big blob and you want to fuzz just specific parts (zone parser, DNS message parsers, etc…)
>> >
>> >> • I could get them running with oss-fuzz, but how to run them with afl-fuzz? The README mentions linking the files; can you please tell me how to do that?
>> >
>> > With AFL++ do:
>> >
>> > CC=afl-clang-fast ./configure --enable-fuzzing=afl
>> > make -j
>> > cd fuzz
>> >
>> > and then for each test:
>> >
>> > make dns_message_parse
>> > LD_LIBRARY_PATH=../lib/isc/.libs:../lib/dns/.libs afl-fuzz -i dns_message_parse.in/ -o xxx ./.libs/dns_message_parse
>> >
>> >> • How to decode the packets given in https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in? How to add a new packet to the corpus? (How to convert into a raw packet?)
>> >
>> > These are raw DNS messages. There’s a bigger corpus f.e. here: https://github.com/CZ-NIC/dns-fuzzing
>> >
>> >> Thank you
>> >> Siva
>> >>
>> >> --
>> >> Siva Kakarla
>> >> (sivak.dev)
>> >> _______________________________________________
>> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>> >>
>> >> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>> >>
>> >> bind-users mailing list
>> >> bind-users@lists.isc.org
>> >> https://lists.isc.org/mailman/listinfo/bind-users
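Ondřej's first sentence points at dnspython: `dns.message.make_query("foo.com", "A").to_wire()` yields exactly the raw bytes Siva asks for. As an added example that is not part of this thread and not BIND's or ISC's code, here is a dependency-free Python equivalent: it builds the same raw query for seeding a corpus such as fuzz/dns_message_parse.in/, and it decodes a raw corpus file back into readable form while rejecting truncated or malformed input with ValueError instead of crashing, which is what you need when most files in a fuzz corpus are deliberately invalid. The sample response bytes and the 192.0.2.1 address (documentation range) are constructed for the example.

```python
import struct

# Added example, not from the bind-users thread. Minimal RFC 1035 wire-format
# encoder/decoder for producing seed queries and inspecting raw corpus files.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
QCLASSES = {1: "IN", 3: "CH", 255: "ANY"}


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:                    # "" or "." means the root name
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, qclass=1, txid=0x1234, rd=True):
    """Return a complete wire-format query: 12-byte header plus one question."""
    flags = 0x0100 if rd else 0          # QR=0, opcode=0, RD bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers; return (name, offset_after)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        if length & 0xC0 == 0xC0:        # compression pointer (RFC 1035 4.1.4)
            if offset + 2 > len(data):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = offset + 2         # the field ends after the first pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (offset if end is None else end)
        if offset + length > len(data):
            raise ValueError("label runs past end of message")
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_rr(data, offset):
    """Parse one resource record; A records get a dotted address, others hex RDATA."""
    name, offset = decode_name(data, offset)
    if offset + 10 > len(data):
        raise ValueError("truncated RR fixed fields")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    rdata = data[offset:offset + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("RDLENGTH exceeds remaining message")
    shown = ".".join(str(b) for b in rdata) if (rtype == 1 and rdlen == 4) else rdata.hex()
    rr = (name, QTYPES.get(rtype, str(rtype)), QCLASSES.get(rclass, str(rclass)), ttl, shown)
    return rr, offset + rdlen


def decode_message(data):
    """Parse header, question section and all RRs; raise ValueError on malformed input."""
    if len(data) < 12:
        raise ValueError("shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        if offset + 4 > len(data):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPES.get(qtype, str(qtype)), QCLASSES.get(qclass, str(qclass))))
    for _ in range(an + ns + ar):
        rr, offset = parse_rr(data, offset)
        records.append(rr)
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "counts": (qd, an, ns, ar), "questions": questions, "records": records}


def describe(data):
    """Readable one-line summary, or 'undecodable: ...' for the invalid files a corpus is full of."""
    try:
        m = decode_message(data)
    except ValueError as err:
        return f"undecodable: {err}"
    kind = "response" if m["qr"] else "query"
    return f"{kind} id={m['id']:#06x} rcode={m['rcode']} q={m['questions']} rr={m['records']}"


# Constructed sample response for foo.com/A: header, question, then one answer whose
# owner name is a compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"          # id, flags QR|RD|RA, qd=1 an=1
    "03666f6f 03636f6d 00 0001 0001"         # foo.com. A IN
    "c00c 0001 0001 0000003c 0004 c0000201"  # ptr->foo.com. A IN ttl=60 192.0.2.1
)

if __name__ == "__main__":
    print(build_query("foo.com").hex())          # bytes to drop into the seed directory
    print(describe(build_query("foo.com")))
    print(describe(SAMPLE_RESPONSE))
    print(describe(b"\x12\x34\x01"))             # typical mutated corpus file: rejected cleanly
```

To seed the corpus, write `build_query("foo.com")` to a file with `pathlib.Path("fuzz/dns_message_parse.in/foo.com-A.bin").write_bytes(...)`; to inspect existing corpus files, run `describe(path.read_bytes())` over the directory. The decoder bounds-checks every field and caps pointer hops, so it reports why a file is invalid rather than being the thing that crashes, which is the property any tool that walks a fuzz corpus needs.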