(m)DNS: improve (m)dnsd defaults and behavior #4390
Codecov Report. Attention: Patch coverage is

@@ Coverage Diff @@
##           master    #4390      +/-   ##
==========================================
- Coverage   82.20%   81.56%   -0.64%
==========================================
  Files         352      352
  Lines       83665    83953     +288
==========================================
- Hits        68775    68476     -299
- Misses      14890    15477     +587
a5737ee to cba2c13
scapy/layers/dns.py (outdated)
Set to False to disable, None to mirror the interface's IP.
Defaults to None, unless 'match' is used, then it defaults to
False.
:param joker6: default IPv6 for unresolved domains (Default: False)
set to False to disable, None to mirror the interface's IPv6.
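Review bot: the joker6 paragraph in this snippet leaves the asymmetry with joker unexplained: joker "Defaults to None, unless 'match' is used", while joker6 is documented as "(Default: False)" with no mention of 'match'. If the different default is intended, say so in the joker6 text (and if joker6 also flips with 'match', document that too); also capitalize "set to False" so both parameters read the same way.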
(It's unrelated to this PR but joker6=None doesn't seem to be fully compatible with mDNS. It doesn't extract link-local addresses so no replies are sent on machines with no global addresses). According to https://datatracker.ietf.org/doc/html/rfc6762#section-6.2 all the valid addresses should be sent:

When a Multicast DNS responder sends a Multicast DNS response message containing its own address records, it MUST include all addresses that are valid on the interface on which it is sending the message, and MUST NOT include addresses that are not valid on that interface (such as addresses that may be configured on the host's other interfaces)
I've tweaked things quite a bit, trying to fix #4385 (comment). I've expanded the docstrings to add some usage examples. The behavior on machines with multiple interfaces is very buggy. That's because Scapy handles multicast link-layer addresses very poorly. This requires a rework but that's out of scope. In the meantime, this code is usable on a machine with multiple interfaces using conf.route.add(net="224.0.0.0/8", gw="<the gateway>", metric=1)
It seems I can still reproduce #4385 (comment) when
I'm personally able to have Check the source MAC though. I still need to In all cases I'm really interested if you have feedback on this one :D
rrname=rq.qname,
nextname=rq.qname,
typebitmaps=RRlist2bitmap([rq.qtype]),
))
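Review bot: typebitmaps=RRlist2bitmap([rq.qtype]) asserts that only the queried rrtype exists for rq.qname. An NSEC's type bitmap is read as the set of rrtypes the responder holds for that name, so on a responder configured with both joker and joker6 (A and AAAA for the same name, per the docstring above) a query for one type would produce an NSEC denying the other. Suggest building the list from the rrtypes the responder actually serves for rq.qname, e.g. RRlist2bitmap(types_for(rq.qname)), rather than from rq.qtype.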
It's a nice touch! According to https://datatracker.ietf.org/doc/html/rfc6762#section-6.1 it should go to the additional record section:

the responder MAY also include an NSEC record in the Additional Record Section indicating the nonexistence of other rrtypes for that name and rrclass
I agree but Windows puts it in the answers, so I copied that behavior
Got it. In practice it should work either way. Though I think I saw libraries that can't handle additional SRV and TXT records described in https://datatracker.ietf.org/doc/html/rfc6763#section-12 when they are put in the answer section.
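As an added example (not Scapy's own code, and not part of this thread) of the NSEC type-bitmap wire format that RRlist2bitmap produces and of the RFC 6762 §6.1 point discussed above: the bitmap should list every rrtype that exists for the name, so a responder configured with both joker and joker6 advertises A and AAAA whichever one was asked for. The function names, the mdns_reply shape and the sample records are assumptions of this example.

```python
from typing import Dict, List, Tuple

# IANA rrtype numbers used below.
RRTYPE = {"A": 1, "PTR": 12, "TXT": 16, "AAAA": 28, "SRV": 33, "NSEC": 47}

def rrlist2bitmap(types: List[int]) -> bytes:
    """Encode rrtype numbers as an RFC 4034 section 4.1.2 NSEC type bitmap.

    Wire layout is a sequence of (window, length, bits) with 256 types per
    window; bit 0 of a window's first octet is type window*256 + 0.
    """
    windows: Dict[int, bytearray] = {}
    for t in sorted(set(types)):
        win, off = divmod(t, 256)
        bits = windows.setdefault(win, bytearray(32))
        bits[off // 8] |= 0x80 >> (off % 8)
    out = bytearray()
    for win in sorted(windows):
        bits = windows[win].rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([win, len(bits)]) + bits
    return bytes(out)

def bitmap2rrlist(bitmap: bytes) -> List[int]:
    """Decode a type bitmap back to rrtype numbers (parser for the same format)."""
    types, i = [], 0
    while i < len(bitmap):
        win, length = bitmap[i], bitmap[i + 1]
        for j, octet in enumerate(bitmap[i + 2:i + 2 + length]):
            types += [win * 256 + j * 8 + b for b in range(8) if octet & (0x80 >> b)]
        i += 2 + length
    return types

def mdns_reply(records: Dict[int, list], qname: str, qtype: int) -> Tuple[list, tuple]:
    """Answers for (qname, qtype) plus the NSEC that asserts which rrtypes exist.

    RFC 6762 section 6.1: the NSEC's next name is qname itself and its bitmap
    lists every rrtype the responder holds for qname, not only the one queried.
    An empty answer list together with the NSEC is the mDNS negative response.
    """
    answers = [(qname, qtype, rdata) for rdata in records.get(qtype, [])]
    existing = [t for t, rrs in records.items() if rrs]
    return answers, (qname, qname, rrlist2bitmap(existing))

# Constructed sample: a responder holding both an A and an AAAA for its name.
HOST = {RRTYPE["A"]: ["192.168.56.100"], RRTYPE["AAAA"]: ["fe80::1"]}
```

The bitmap 00 04 40 00 00 08 that this yields for an A+AAAA host is the same one seen in NSEC records from avahi and mDNSResponder captures.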
Turns out I screwed it up. I tested it with #4385. With this PR applied

I've just tested it with the loopback interface using mdnsd(iface='lo', joker='192.168.56.100') and it works too as far as I can see.

When it's fine by you @evverx, I'll proceed with merging this :) I'm unsure if I've addressed all your comments / remarks.

I tested it with avahi, mDNSResponder and systemd-resolved and it works so personally I think it should be good to go :-)
dnsd/mdnsd fixes #4388