Fuzzing Bind

Ed Daniel esdaniel at esdaniel.com
Thu Aug 5 15:09:02 UTC 2021

On 05/08/2021 13:37, Siva Kakarla wrote:
> Hello Everyone,
> I am trying to understand and set up a fuzzer for the Bind DNS
> implementation. My current goal is to fuzz the authoritative server with
> queries. 
> I have looked around and came across different fuzzing engines, but I
> have some trouble and some questions getting it to work. If anyone has
> anything to comment on, please reply, and that would be really helpful.
>  1. I configured with |CC=/path/to/afl/afl-clang./configure
>     --enable-fuzzing=afl| or |afl-clang-fast| to enable fuzzing. Then, I
>     did make and  make install.  I then tried fuzzing the |named| binary
>     with |afl-fuzz -i fuzz/dns_message_parse.in/
>     <http://dns_message_parse.in/> -o findings /usr/local/sbin/named
>     -g|but then it stops immediately, saying|the program crashed with
>     one of the test cases provided|. 
>      1. How to fuzz the |named|binary with queries?
>      2. How to get the seed input in raw format? 
>      3. Honggfuzz 
>         <https://github.com/google/honggfuzz/tree/master/examples/bind>seems
>         to fuzz the named binary, but it produced too many files as
>         crash reports within a minute. I have asked about it on
>         their GitHub <https://github.com/google/honggfuzz/issues/408>.
>         Anyone that worked with Honggfuzz, please reply. 
>  2. A separate fuzz folder
>     <https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz> contains functions
>     to fuzz small sections of the code. 
>      1. Was this created to improve coverage and modularity? (In the
>         sense, can't |named| be fuzzed directly using the above setup?) 
>      2. I could get them running with |oss-fuzz| but how to run them
>         with |afl-fuzz|? The README 
>         <https://gitlab.isc.org/isc-projects/bind9/-/blob/main/fuzz/FUZZING.md>mentions
>         linking the files; can you please tell me how to do that?
>  3. How to decode the packets given
>     in https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in
>     <https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in>?
>     How to add a new packet to the corpus? (How to convert into a raw
>     packet?)

Why not re-purpose a password fuzzer, instead of passwords you'd be
spawning FQDNs, which you could pipe to mdig or other dns client?

More information about the bind-users mailing list