I did some vulnerability assessment on the tool Dnsliar.
The goal was to see if it is production ready and well optimized.
I first did some fuzzing and tried to stress the server, using the nmap script dns-fuzz, Scapy, pwntools, and some more.
After that, I did some code review trying to find wrong logic. I found out that I could get an IP address leak on a blacklisted domain; this is designed in the code by only filtering the A and AAAA query types, but it should be less permissive.
Furthermore, about the filtering: even if a request is for a blacklisted domain, it is still sent to the forwarder (the upstream DNS). The filtering is done after the forwarder, so the performance could be improved.
I also found out that DNSliar had no protection against DNS amplification DoS: no rate limiting, no filtering of the query type (ANY, '*'), …
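To illustrate the three filtering points above (blocking only A/AAAA, filtering after the forwarder, and accepting ANY), here is an added example that is not Dnsliar's own code: a permissive decision function that mirrors the described behaviour next to a stricter one that decides on the name alone, refuses ANY, and is meant to run before any upstream request. The blacklist matching on subdomains and the `QType` enum are assumptions of this example.

```rust
use std::collections::HashSet;

/// Query types that matter for the policy; `Other` carries any other RR type code.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum QType { A, Aaaa, Any, Other(u16) }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision { Forward, Refuse }

/// Normalise a query name: lower-case and strip the trailing dot.
fn normalise(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

/// True if `name` equals a blacklisted name or is a subdomain of one
/// (assumption: the blacklist is meant to cover subdomains as well).
fn is_blacklisted(blacklist: &HashSet<String>, name: &str) -> bool {
    let n = normalise(name);
    blacklist.iter().any(|b| n == *b || n.ends_with(&format!(".{}", b)))
}

/// Permissive policy as described in the write-up: only A and AAAA lookups of a
/// blacklisted name are refused, so other types (MX, TXT, ANY, ...) still forward.
pub fn decide_permissive(blacklist: &HashSet<String>, name: &str, qtype: QType) -> Decision {
    if matches!(qtype, QType::A | QType::Aaaa) && is_blacklisted(blacklist, name) {
        Decision::Refuse
    } else {
        Decision::Forward
    }
}

/// Stricter policy: decide on the name whatever the type, and refuse ANY outright.
/// Evaluated before the forwarder is contacted, so a refused query costs no upstream round trip.
pub fn decide_strict(blacklist: &HashSet<String>, name: &str, qtype: QType) -> Decision {
    if qtype == QType::Any || is_blacklisted(blacklist, name) {
        Decision::Refuse
    } else {
        Decision::Forward
    }
}

fn main() {
    // Constructed sample blacklist and queries; Other(15) is the MX type code.
    let blacklist: HashSet<String> = ["bad.example".to_string()].into_iter().collect();
    let queries = [("bad.example", QType::A), ("bad.example", QType::Other(15)),
                   ("ads.bad.example", QType::Any), ("good.example", QType::A)];
    for (q, t) in queries {
        println!("{:>16} {:?}: permissive={:?} strict={:?}", q, t,
                 decide_permissive(&blacklist, q, t), decide_strict(&blacklist, q, t));
    }
}
```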
I also found many unwrap calls in the Rust code, which is not recommended in production.
There are also other 'theoretical' vulnerabilities that I could not test due to time.
As an intern it was fun to participate in this event and to exchange with professional and experienced people. It would be a pleasure to participate next year!