dingo
CODE FIX -- A better method for secure random padding the DNS payload
Currently the padding takes only one random char and duplicates it to pad the DNS request payload. Ideally, each padding char should be randomized and the payload should also fill up to the MAX size of the DNS request size allowed, such that all DNS queries received are the same size MAX. This is to deter statistical analysis of the HTTPS payload for short domains such as foo.com versus really-long-domain-name-here.com. Here is some sample code to fix the current padding issue that can be patched up a little and integrated back to resolve the current problem. You can also see the sample output of the current versus the new solution. The padding is also updated to include the allowed padding chars for the Google DNS over HTTPS API.
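package main

import (
	"fmt"
	"math/rand"
	"strings"
	"time"
)

// Padding characters allowed by the Google DNS over HTTPS API.
const padChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~"

func main() {
	/* BAD PADDING: one random char, repeated a random number of times */
	fmt.Printf("%s", "BAD: ")
	fmt.Printf("%s", strings.Repeat(string(rune(65+rand.Intn(26))), rand.Intn(500)))

	/* BETTER PADDING: every char picked independently, fixed length */
	initRand()
	fmt.Printf("\n\n%s", "BETTER: ")
	fmt.Printf("%s\n", getPaddedStr(500))
}

// getPaddedStr returns n characters, each drawn at random from padChars.
func getPaddedStr(n int) string {
	s := make([]byte, n)
	for i := range s {
		s[i] = padChars[rand.Intn(len(padChars))]
	}
	return string(s)
}

// initRand seeds math/rand from the clock (not a cryptographically secure source).
func initRand() {
	rand.Seed(time.Now().UnixNano())
}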
$ go run test.go
BAD: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
BETTER: SdS8ZICmhenQ6F1ILVG.Z959tj223~bWK-oo0sqd.K-uy5vwZAeSAeWRuvhgwXIH8-jBqRWmPCrfXpEv-f4K-x538W-yFhrTebczuZ0I2pH5AwM_opFztlek0cFb_~noZKWHeRwMJSUs3D~nIMqS-.yMge3ix610kygd2nSWTm736eGbFkOa5x_PjCNkTn7zqe47s44WgChnnSV6-IyuDJMM1aUYYT3OroObdkD8-chcM2TfPOLdZ61qmpaz_GYmz2FaLmBXCghp06~oNFIfv413LZC2M.BJpcW~HJ0Gp2vbLn5IAJ7GAwctodLXUxH4b12xrC3PCXGUJW3YKlP_VAnONcf3NSTdWTjpNqp1oEemKEUegaRqUWatpoy463mzMx~-oFD2yD28PRt.I-yJv0v8TEnQVc6K32ZY88lwKEgT-2jFMVhLwFt7dLrb-P7VX0kurl0Wx7iUleqpNEx4h71HfMpyslGEyx.8iYMrcigmBk1KJ306
The whole query string should be equal size.
getPaddedStr(259-len(qname)-len(string(qtype))))
???len????
resolving github.com./TXT len %!s(int=16) 1
resolving github.com./ANY len %!s(int=255) 2
resolving github.com./A len %!s(int=1) 1
@Opensourcecommunitydevelopment good catch
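The two points raised in this thread (independent random padding characters, and a constant total size that accounts for the real length of the type field) can be combined as below. This is an added example, not code from the issue or from dingo: `padFor`, `randomPad` and `targetLen` are hypothetical names, the 259 budget is taken from the snippet above, crypto/rand is swapped in for math/rand, and it assumes the record type is sent as decimal digits.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strconv"
)

// Padding alphabet from the issue's sample code.
const padChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~"

// targetLen is an assumed budget for len(name)+len(type)+len(padding); 259 is the thread's figure.
const targetLen = 259

// randomPad draws n characters independently and uniformly from padChars using the OS CSPRNG.
func randomPad(n int) (string, error) {
	limit := big.NewInt(int64(len(padChars)))
	b := make([]byte, n)
	for i := range b {
		idx, err := rand.Int(rand.Reader, limit) // uniform in [0, limit), no modulo bias
		if err != nil {
			return "", err
		}
		b[i] = padChars[idx.Int64()]
	}
	return string(b), nil
}

// padFor returns padding such that name + decimal type + padding is always targetLen bytes.
// strconv.Itoa measures the digits ("255" is 3 bytes); string(rune(255)) is 2 UTF-8 bytes.
func padFor(qname string, qtype uint16) (string, error) {
	n := targetLen - len(qname) - len(strconv.Itoa(int(qtype)))
	if n < 0 {
		return "", fmt.Errorf("qname of %d bytes exceeds target %d", len(qname), targetLen)
	}
	return randomPad(n)
}

func main() {
	for _, qtype := range []uint16{1, 16, 255} { // A, TXT, ANY as in the log above
		pad, err := padFor("github.com.", qtype)
		if err != nil {
			panic(err)
		}
		fmt.Printf("type=%d pad=%d total=%d\n", qtype, len(pad), len("github.com.")+len(strconv.Itoa(int(qtype)))+len(pad))
	}
}
```

The error path covers names too long for the budget, where the original expression would pass a negative length to `make` and panic.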