The Domain Name System (DNS) is a critical component of the Internet. DNS resolvers, which act as caches between DNS clients and DNS nameservers, are the central piece of the DNS infrastructure and essential to its scalability. However, finding resolver vulnerabilities is non-trivial, and existing tools do not address the problem well, for several reasons. First, most known resolver vulnerabilities are non-crash bugs that existing oracles (or sanitizers) cannot detect directly. Second, there is no rigorous specification that can serve as a reference for classifying a test case as a resolver bug. Third, DNS resolvers are stateful, and stateful fuzzing remains challenging because of the large input space. In this paper, we present a new fuzzing system, ResolverFuzz, that addresses these challenges with a suite of new techniques. First, ResolverFuzz performs constrained stateful fuzzing by focusing on short query-response sequences, which our study of published DNS CVEs shows to be the most effective way to find resolver bugs. Second, to generate test cases that are more likely to trigger resolver bugs, we combine probabilistic context-free grammar (PCFG) based input generation with byte-level mutation for both queries and responses. Third, we use differential testing and clustering to identify non-crash bugs such as cache poisoning. We evaluated ResolverFuzz against 6 mainstream DNS software packages under 4 resolver modes. Overall, we identified 23 vulnerabilities that can lead to cache poisoning, resource consumption, and crash attacks. After responsible disclosure, 19 of them have been confirmed or fixed, and 15 CVE numbers have been assigned.
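As an added example (not code from the ResolverFuzz paper or project), the following Python sketches the three mechanisms the abstract names in miniature: a weighted (PCFG) grammar that generates a DNS question, byte-level mutation applied on top of the grammar output, and a differential step that clusters resolvers by what they cached after a test case and flags out-of-bailiwick records as the cache-poisoning signal. The grammar symbols and weights, the resolver names, and the cache snapshots are constructed assumptions for illustration only.

```python
"""Added example, not ResolverFuzz code: PCFG query generation, byte-level
mutation, and a differential/clustering check over resolver cache snapshots."""
import random
import struct

# Illustrative PCFG for a DNS question (assumed symbols and weights). Each
# nonterminal maps to weighted expansions; uppercase tokens are nonterminals.
QUERY_PCFG = {
    "QNAME": [(0.55, ["LABEL", "SUFFIX"]),
              (0.35, ["LABEL", "LABEL", "SUFFIX"]),
              (0.10, ["SUFFIX"])],
    "LABEL": [(0.5, ["www"]), (0.3, ["ns1"]), (0.2, ["RANDLABEL"])],
    "SUFFIX": [(0.7, ["example", "com"]), (0.3, ["test", "internal"])],
    "QTYPE": [(0.6, ["A"]), (0.2, ["NS"]), (0.1, ["CNAME"]), (0.1, ["TXT"])],
}
QTYPE_CODES = {"A": 1, "NS": 2, "CNAME": 5, "TXT": 16}
HEADER_LEN = 12


def expand(grammar, symbol, rng):
    """Sample one expansion of `symbol` by weight and recurse; returns terminals."""
    if symbol == "RANDLABEL":  # special terminal: a random 1..8 letter label
        return ["".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(1, 8)))]
    if symbol not in grammar:
        return [symbol]
    weights, expansions = zip(*grammar[symbol])
    chosen = rng.choices(expansions, weights=weights, k=1)[0]
    return [t for tok in chosen for t in expand(grammar, tok, rng)]


def encode_name(labels):
    """Wire-format a name: length-prefixed labels followed by the root label."""
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, labels, qtype):
    """One-question query: header (RD set, QDCOUNT=1) + QNAME/QTYPE/QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(labels) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Decode the single question; rejects compression pointers and length
    overruns so a mutated packet cannot walk the parser past the buffer."""
    _txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = HEADER_LEN, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n, pos = msg[pos], pos + 1
        if n == 0:
            break
        if n >= 64 or pos + n > len(msg):
            raise ValueError("compression pointer or bad label length")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return labels, qtype


def generate_query(seed):
    """Deterministic PCFG draw: returns (wire bytes, labels, qtype code)."""
    rng = random.Random(seed)
    labels = expand(QUERY_PCFG, "QNAME", rng)
    qtype = QTYPE_CODES[expand(QUERY_PCFG, "QTYPE", rng)[0]]
    return build_query(rng.randrange(1 << 16), labels, qtype), labels, qtype


def mutate_query(msg, seed, n_flips=2):
    """Byte-level mutation on top of the grammar output: XOR `n_flips` distinct
    bytes after the header with a non-zero value, so the packet still belongs
    to the same transaction but its question section is perturbed."""
    rng = random.Random(seed)
    buf = bytearray(msg)
    body = range(HEADER_LEN, len(buf))
    for i in rng.sample(body, min(n_flips, len(body))):
        buf[i] ^= rng.randrange(1, 256)
    return bytes(buf)


def cluster_by_cache(snapshots):
    """Differential step: group resolvers whose post-test cache contents are
    identical. `snapshots` maps resolver name -> set of (owner, type, rdata).
    More than one cluster means the implementations disagree on one input."""
    clusters = {}
    for resolver, records in snapshots.items():
        clusters.setdefault(frozenset(records), []).append(resolver)
    return sorted(sorted(names) for names in clusters.values())


def flag_out_of_bailiwick(snapshots, zone):
    """Cache-poisoning oracle: a cached record whose owner lies outside `zone`
    came from response data the resolver should not have trusted."""
    suffix = "." + zone.strip(".") + "."
    bad = {}
    for resolver, records in snapshots.items():
        hits = sorted(r for r in records
                      if not (r[0] == zone or r[0].endswith(suffix)))
        if hits:
            bad[resolver] = hits
    return bad


# Constructed sample (hypothetical resolvers, RFC 5737 addresses): one
# query/response pair replayed into three resolvers; the response also carried
# an A record for www.victim.test, outside example.com, which only resolverC
# accepted into its cache.
SAMPLE_SNAPSHOTS = {
    "resolverA": {("www.example.com.", "A", "192.0.2.10")},
    "resolverB": {("www.example.com.", "A", "192.0.2.10")},
    "resolverC": {("www.example.com.", "A", "192.0.2.10"),
                  ("www.victim.test.", "A", "198.51.100.7")},
}

if __name__ == "__main__":
    wire, labels, qtype = generate_query(7)
    print(".".join(labels), qtype, wire.hex())
    print(mutate_query(wire, 1).hex())
    print(cluster_by_cache(SAMPLE_SNAPSHOTS))
    print(flag_out_of_bailiwick(SAMPLE_SNAPSHOTS, "example.com."))
```

The mutation deliberately leaves the 12-byte header alone so a resolver under test still matches the packet to the same transaction; in a real harness the same generate-then-mutate step is applied to the authoritative response side as well, and the cache snapshots would be read from each resolver (for example via its dump or statistics interface) rather than constructed.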