fix security check on id, note security concerns

README.md

@@ -90,3 +90,10 @@ Options
 
 --debug                     verbose output
 ```
+
+Security Concerns
+-----------------
+
+The 16-bit `id` of the query must match that of the response.
+
+Extra entropy is added by using `dns0x20`, the de facto standard for RanDOmCASiNg on the query which must be matched in the response.

bin/dig.js

@@ -189,7 +189,9 @@ cli.main(function (args, cli) {
     var fail0x20;
 
     if (packet.id !== query.id) {
-      console.log('ignoring packet for ', packet.question[0].name);
+      console.error('[SECURITY] ignoring packet for \'' + packet.question[0].name + '\' due to mismatched id');
+      console.error(packet);
+      return;
     }
 
     if (cli.debug) {

dns-request.js

@@ -8,24 +8,24 @@ function logQuestion(packet) {
   var flags = "";
 
   // TODO opcode 0 QUERY rcode 0 NOERROR
-  console.log(';; ->>HEADER<<- [opcode: ' + packet.header.opcode + ', status: ' + packet.header.rcode + '], id: ' + packet.header.id);
+  console.info(';; ->>HEADER<<- [opcode: ' + packet.header.opcode + ', status: ' + packet.header.rcode + '], id: ' + packet.header.id);
-  if (packet.header.tc) { console.log("Truncated [tc] (we don't know the normal way to print a tc packet... you should record this with -o tc-packet.dig and send it to us)"); }
+  if (packet.header.tc) { console.info("Truncated [tc] (we don't know the normal way to print a tc packet... you should record this with -o tc-packet.dig and send it to us)"); }
   flags += ";; flags:";
   if (packet.header.qr) { flags += " qr"; }
   if (packet.header.aa) { flags += " aa"; }
   if (packet.header.rd) { flags += " rd"; }
   if (packet.header.ra) { flags += " ra"; }
   flags += "; QUERY: " + packet.question.length + ", ANSWER: " + packet.answer.length + ", AUTHORITY: " + packet.authority.length + ", ADDITIONAL: " + packet.additional.length;
-  console.log(flags);
+  console.info(flags);
-  if (packet.header.res1) { console.log("[res1] (we don't know how to print a packet with res1 yet)"); }
+  if (packet.header.res1) { console.info("[res1] (we don't know how to print a packet with res1 yet)"); }
-  if (packet.header.res2) { console.log("[res2] (we don't know how to print a packet with res2 yet)"); }
+  if (packet.header.res2) { console.info("[res2] (we don't know how to print a packet with res2 yet)"); }
-  if (packet.header.res3) { console.log("[res3] (we don't know how to print a packet with res2 yet)"); }
+  if (packet.header.res3) { console.info("[res3] (we don't know how to print a packet with res2 yet)"); }
   // {"id":32736,"qr":1,"opcode":0,"aa":0,"tc":0,"rd":1,"ra":0,"res1":0,"res2":0,"res3":0,"rcode":5}
   //console.log(JSON.stringify(packet.header));
-  console.log('');
+  console.info('');
-  console.log(';; QUESTION SECTION:');
+  console.info(';; QUESTION SECTION:');
   packet.question.forEach(function (q) {
-    console.log(';' + q.name + '.', ' ', q.className, q.typeName);
+    console.info(';' + q.name + '.', ' ', q.className, q.typeName);
   });
 }
 
@@ -103,6 +103,7 @@ function resolve(queryAb, opts) {
 
 function resolveJson(query, opts) {
   var queryAb = dnsjs.DNSPacket.write(query);
+  //console.log('[DEV] nameserver', opts.nameserver);
   var options = {
     onError: opts.onError
   , onMessage: function (nb) {