[Pdns-users] potential side effects of ALIAS records

Klaus Darilion klaus.mailinglists at pernau.at
Thu Feb 9 21:12:07 UTC 2017


Hi Peter!

Thanks for the answers.

On 08.02.2017 18:53, Pieter Lexis wrote:
>> - If ALIAS is not enabled, will PDNS just ignore these records?
> ALIAS is always "enabled". When we encounter an ALIAS record for the name queried, it is expanded.

So, there is no means to disable ALIAS? Then this is IMO a bug. We use
PowerDNS to slave zones from our customers. When now one of these
customers puts in an ALIAS, the customer can inject DNS queries in our
resolvers. E.g. if there is a day zero in a common resolver software -
the untrusted customer could trigger that the resolver resolves a
malicious domain and exploit the day zero.

This sounds very dangerous to me. Suddenly my resolvers, which were only
accessible from within my network, can be used by everybody (at least by
all my customers). This is a massive impact that should be noted in more
detail in the changelog, because up to now I only had to deal with
authoritative name server security - but this feature forces me to set up
a dedicated resolver for this untrusted resolving-request.

Please add a feature to "disable-alias-expanding" and make it default
YES if you care about security.

>> Any other things I need to know? I am a bit concerned doing potential
>> time consuming activities on my name servers.
> What do you mean by this?

Things like above.

Thanks
Klaus
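
An added example, not part of the original message and not PowerDNS code: one way to audit slaved customer zones for ALIAS records, so the operator knows which zones can cause lookups on the resolver. It assumes the records are available as zone-file style text lines (owner, TTL, class, type, content); the function name and the sample records are constructed for illustration.

```python
# Constructed sample: records of one slaved customer zone, zone-file style.
SAMPLE = """\
customer-a.example.\t3600\tIN\tSOA\tns1.customer-a.example. hostmaster.customer-a.example. 1 10800 3600 604800 3600
customer-a.example.\t3600\tIN\tALIAS\tlb.cdn-provider.example.
www.customer-a.example.\t3600\tIN\tA\t192.0.2.10
; a comment line
shop.customer-a.example.\t300\tIN\tALIAS\tshop.customer-a.example.
api.customer-a.example. 300 IN alias internal.customer-a.example.
"""


def find_alias_records(zone_text, zone_name):
    """Return (owner, target, target_in_zone) for every ALIAS record.

    Assumed input format: "owner TTL IN TYPE content", whitespace separated.
    target_in_zone is informational: False means the ALIAS points at a
    name outside the slaved zone.
    """
    zone = zone_name.lower().rstrip(".") + "."
    hits = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not in the assumed five-field layout
        if fields[3].upper() != "ALIAS":
            continue
        owner = fields[0].lower()
        target = fields[4].lower().rstrip(".") + "."
        in_zone = target == zone or target.endswith("." + zone)
        hits.append((owner, target, in_zone))
    return hits


if __name__ == "__main__":
    for owner, target, in_zone in find_alias_records(SAMPLE, "customer-a.example"):
        where = "in-zone" if in_zone else "OUT-OF-ZONE"
        print(f"ALIAS {owner} -> {target} ({where})")
```
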

