[Pdns-users] potential side effects of ALIAS records

[Pieter Lexis]

Hi Klaus,

On Thu, 9 Feb 2017 22:12:07 +0100
Klaus Darilion <klaus.mailinglists at pernau.at> wrote:

> On 08.02.2017 18:53, Pieter Lexis wrote:
> >> - If ALIAS is not enabled, will PDNS just ignore these records?  
> > ALIAS is always "enabled". When we encounter an ALIAS record for the name queried, it is expanded.  
> 
> So, there is no means to disable ALIAS? Then this is IMO a bug. We use
> PowerDNS to slave zones from our customers. When now one of these
> customers put in an ALIAS, the customer can inject DNS queries in our
> resolvers. E.g. if there is a day zero in a common resolver software -
> the untrusted customer could trigger that the resolver resolves a
> malicious domain and exploit the day zero.
> 
> This sounds very dangerous to me. Suddenly my resolvers, which were only
> accessible from within my network, can be used by everybody (at least by
> all my customers). This is a massive impact should be noted in more
> details in the changelog, Because up to now I only had to deal with
> authoritative name server security - but this feature forces me to setup
> a dedicated resolver for this untrusted resolving-request.
> 
> Please add a feature to "disable-alias-expanding" and make it default
> YES if you care about security.

Your comment makes sense, not only from the resolver perspective, but also from the "I don't want my slaves doing any dynamic things"-perspective.
Could you file an issue[1] for this so we can track this?

Thank you for clarifying,

Pieter

1 - https://github.com/PowerDNS/pdns/issues/new

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com