[Pdns-users] Injection Attacks Reloaded: Validating hostnames?
Christoph
cm at appliedprivacy.net
Sat Aug 14 11:11:05 UTC 2021
Hi,
in the light of a recent USENIX paper "Injection Attacks Reloaded:
Tunnelling Malicious Payloads over DNS" [1],
we tested our dnsdist -> PowerDNS Recursor setup [2]
with the following results:
(quoting from their test page [3])
> Special character filtering
>
> These tests will test if your resolver validates hostnames per RFC952. Other than domain names, which can contain arbitrary characters, hostnames are only allowed to contain the characters [0-9a-z-.]. To reduce the chance that an application which is unaware of this is attacked using a domain name containing an injection payload, stub resolvers should therefore filter such names.
> The test domain containing a slash (/) was not filtered by your resolver.
> The test domain containing an at (@) was not filtered by your resolver.
> The test domain containing an XSS payload (<img/src=''/onerror='alert("xss")'>) was not filtered by your resolver.
> The test domain containing an SQLi payload (a'OR''=''--) was not filtered by your resolver.
> The test domain containing an ANSI escape sequence (\027[31\;1\;4mHello\027[0m) was not filtered by your resolver.
We were wondering if there is an easy way in Recursor's configuration to
enable validation of hostnames similar to their Python proof of concept
[4]?
If there is no such option: Would you accept a feature request via GH
to implement such an option?
I'm also interested in your opinions on whether such validation might
cause issues in practice.
best regards,
Christoph
[1] https://www.usenix.org/system/files/sec21-jeitner.pdf
[2] https://applied-privacy.net/services/dns/
[3] https://xdi-attack.net/test.html
[4] https://xdi-attack.net/proxy.html
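As an added example (not the proof of concept from [4], and not PowerDNS code), the following Python shows what the requested validation amounts to and where it can safely be applied. It checks names against the hostname alphabet [0-9a-z-.] with the label rules of RFC 952 as relaxed by RFC 1123, and only where a hostname is actually required: owner names of A/AAAA records and the targets of CNAME/NS/PTR/MX/SRV records. Owner names of other types are left alone, because SRV owners such as `_sip._tcp.example.test` and underscore-labelled DKIM selectors are legitimate domain names that a blanket filter would break, which is the practical issue the post asks about. The `(owner, rtype, rdata)` tuple layout and the sample answers are constructed for this example; the same check could be run from the Recursor's Lua `postresolve` hook, but that wiring is not shown here.

```python
import re

# A hostname label (RFC 952 as relaxed by RFC 1123): letters, digits and
# hyphens, no leading or trailing hyphen, 1 to 63 octets. Matched
# case-insensitively because DNS answers may carry upper-case labels.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_valid_hostname(name: str) -> bool:
    """True if `name` uses only the hostname alphabet [0-9a-z-.] and every
    label is well-formed. A trailing dot (FQDN form, as resolvers print
    names) is accepted; the root name "." alone is not a hostname."""
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) is not None for label in name.split("."))


# Types whose owner name must be a hostname (address records), and types
# whose RDATA ends in a hostname, with the number of leading numeric fields
# to skip before that target (MX: priority; SRV: priority, weight, port).
_HOSTNAME_OWNER_TYPES = {"A", "AAAA"}
_HOSTNAME_TARGET_TYPES = {"CNAME": 0, "NS": 0, "PTR": 0, "MX": 1, "SRV": 3}


def filter_records(records):
    """Drop records that carry a non-hostname where a hostname is required.

    `records` is an iterable of (owner, rtype, rdata) string tuples (assumed
    layout for this example). Owner names of other types (TXT, SRV owners like
    _sip._tcp.example.test, DKIM selectors with underscores) are deliberately
    not checked: they are domain names, not hostnames."""
    kept = []
    for owner, rtype, rdata in records:
        if rtype in _HOSTNAME_OWNER_TYPES and not is_valid_hostname(owner):
            continue
        skip = _HOSTNAME_TARGET_TYPES.get(rtype)
        if skip is not None:
            fields = rdata.split(None, skip)
            # Too few fields, or a target containing whitespace, both fail here.
            if len(fields) != skip + 1 or not is_valid_hostname(fields[-1]):
                continue
        kept.append((owner, rtype, rdata))
    return kept


# Constructed sample answers: the five payload labels quoted from the test
# page above, each as a CNAME target (\x1b is the ESC byte written as \027
# in the quote), plus ordinary records that must survive the filter.
SAMPLE_ANSWERS = [
    ("www.example.test.", "CNAME", "slash/in-label.example.test."),
    ("www.example.test.", "CNAME", "user@host.example.test."),
    ("www.example.test.", "CNAME", "<img/src=''/onerror='alert(\"xss\")'>.example.test."),
    ("www.example.test.", "CNAME", "a'OR''=''--.example.test."),
    ("www.example.test.", "CNAME", "\x1b[31;1;4mHello\x1b[0m.example.test."),
    ("www.example.test.", "A", "192.0.2.10"),
    ("example.test.", "MX", "10 Mail.Example.Test."),
    ("_sip._tcp.example.test.", "SRV", "0 5 5060 sip.example.test."),
    ("example.test.", "TXT", "\"v=spf1 -all\""),
]

if __name__ == "__main__":
    # Only the A, MX, SRV and TXT records come through; all five injection
    # payloads are dropped.
    for rec in filter_records(SAMPLE_ANSWERS):
        print(rec)
```

Running it prints the four surviving records. Note that the filter is applied to the resolver's answer data, not to the query name, so a client looking up a name that contains such characters (which is legal for a domain name) still gets an answer; what it never receives is a hostname-valued field that would carry a payload into an application that trusts it.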