[Pdns-users] Injection Attacks Reloaded: Validating hostnames?
cm at appliedprivacy.net
Sat Aug 14 11:11:05 UTC 2021
In the light of a recent Usenix paper "Injection Attacks Reloaded:
Tunnelling Malicious Payloads over DNS",
we tested our dnsdist -> PowerDNS Recursor setup
with the following results:
(quoting from their test page)
> Special character filtering
> These tests will test if your resolver validates hostnames per RFC952. Other than domain names, which can contain arbitrary characters, hostnames are only allowed to contain the characters [0-9a-z-.]. To reduce the chance that an application which is unaware of this is attacked using a domain name containing an injection payload, stub resolvers should therefore filter such names.
> The test domain containing a slash (/) was not filtered by your resolver.
> The test domain containing an at (@) was not filtered by your resolver.
> The test domain containing an XSS payload (<img/src=''/onerror='alert("xss")'>) was not filtered by your resolver.
> The test domain containing an SQLi payload (a'OR''=''--) was not filtered by your resolver.
> The test domain containing an ANSI escape sequence (\027[31\;1\;4mHello\027[0m) was not filtered by your resolver.
We were wondering if there is an easy way in Recursor's configuration to
enable validation of hostnames similar to their Python proof of concept.
If there is no such option: Would you accept a feature request via GH
to implement such an option?
I'm also interested in your opinions on whether such validation might
cause issues in practice.
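For readers wanting to see what the hostname check described by the quoted test page looks like in practice, here is an added example in Python. It is not code from this post, from the paper's proof of concept, or from PowerDNS. It enforces the character set the test page cites ([0-9a-z-.], checked case-insensitively) and additionally assumes the usual RFC 1123 label rules (1 to 63 characters per label, no leading or trailing hyphen, at most 253 characters overall), which the page itself does not mention. The names it is run over are constructed here from the categories the test page lists; nothing is sent to a resolver.

```python
import re
from typing import Dict, Iterable

# One hostname label: starts and ends with a letter or digit, may contain
# hyphens in between, 1..63 characters. The letter/digit/hyphen alphabet is
# the one quoted from the test page; the length and hyphen-placement rules
# are RFC 1123 assumptions added here.
_LABEL_RE = re.compile(r"^[0-9a-z](?:[0-9a-z-]{0,61}[0-9a-z])?$")

# Maximum length of a full hostname (assumption, per RFC 1123 section 2.1).
_MAX_HOSTNAME_LEN = 253


def is_valid_hostname(name: str) -> bool:
    """Return True if `name` is a syntactically valid hostname.

    Anything outside [0-9A-Za-z-.] (slashes, '@', quotes, angle brackets,
    control characters such as ESC, underscores, raw non-ASCII) is rejected.
    Internationalised names must already be in their 'xn--' (punycode) form,
    which is plain ASCII and passes the same check.
    """
    if not name:
        return False
    # Accept the fully-qualified form with a trailing dot, but nothing else
    # that is empty or dot-only.
    name = name.rstrip(".")
    if not name or len(name) > _MAX_HOSTNAME_LEN:
        return False
    labels = name.lower().split(".")
    return all(_LABEL_RE.match(label) is not None for label in labels)


def classify_names(names: Iterable[str]) -> Dict[str, str]:
    """Map each name to 'accepted' or 'filtered' as a filtering stub would."""
    return {n: ("accepted" if is_valid_hostname(n) else "filtered") for n in names}


# Constructed sample input, one name per category from the quoted test page
# plus a few ordinary names. These are local test strings only.
CONSTRUCTED_NAMES = [
    "www.example.com",                                  # ordinary hostname
    "Mail-1.Example.NET.",                              # mixed case, trailing dot
    "xn--bcher-kva.example.com",                        # IDN in punycode form
    "a/b.example.com",                                  # slash
    "user@example.com",                                 # at sign
    "<img/src=''/onerror='alert(\"xss\")'>.example.com",  # markup characters
    "a'OR''=''--.example.com",                          # quote characters
    "\x1b[31;1;4mHello\x1b[0m.example.com",             # ESC control character
    "-bad.example.com",                                 # leading hyphen (RFC 1123)
    "_sip._tcp.example.com",                            # underscore: a valid
                                                        # domain name, not a hostname
]


if __name__ == "__main__":
    for name, verdict in classify_names(CONSTRUCTED_NAMES).items():
        print(f"{verdict:8s} {name!r}")
```

Note the last sample: underscores are legitimate in domain names used for SRV, TXT and DKIM records, so a check like this belongs at the point where a name is used as a hostname (e.g. before it is passed to an application), not as a blanket filter on every query a recursor answers. That is the kind of practical issue the original question is asking about.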