[Pdns-users] Injection Attacks Reloaded: Validating hostnames?
remi.gacogne at powerdns.com
Mon Aug 16 08:31:26 UTC 2021
On 8/14/21 1:11 PM, Christoph via Pdns-users wrote:

> We were wondering if there is an easy way in Recursor's configuration to
> enable validation of hostnames similar to their python proof of concept

We don't have such an option at the moment, although it would not be too
hard to implement via our Lua hooks.

> If there is no such option: Would you accept a feature request via GH
> to implement such an option?

I would personally not implement such a filter in a recursor, though, as
the authors themselves acknowledge it would be challenging not to block
"Nevertheless, performing checks on DNS records is challenging: some
applications, like SRV service discovery, require domain names with
characters that are not allowed in hostnames (e.g., underscore).
Defining a list of allowed characters so that legitimate applications
would still work but injection attacks would be blocked should be
further investigated and is not straightforward. In particular, it is
difficult to foresee what characters and formats will be needed by
future applications, hence a ‘too-restrictive’ list of allowed
characters would make DNS less transparent, possibly introducing
obstacles in deployment of new applications, or when adding new versions
or new features to existing applications."
I would be willing to accept a new rule in dnsdist, though, validating
whether owner names and targets are valid hostnames, if there is any

> I'm also interested in your opinions on whether such validation might
> cause issues in practice.

My understanding is that restricting owner names and targets in queries
and responses to valid hostnames, in a resolver, would lead to issues
quite quickly, at the very least with SRV and SVCB records. I'm not
really convinced it can be implemented at the stub resolver level either
without breaking some applications.
PowerDNS.COM BV - https://www.powerdns.com/
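Added example (Python, the language of the proof of concept the thread mentions; this is not code from the post, from PowerDNS Recursor or from dnsdist): a strict RFC 1123 hostname check of the kind discussed above, next to a relaxed variant that also admits the underscore-prefixed service labels that SRV and SVCB owner names require. The sample names are constructed; running both variants over them shows why the strict check breaks SRV/SVCB while the relaxed one still rejects names carrying non-LDH bytes.

```python
import re

# RFC 1123 "preferred name syntax" label: letters, digits and hyphen only,
# 1 to 63 octets, and no leading or trailing hyphen.
_LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Relaxed label: an underscore-prefixed service label such as "_sip" or
# "_tcp", as used by SRV, SVCB and similar records. Nothing else is widened.
_SERVICE_LABEL = re.compile(r"^_[A-Za-z0-9-]{1,62}$")


def is_hostname(name: str, allow_service_labels: bool = False) -> bool:
    """Return True if `name` is a valid hostname in the RFC 1123 sense.

    With allow_service_labels=True, labels like "_sip" are accepted too,
    which is the minimum relaxation needed to keep SRV/SVCB owner names working.
    """
    name = name.rstrip(".")           # tolerate a fully-qualified trailing dot
    if not name or len(name) > 253:   # 255-octet wire limit minus root label and length byte
        return False
    for label in name.split("."):
        if _LDH_LABEL.match(label):
            continue
        if allow_service_labels and _SERVICE_LABEL.match(label):
            continue
        return False                  # empty label, bad byte, bad hyphen or too long
    return True


def classify(names, allow_service_labels=False):
    """Map each name to the verdict of the chosen validator."""
    return {n: is_hostname(n, allow_service_labels) for n in names}


# Constructed sample owner names and targets (not taken from the thread):
SAMPLE_NAMES = [
    "www.example.com.",            # ordinary A/AAAA owner name
    "_sip._tcp.example.com",       # SRV owner name: underscores are mandatory
    "_dns.resolver.arpa",          # SVCB-style owner name
    "mail-1.example.com",          # hyphen inside a label is fine
    "-bad.example.com",            # leading hyphen is not allowed
    'a"b.example.com',             # non-LDH byte; rejected by both variants
    "x" * 64 + ".example.com",     # label longer than 63 octets
]

if __name__ == "__main__":
    for name, ok in classify(SAMPLE_NAMES).items():
        print(f"strict : {ok!s:5} {name}")
    for name, ok in classify(SAMPLE_NAMES, allow_service_labels=True).items():
        print(f"relaxed: {ok!s:5} {name}")
```

The strict run rejects both SRV-style names, illustrating the breakage described in the reply; the relaxed run accepts them while still rejecting the malformed entries.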