[Pdns-users] Injection Attacks Reloaded: Validating hostnames?
Remi Gacogne
remi.gacogne at powerdns.com
Mon Aug 16 08:31:26 UTC 2021
Hi Christoph,

On 8/14/21 1:11 PM, Christoph via Pdns-users wrote:
> We were wondering if there is an easy way in Recursor's configuration to
> enable validation of hostnames similar to their python proof of concept
> [4]?

We don't have such an option at the moment, although it would not be too
hard to implement via our Lua hooks.

> If there is no such option: Would you accept a feature request via GH
> to implement such an option?

I would personally not implement such a filter in a recursor, though, as
the authors themselves acknowledge it would be challenging not to block
legitimate records:

"Nevertheless, performing checks on DNS records is challenging: some
applications, like SRV service discovery [38], require domain names with
characters that are not allowed in hostnames (e.g., underscore).
Defining a list of allowed characters so that legitimate applications
would still work but injection attacks would be blocked should be
further investigated and is not straightforward. In particular, it is
difficult to foresee what characters and formats will be needed by
future applications, hence a ‘too-restrictive’ list of allowed
characters would make DNS less transparent, possibly introducing
obstacles in deployment of new applications, or when adding new versions
or new features to existing applications."

I would be willing to accept a new rule in dnsdist, though, validating
whether owner names and targets are valid hostnames, if there is any
interest.

> I'm also interested in your opinions on whether such validation might
> cause issues in practice.

My understanding is that restricting owner names and targets in queries
and responses to valid hostnames, in a resolver, would lead to issues
quite quickly, at the very least with SRV and SVCB records. I'm not
really convinced it can be implemented at the stub resolver level either
without breaking some applications.
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
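As an added illustration (not code from this thread, from PowerDNS, or from the paper's proof of concept), the Python below applies a strict RFC 1123 hostname check to a few constructed owner names. It makes the false-positive problem discussed above concrete: SRV and DNS-SD style names with underscore labels fail the same check that catches names with characters outside the hostname alphabet.

```python
import re

# RFC 952 / RFC 1123 hostname label: letters, digits and hyphens,
# 1-63 octets, and it may not start or end with a hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Strict hostname check, as a resolver or dnsdist rule might apply it:
    every label must be an RFC 1123 label and the name (without its trailing
    dot) must fit in 253 octets."""
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


# Constructed sample owner names (hypothetical, not from any real zone).
SAMPLE_NAMES = [
    "www.example.com.",            # ordinary A/AAAA owner name
    "mail.example.com.",           # ordinary MX target
    "_sip._tcp.example.com.",      # SRV owner name (RFC 2782)
    "_dns-sd._udp.example.com.",   # DNS-SD service enumeration name
    "_8443._https.example.com.",   # SVCB/HTTPS owner name for a non-default port
    "-bad.example.com.",           # label starting with a hyphen
    "ho'st.example.com.",          # character outside the hostname alphabet
]


def classify(names):
    """Split names into those a strict hostname rule would accept and those
    it would block. Legitimate SRV/SVCB names land in the blocked list."""
    accepted, blocked = [], []
    for name in names:
        (accepted if is_valid_hostname(name) else blocked).append(name)
    return accepted, blocked


if __name__ == "__main__":
    ok, rejected = classify(SAMPLE_NAMES)
    print("accepted:", ok)
    print("blocked: ", rejected)
```

Note that every underscore-labelled name ends up in the blocked list alongside the genuinely malformed ones, which is exactly why such a rule fits better as an opt-in dnsdist rule than as recursor default behaviour.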