[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Aug 17 17:32:35 UTC 2021
> On 17 Aug 2021, at 1:17 pm, Lee <ler762 at gmail.com> wrote:
>
> If you have a system that uses systemd-resolved or dnsmasq you can test them at
> https://xdi-attack.net/test.html
>
> For whatever it's worth, I get 'Your resolver is not vulnerable ...'
> for each test if I have
> check-names response fail;
> in my bind named.conf
> But every single 'Special character filtering' test comes back 'was
> not filtered by your resolver' if I remove check-names :(
I am far from convinced that it is the resolver's job to enforce RDATA
syntax restrictions beyond what is required for a valid wire form.
If applications make unwarranted assumptions about the syntax of
DNS replies, that's surely an application bug, rather than an issue
in DNS.
--
Viktor.
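An added illustration of the point being argued in this thread (example code written for this page, not code from the thread, from BIND or from xdi-attack.net): the DNS wire format accepts any octets in a label, so a reply such as a PTR target of "$(id).example.com" is perfectly valid wire form and only breaks something when an application treats it as a hostname without checking. The block below decodes two constructed wire-format names, applies the same letters-digits-hyphen hostname rule that BIND's `check-names` enforces, and shows a hypothetical application that splices the reverse-lookup result into a shell command next to the hardened form that validates first and never goes through a shell. The wire samples, the ping scenario and all function names are assumptions for the example.

```python
"""Application-side hostname validation for DNS replies.

Added example for the dns-operations thread above; not code from BIND,
from the xdi-attack.net test, or from either poster. The wire-format
samples below are constructed, not captured traffic.
"""
import re

# RFC 952/1123 "LDH" label: letters, digits and hyphen, no leading or
# trailing hyphen, 1..63 characters. This is the hostname rule that
# BIND's `check-names` applies; the wire format itself imposes nothing
# beyond the 63-octet label limit.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed wire-format names (uncompressed) as a resolver could
# return them in the RDATA of a PTR or CNAME record. Both are valid
# wire form: a length octet followed by that many arbitrary octets.
BENIGN_WIRE = b"\x04host\x07example\x03com\x00"
HOSTILE_WIRE = b"\x05$(id)\x07example\x03com\x00"


def decode_wire_name(data: bytes, offset: int = 0) -> str:
    """Decode an uncompressed wire-format name to presentation form.

    Minimal on purpose: no compression pointers, no escaping of special
    characters. Returns the name with a trailing dot, raises ValueError
    on truncated or oversized labels. Note that it accepts "$(id)"
    without complaint, exactly as the wire format does.
    """
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("label too long (or a compression pointer)")
        label = data[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("latin-1"))
        offset += length
    return ".".join(labels) + "."


def is_ldh_hostname(name: str) -> bool:
    """True if `name` (presentation form, optional trailing dot) is a
    valid hostname under the letters-digits-hyphen rule."""
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LDH_LABEL.match(label) for label in name.split("."))


def vulnerable_ping_command(ptr_target: str) -> str:
    """The application bug: the reverse-lookup result is assumed to be a
    hostname and spliced into a shell command line. With the hostile
    sample this yields "ping -c 1 $(id).example.com.", which a shell
    would expand. Returned as a string here, never executed."""
    return "ping -c 1 " + ptr_target


def hardened_ping_command(ptr_target: str) -> list:
    """Validate the reply before use and pass it as a single argv element
    (for subprocess.run without shell=True). Raises ValueError for any
    name that is not an LDH hostname, regardless of what the resolver
    was willing to return."""
    if not is_ldh_hostname(ptr_target):
        raise ValueError(f"refusing non-hostname PTR target: {ptr_target!r}")
    return ["ping", "-c", "1", ptr_target.rstrip(".")]


if __name__ == "__main__":
    for wire in (BENIGN_WIRE, HOSTILE_WIRE):
        name = decode_wire_name(wire)
        print(f"{name!r}: wire-valid, LDH hostname={is_ldh_hostname(name)}")
        print("  naive   :", vulnerable_ping_command(name))
        try:
            print("  hardened:", hardened_ping_command(name))
        except ValueError as exc:
            print("  hardened:", exc)
```

Running it shows both names decoding cleanly from wire form, with only the hostile one rejected by the hostname check; a resolver with `check-names response fail;` would have dropped it one layer earlier, but the application-side check is the one that holds when the resolver does not.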