[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Aug 17 17:32:35 UTC 2021

> On 17 Aug 2021, at 1:17 pm, Lee <ler762 at gmail.com> wrote:
> If you have a system that uses systemd-resolved or dnsmasq you can test them at
>  https://xdi-attack.net/test.html
> For whatever it's worth, I get 'Your resolver is not vulnerable ...'
> for each test if I have
>  check-names response fail;
> in my bind named.conf
> But every single 'Special character filtering' test comes back 'was
> not filtered by your resolver' if I remove check-names :(

I am far from convinced that it is the resolver's job to enforce RDATA
syntax restrictions beyond what is required for a valid wire form.

If applications make unwarranted assumptions about the syntax of
DNS replies, that's surely an application bug, rather than an issue
in DNS.
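The thread contrasts BIND's `check-names response fail` with the application doing its own checking. Below is an added example (not code from the thread or from BIND) of the application-side version: a hostname-syntax check applied to the RDATA of record types whose data should be a hostname, dropping anything that a resolver without `check-names` would hand through unchanged. The record tuples and the sample responses are constructed for illustration.

```python
import re

# Hostname syntax per RFC 952/1123, which is what BIND's "check-names"
# enforces for hostnames in RDATA such as CNAME, MX, NS and PTR: labels of
# letters, digits and hyphens, not starting or ending with "-", at most
# 63 octets each, and at most 253 octets for the whole name.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_valid_hostname(name: str) -> bool:
    """Return True if `name` (presentation format) is a valid hostname."""
    if name.endswith("."):
        name = name[:-1]          # tolerate a fully-qualified trailing dot
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def sanitize_rdata_names(rrset):
    """Filter (owner, rtype, rdata) tuples, dropping records whose RDATA
    must be a hostname but does not parse as one. This mirrors
    'check-names response fail' at the application layer, so the
    application no longer depends on the resolver for that guarantee."""
    hostname_rdata = {"CNAME", "PTR", "NS", "MX"}
    kept = []
    for owner, rtype, rdata in rrset:
        # MX RDATA is "<preference> <exchange>"; only the exchange is a name.
        target = rdata.split()[-1] if rtype == "MX" else rdata
        if rtype in hostname_rdata and not is_valid_hostname(target):
            continue
        kept.append((owner, rtype, rdata))
    return kept

# Constructed sample answers: two benign records and three whose names
# carry characters that hostname syntax forbids (a resolver with
# check-names disabled passes these through unchanged).
SAMPLE = [
    ("4.3.2.1.in-addr.arpa", "PTR", "host1.example.com."),
    ("4.3.2.2.in-addr.arpa", "PTR", "host2.example.com;injected."),
    ("www.example.com", "CNAME", "<script>alert(1)</script>.example.com."),
    ("example.com", "MX", "10 mail.example.com."),
    ("example.com", "MX", '10 mail".example.com.'),
]

if __name__ == "__main__":
    for record in sanitize_rdata_names(SAMPLE):
        print(record)   # prints only the two well-formed records
```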
