[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Tony Finch dot at dotat.at
Tue Aug 17 20:17:24 UTC 2021


Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> If applications make unwarranted assumptions about the syntax of
> DNS replies, that's surely an application bug, rather than an issue
> in DNS.

I particularly liked this paper because it's a really good example of a
common cause of security problems: when it isn't clear whose
responsibility it is to enforce an important restriction, in this case,
hostname syntax vs. DNS name (lack of) syntax. And different implementers
have made different choices, for instance whether the libc stub resolver
enforces hostname syntax or not.

And another classic vulnerability generator: standard APIs that make it
easy for non-specialists to step on every rake in the grass. In this case,
if an application needs something more fancy than getaddrinfo(), it has to
contend with the low-level resolver API which is just about better than
nothing for parsing DNS packets, but certainly won't help you handle names
that ought to have restricted syntax (service names, mail domains, etc.)

So I don't think the problems can be dismissed as simply application bugs:
the problems come from mismatches in expectations at the boundary between
the DNS and the applications. And the DNS is notorious (the subject of
memes!) for being far too difficult to use correctly.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Selsey Bill to Lyme Regis: West or northwest 3 to 5. Smooth or slight,
occasionally moderate in east. Showers later. Mainly good.
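The kind of check Tony says the low-level resolver API won't do for you, added here as an illustration (not Tony's code and not from the paper under discussion): enforce RFC 952/1123 hostname syntax on a name returned by the DNS before handing it to anything that expects a hostname. The sample names are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* RFC 952/1123 "LDH" hostname check for a name that came back from the DNS:
 * labels of 1..63 letters, digits or hyphens, no leading/trailing hyphen,
 * at most 253 characters, one optional trailing dot. The DNS itself allows
 * any byte in a label, so a resolver may hand back names containing spaces,
 * quotes or shell metacharacters; this is the check the resolver won't do. */
bool is_valid_hostname(const char *name)
{
    size_t len = strlen(name);
    if (len == 0)
        return false;
    if (name[len - 1] == '.')                  /* tolerate one trailing dot */
        len--;
    if (len == 0 || len > 253)
        return false;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {                        /* end of a label */
            if (label_len == 0 || name[i - 1] == '-')
                return false;                  /* empty label or trailing hyphen */
            label_len = 0;
            continue;
        }
        if (label_len == 0 && c == '-')
            return false;                      /* leading hyphen */
        if (!isalnum(c) && c != '-')
            return false;                      /* anything else is not LDH */
        if (++label_len > 63)
            return false;                      /* label too long */
    }
    return label_len > 0 && name[len - 1] != '-';
}

int main(void)
{
    /* Constructed sample names, as an application might get them from
     * CNAME, MX or SRV answers; none of these are real hosts. */
    const char *samples[] = { "mail.example.com", "mail.example.com.",
        "-bad.example.com", "a b.example.com", "x;id.example.com" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-20s %s\n", samples[i],
               is_valid_hostname(samples[i]) ? "hostname" : "REJECT");
    return 0;
}
```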



