[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Aug 17 20:42:59 UTC 2021
> On 17 Aug 2021, at 4:17 pm, Tony Finch <dot at dotat.at> wrote:
>
> So I don't think the problems can be dismissed as simply application bugs:
> the problems come from mismatches in expectations at the boundary between
> the DNS and the applications. And the DNS is notorious (the subject of
> memes!) for being far too difficult to use correctly.
I remain unconvinced. The DNS-library's job is to accurately return
the DNS query payload to the application. If the application further
expects some particular syntax, then it needs to check for that, e.g.:
https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/valid_hostname.c#L28-L34
valid_hostname() scrutinizes a hostname: the name should
be no longer than VALID_HOSTNAME_LEN characters, should
contain only letters, digits, dots and hyphens, no adjacent
dots, no leading or trailing dots or hyphens, no labels
longer than VALID_LABEL_LEN characters, and it should not
be all numeric.
https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/valid_utf8_hostname.c#L13-L17
valid_utf8_hostname() is a wrapper around valid_hostname().
If EAI support is compiled in, and enable_utf8 is true, the
name is converted from UTF-8 to ASCII per IDNA rules, before
invoking valid_hostname().
https://github.com/vdukhovni/postfix/blob/master/postfix/src/dns/dns_lookup.c#L80-L86
dns_lookup() looks up DNS resource records. When requested to
look up data other than type CNAME, it will follow a limited
number of CNAME indirections. All result names (including
null terminator) will fit a buffer of size DNS_NAME_LEN.
All name results are validated by \fIvalid_hostname\fR();
an invalid name is reported as a DNS_INVAL result, while
malformed replies are reported as transient errors.
This is not particularly different from other sorts of input validation
needed to avoid SQL injection attacks, shell command injection attacks,
and so forth.
$ git grep -Ecw 'valid(_utf8)?_hostname' 'src/*.c' | sort -t: -k2nr
src/util/valid_utf8_hostname.c:13
src/util/valid_hostname.c:9
src/dns/dns_lookup.c:6
src/smtpd/smtpd_check.c:6
src/util/midna_domain.c:6
src/smtp/smtp_tls_policy.c:5
src/smtpd/smtpd.c:5
src/global/mail_params.c:3
src/util/get_hostname.c:3
src/util/host_port.c:3
src/global/midna_adomain.c:2
src/postqueue/postqueue.c:2
src/postscreen/postscreen_dnsbl.c:2
src/smtpstone/qmqp-source.c:2
src/smtpstone/smtp-source.c:2
src/tls/tls_misc.c:2
src/trivial-rewrite/resolve.c:2
src/util/myaddrinfo.c:2
src/dnsblog/dnsblog.c:1
src/global/haproxy_srvr.c:1
src/global/mail_queue.c:1
src/global/valid_mailhost_addr.c:1
src/oqmgr/qmgr_message.c:1
src/qmgr/qmgr_message.c:1
--
Viktor.
More information about the dns-operations
mailing list