[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Mark Andrews marka at isc.org
Tue Aug 17 21:12:32 UTC 2021


Libresolv also had checking functions added last century, when sendmail accepted colons in hostnames, causing havoc as it used a colon-separated record in its processing. 

BIND’s libdns has checking functions in it as well. 

Everything that comes off the wire needs to be checked.  Occasionally some checks will be missed. 
-- 
Mark Andrews

> On 18 Aug 2021, at 06:50, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> 
>> 
>> On 17 Aug 2021, at 4:17 pm, Tony Finch <dot at dotat.at> wrote:
>> 
>> So I don't think the problems can be dismissed as simply application bugs:
>> the problems come from mismatches in expectations at the boundary between
>> the DNS and the applications. And the DNS is notorious (the subject of
>> memes!) for being far too difficult to use correctly.
> 
> I remain unconvinced.  The DNS-library's job is to accurately return
> the DNS query payload to the application.  If the application further
> expects some particular syntax, then it needs to check for that, e.g.:
> 
>  https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/valid_hostname.c#L28-L34
> 
>    valid_hostname() scrutinizes a hostname: the name should
>    be no longer than VALID_HOSTNAME_LEN characters, should
>    contain only letters, digits, dots and hyphens, no adjacent
>    dots, no leading or trailing dots or hyphens, no labels
>    longer than VALID_LABEL_LEN characters, and it should not
>    be all numeric.
> 
>  https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/valid_utf8_hostname.c#L13-L17
> 
>    valid_utf8_hostname() is a wrapper around valid_hostname().
>    If EAI support is compiled in, and enable_utf8 is true, the
>    name is converted from UTF-8 to ASCII per IDNA rules, before
>    invoking valid_hostname().
> 
>  https://github.com/vdukhovni/postfix/blob/master/postfix/src/dns/dns_lookup.c#L80-L86
> 
>    dns_lookup() looks up DNS resource records. When requested to
>    look up data other than type CNAME, it will follow a limited
>    number of CNAME indirections. All result names (including
>    null terminator) will fit a buffer of size DNS_NAME_LEN.
>    All name results are validated by \fIvalid_hostname\fR();
>    an invalid name is reported as a DNS_INVAL result, while
>    malformed replies are reported as transient errors.
> 
> This is not particularly different from other sorts of input validation
> needed to avoid SQL injection attacks, shell command injection attacks,
> and so forth.
> 
> $ git grep -Ecw 'valid(_utf8)?_hostname' 'src/*.c' | sort -t: -k2nr
> src/util/valid_utf8_hostname.c:13
> src/util/valid_hostname.c:9
> src/dns/dns_lookup.c:6
> src/smtpd/smtpd_check.c:6
> src/util/midna_domain.c:6
> src/smtp/smtp_tls_policy.c:5
> src/smtpd/smtpd.c:5
> src/global/mail_params.c:3
> src/util/get_hostname.c:3
> src/util/host_port.c:3
> src/global/midna_adomain.c:2
> src/postqueue/postqueue.c:2
> src/postscreen/postscreen_dnsbl.c:2
> src/smtpstone/qmqp-source.c:2
> src/smtpstone/smtp-source.c:2
> src/tls/tls_misc.c:2
> src/trivial-rewrite/resolve.c:2
> src/util/myaddrinfo.c:2
> src/dnsblog/dnsblog.c:1
> src/global/haproxy_srvr.c:1
> src/global/mail_queue.c:1
> src/global/valid_mailhost_addr.c:1
> src/oqmgr/qmgr_message.c:1
> src/qmgr/qmgr_message.c:1
> 
> -- 
>    Viktor.
> 
> 
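The rules Viktor quotes from the valid_hostname() description (length limit, letters/digits/dots/hyphens only, no adjacent or leading/trailing dots or hyphens, per-label length limit, not all numeric) are the kind of application-side check Mark says every off-the-wire name needs. The following is an added illustration of such a validator, not Postfix's own code and not BIND's or libresolv's: the limits HOSTNAME_MAX_LEN and LABEL_MAX_LEN are assumed stand-ins for VALID_HOSTNAME_LEN and VALID_LABEL_LEN (set to the usual DNS maxima), the hyphen rule is applied per label (at least as strict as the quoted wording), and the sample inputs in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example validator. Not Postfix code: the two limits are assumed
 * stand-ins for VALID_HOSTNAME_LEN / VALID_LABEL_LEN.
 */
#define HOSTNAME_MAX_LEN 255
#define LABEL_MAX_LEN    63

/* ASCII-only classification, independent of the C locale. */
static bool is_ascii_alpha(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

static bool is_ascii_digit(unsigned char c)
{
    return c >= '0' && c <= '9';
}

/* Return true only if NAME is syntactically a hostname under the rules above. */
bool hostname_is_valid(const char *name)
{
    size_t len = strlen(name);
    size_t label_len = 0;       /* characters seen in the current label */
    bool all_numeric = true;    /* cleared by the first non-digit */

    if (len == 0 || len > HOSTNAME_MAX_LEN)
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) name[i];

        if (c == '.') {
            if (label_len == 0)          /* leading dot or adjacent dots */
                return false;
            if (name[i - 1] == '-')      /* a label must not end in a hyphen */
                return false;
            label_len = 0;
        } else if (c == '-') {
            if (label_len == 0)          /* a label must not start with a hyphen */
                return false;
            label_len++;
            all_numeric = false;
        } else if (is_ascii_alpha(c) || is_ascii_digit(c)) {
            if (!is_ascii_digit(c))
                all_numeric = false;
            label_len++;
        } else {
            return false;                /* ':', '/', space, control and non-ASCII bytes */
        }
        if (label_len > LABEL_MAX_LEN)
            return false;
    }
    if (label_len == 0)                  /* trailing dot */
        return false;
    if (name[len - 1] == '-')            /* trailing hyphen */
        return false;
    return !all_numeric;                 /* "192.0.2.1" is an address, not a hostname */
}

/* Build a 64-character label (one over the assumed limit) and confirm it is rejected. */
bool overlong_label_is_rejected(void)
{
    char buf[LABEL_MAX_LEN + 1 + sizeof ".example.com"];
    memset(buf, 'a', LABEL_MAX_LEN + 1);
    memcpy(buf + LABEL_MAX_LEN + 1, ".example.com", sizeof ".example.com");
    return !hostname_is_valid(buf);
}

int main(void)
{
    /* Constructed sample results, as an application might receive them from a resolver. */
    const char *samples[] = {
        "mail.example.com", "1a.example.com", "example.com.",
        "mail..example.com", "-mail.example.com", "mail-.example.com",
        "192.0.2.1", "ex:ample.com", "",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               hostname_is_valid(samples[i]) ? "accepted" : "rejected");
    printf("64-char label        %s\n",
           overlong_label_is_rejected() ? "rejected" : "accepted");
    return 0;
}
```

This validator accepts only ASCII, which matches the quoted description of valid_utf8_hostname(): a UTF-8 name is converted to ASCII per IDNA rules first and only then handed to the ASCII check, so non-ASCII bytes reaching this function are correctly rejected rather than passed through to a shell or an address parser.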