[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Lee ler762 at gmail.com
Tue Aug 17 23:27:15 UTC 2021


On 8/17/21, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>> On 17 Aug 2021, at 1:17 pm, Lee <ler762 at gmail.com> wrote:
>>
>> If you have a system that uses systemd-resolved or dnsmasq you can test
>> them at
>>  https://xdi-attack.net/test.html
>>
>> For whatever it's worth, I get 'Your resolver is not vulnerable ...'
>> for each test if I have
>>  check-names response fail;
>> in my bind named.conf
>> But every single 'Special character filtering' test comes back 'was
>> not filtered by your resolver' if I remove check-names :(
>
> I am far from convinced that it is the resolver's job to enforce RDATA
> syntax restrictions beyond what is required for a valid wire form.
>
> If applications make unwarranted assumptions about the syntax of
> DNS replies, that's surely an application bug, rather than an issue
> in DNS.

I disagree.  Programmers f**k up _all the time_
  https://www.microsoft.com/en-us/securityengineering/sdl/about
    "In January 2002, Microsoft launched its Trustworthy Computing
initiative to help ensure Microsoft products and services were built
inherently highly secure, available, reliable..."

M$ is still shipping buggy software; blaming programmers hasn't helped.

Regards,
Lee
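
Added example, not part of the original message and not code from either poster or from BIND: a Python sketch of the application-side check the thread is arguing about. It splits a wire-format name into raw labels and accepts it as a hostname only if every label is letters-digits-hyphen (RFC 952/1123). The function names and sample byte strings are constructed for illustration, and the name is assumed to be already decompressed.

```python
import re

# One hostname label: letters, digits, hyphen; no leading or trailing hyphen.
LDH_LABEL = re.compile(rb"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def decode_wire_name(buf, offset=0):
    """Split an uncompressed wire-format name into raw label bytes.
    Returns (labels, next_offset); compression pointers are rejected."""
    labels, total = [], 1                      # 1 = terminating root octet
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length > 63:
            raise ValueError("label too long or compression pointer")
        if offset + length > len(buf):
            raise ValueError("truncated label")
        total += length + 1
        if total > 255:
            raise ValueError("name exceeds 255 octets")
        labels.append(buf[offset:offset + length])
        offset += length

def hostname_or_none(labels):
    """Dotted hostname if every label is LDH, else None.
    fullmatch() is used because '$' would accept a trailing newline."""
    if not labels or not all(LDH_LABEL.fullmatch(l) for l in labels):
        return None
    return b".".join(labels).decode("ascii")

def check(buf):
    labels, _ = decode_wire_name(buf)
    return hostname_or_none(labels)

# Constructed samples: all are valid wire form, only the first is a hostname.
SAMPLES = [
    b"\x03www\x07example\x03com\x00",   # three plain labels
    b"\x0bwww.example\x03com\x00",      # one label containing a literal dot
    b"\x04a\x00bc\x03com\x00",          # label with an embedded NUL byte
    b"\x04www\n\x03com\x00",            # label ending in a newline
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check(sample))
```

The second sample is the case a naive join-with-dots decoder cannot distinguish from the first, which is why the check runs on raw labels before any string is built.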


