[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Paul Ebersman list-dns-operations at dragon.net
Tue Aug 17 23:49:04 UTC 2021

dukhovni> I am far from convinced that it is the resolvers job to
dukhovni> enforce RDATA syntax restrictions beyond what is required for
dukhovni> a valid wire form.

dukhovni> If applications make unwarranted assumptions about the syntax
dukhovni> of DNS replies, that's surely an application bug, rather than
dukhovni> an issue in DNS.

ler762> I disagree.  Programmers f**k up _all the time_
ler762> M$ is still shipping buggy software; blaming programmers hasn't
ler762> helped.

I'm with Lee.

DNS is a complicated, esoteric knowledge set. The reason apps,
middleware and various other boxes mucking with DNS in transit tend to
suck is exactly because the programmers on those boxes don't have this
expertise and make all sorts of bad assumptions about what is safe/sane.

Resolver coders are vastly more likely to have knowledge of what might
break, what is unsafe, etc. And if they miss a check, the odds of said
resolver coders finding this out quickly, and fixing it and getting it
deployed, are much better than expecting apps or middleware box
developers to do so.

More information about the dns-operations mailing list