[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Paul Ebersman list-dns-operations at dragon.net
Tue Aug 17 23:52:40 UTC 2021


pe> Resolver coders are vastly more likely to have knowledge of what
pe> might break, what is unsafe, etc. And if they miss a check, the odds
pe> of said resolver coders finding this out quickly, and fixing it and
pe> getting it deployed, are much better than expecting apps or
pe> middleware box developers to do so.

Just to be clear, I don't think this is the best architecture in a
perfect world. I'd love to see all apps using a solid DNS library, like
getdnsapi, doing their own validation, etc. and knowing what is/isn't
valid data. I just don't see that as a reasonable expectation any time
soon...



More information about the dns-operations mailing list