[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Paul Ebersman list-dns-operations at dragon.net
Wed Aug 18 00:14:35 UTC 2021


pe> DNS is a complicated, esoteric knowledge set. The reason apps,
pe> middleware and various other boxes mucking with DNS in transit tend
pe> to suck is exactly because the programmers on those boxes don't have
pe> this expertise and make all sorts of bad assumptions about what is
pe> safe/sane.

pe> Resolver coders are vastly more likely to have knowledge of what
pe> might break, what is unsafe, etc. And if they miss a check, the odds
pe> of said resolver coders finding this out quickly, and fixing it and
pe> getting it deployed, are much better than expecting apps or
pe> middleware box developers to do so.

dukhovni> The middleboxes will get it wrong, and will have stale
dukhovni> firmware for decades.  Do not place your trust in middleboxes.

Read what I wrote above. I pointed out middleware boxes as places with
mistakes, not as where to try to fix it.

dukhovni> The sanest viable place to do *some* common validation is in
dukhovni> stub resolvers that support type-specific lookup functions
dukhovni> above the basic (qname, qtype) interface, also perhaps in the
dukhovni> system nsswitch and getaddrinfo()).

The sanest, but far less likely to be implemented in apps or app
libraries. Resolvers doing validation are far more likely to have
current code and DNS-aware developers. It would be lovely if that were
in devices, but it is far more likely in the recursive resolvers they talk
to.
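As an added illustration of the type-specific validation dukhovni describes above (example code, not from this thread or from any resolver library): a checking layer that sits above a plain (qname, qtype) lookup and rejects rdata that is not well-formed for its type before it reaches the application. The resolver backend and its answers are constructed stand-ins.

```python
import ipaddress
import re

# One label of a host name: letters, digits, hyphen; no leading/trailing hyphen; 1-63 octets.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name: str) -> bool:
    """RFC 1123 host-name syntax for targets of PTR/CNAME/NS/MX (not for TXT/SRV owner names)."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def _ip(version):
    def check(rdata):
        try:
            return ipaddress.ip_address(rdata).version == version
        except ValueError:
            return False
    return check

def _mx(rdata):
    parts = rdata.split()
    return (len(parts) == 2 and parts[0].isdigit() and int(parts[0]) <= 65535
            and valid_hostname(parts[1]))

# Per-type checks; TXT is free-form, so the app must still treat it as opaque data.
VALIDATORS = {"A": _ip(4), "AAAA": _ip(6), "CNAME": valid_hostname,
              "PTR": valid_hostname, "NS": valid_hostname, "MX": _mx,
              "TXT": lambda rdata: True}

# Constructed answers standing in for a raw resolver; two contain injection-style rdata.
FAKE_ANSWERS = {
    ("4.3.2.1.in-addr.arpa", "PTR"): ["host.example.net.", "bad host;id.example.net."],
    ("www.example.com", "A"): ["192.0.2.10", "999.1.1.1"],
    ("example.com", "MX"): ["10 mail.example.com.", "10 <script>alert(1)</script>."],
    ("example.com", "TXT"): ["v=spf1 -all"],
}

def fake_resolve(qname, qtype):
    return FAKE_ANSWERS.get((qname, qtype), [])

def checked_lookup(qname, qtype, resolve=fake_resolve):
    """Return (accepted, rejected) rdata lists after the type-specific check."""
    check = VALIDATORS.get(qtype)
    if check is None:
        raise ValueError(f"no type-specific validator for {qtype}")
    accepted, rejected = [], []
    for rdata in resolve(qname, qtype):
        (accepted if check(rdata) else rejected).append(rdata)
    return accepted, rejected
```

Logging the rejected list is a cheap detection signal: a resolver that normally returns zero malformed host names and suddenly returns several is worth a look.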
