[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Andrew Sullivan ajs at anvilwalrusden.com
Wed Aug 18 00:18:46 UTC 2021


On Tue, Aug 17, 2021 at 09:17:24PM +0100, Tony Finch wrote:

>common cause of security problems: when it isn't clear whose
>responsibility it is to enforce an important restriction, in this case,
>hostname syntax vs. DNS name (lack of) syntax. And different implementers
>have made different choices, for instance whether the libc stub resolver
>enforces hostname syntax or not.

This has been a source of trouble essentially forever.  But "fixing" it in the resolver itself is, I'd suggest, a bad idea unless one creates different calls to the resolver.  There's an argument to be made for that, of course.  As I recall things, the getdnsapi effort was an attempt among other things to provide the calls necessary to ask for various kinds of raw or pre-baked responses, and this would be in line with that sort of thing.  I have long believed that a huge part of the problem is the deficiency of the standard library, and if we could find a way to make an extended library more attractive to application programmers it'd be IMO great.

>if an application needs something more fancy than getaddrinfo(), it has to
>contend with the low-level resolver API which is just about better than
>nothing for parsing DNS packets, but certainly won't help you handle names
>that ought to have restricted syntax (service names, mail domains, etc...)

Hence https://getdnsapi.net/

Best regards,


Andrew Sullivan
ajs at anvilwalrusden.com
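The hostname-syntax vs. DNS-name distinction discussed above, as an added example (not code from either poster or from the getdnsapi project): is_valid_hostname() is the application-side check the thread says a libc stub resolver may or may not perform, and is_valid_dns_name() applies only the structural limits the DNS itself imposes, so the difference between the two is exactly the set of names for which someone has to take responsibility. Function names are the example's own, and presentation-form escapes are left out for brevity.

```c
#include <stdbool.h>
#include <string.h>

/* "LDH" octet: ASCII letter, digit or hyphen (locale-independent). */
static bool is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-';
}

/* Hostname syntax (RFC 952 / RFC 1123): LDH labels with no leading or trailing
 * hyphen, 1..63 octets per label, 253 octets total; a trailing dot is accepted.
 * This is the check the application must do itself if its stub resolver does not. */
bool is_valid_hostname(const char *name)
{
    size_t len = strlen(name), label_len = 0;
    if (len > 0 && name[len - 1] == '.') len--;     /* fully-qualified form */
    if (len == 0 || len > 253) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0 || name[i - 1] == '-') return false;
            label_len = 0;
        } else if (!is_ldh(c) || (label_len == 0 && c == '-') || ++label_len > 63) {
            return false;   /* '_', ' ', control bytes, 64-octet labels... */
        }
    }
    return label_len > 0 && name[len - 1] != '-';
}

/* DNS name syntax (RFC 1035, RFC 2181 section 11): only structural limits apply,
 * a label may carry any octet. Presentation-form escapes are not handled here
 * (simplification). Names that pass this but fail is_valid_hostname() are the gap. */
bool is_valid_dns_name(const char *name)
{
    size_t len = strlen(name), label_len = 0;
    if (strcmp(name, ".") == 0) return true;        /* the root name */
    if (len > 0 && name[len - 1] == '.') len--;
    if (len == 0 || len > 253) return false;
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '.') {
            if (label_len == 0) return false;       /* empty label */
            label_len = 0;
        } else if (++label_len > 63) {
            return false;
        }
    }
    return label_len > 0;
}
```

A name such as "a_b.example" passes is_valid_dns_name() and fails is_valid_hostname(); whichever layer is meant to reject it, the other one will happily pass it along.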