[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS
Andrew Sullivan
ajs at anvilwalrusden.com
Wed Aug 18 00:18:46 UTC 2021
Hi,
On Tue, Aug 17, 2021 at 09:17:24PM +0100, Tony Finch wrote:
>common cause of security problems: when it isn't clear whose
>responsibility it is to enforce an important restriction, in this case,
>hostname syntax vs. DNS name (lack of) syntax. And different implementers
>have made different choices, for instance whether the libc stub resolver
>enforces hostname syntax or not.
This has been a source of trouble essentially forever. But "fixing" it in the resolver itself is, I'd suggest, a bad idea unless one creates different calls to the resolver. There's an argument to be made for that, of course. As I recall things, the getdnsapi effort was an attempt among other things to provide the calls necessary to ask for various kinds of raw or pre-baked responses, and this would be in line with that sort of thing. I have long believed that a huge part of the problem is the deficiency of the standard library, and if we could find a way to make an extended library more attractive to application programmers it'd be IMO great.
>if an application needs something more fancy than getaddrinfo(), it has to
>contend with the low-level resolver API which is just about better than
>nothing for parsing DNS packets, but certainly won't help you handle names
>that ought to have restricted syntax (service names, mail domains, etc...)
Hence https://getdnsapi.net/
Best regards,
A
--
Andrew Sullivan
ajs at anvilwalrusden.com
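The restriction discussed in this thread, hostname syntax versus unrestricted DNS name syntax, as an added example that is not part of the original message and not libc or getdns code: an application-side check that an uncompressed wire-format DNS name is also a valid hostname before it is used as one. The function name and the sample names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Return 1 if the uncompressed wire-format name in wire[0..len) is also a
 * syntactically valid hostname (RFC 952/1123: letters, digits, hyphen),
 * 0 otherwise. Hypothetical helper, not a libc or getdns call. */
int wire_name_is_hostname(const unsigned char *wire, size_t len)
{
    size_t pos = 0, labels = 0;

    if (len == 0 || len > 255)           /* a wire name is at most 255 octets */
        return 0;
    for (;;) {
        if (pos >= len)
            return 0;                     /* ran off the end, no root label */
        size_t n = wire[pos++];
        if (n == 0)                       /* root label must end the buffer */
            return labels > 0 && pos == len;
        if (n > 63 || n > len - pos)      /* pointer, bad length, or overrun */
            return 0;
        const unsigned char *l = wire + pos;
        if (l[0] == '-' || l[n - 1] == '-')
            return 0;                     /* no leading or trailing hyphen */
        for (size_t i = 0; i < n; i++) {
            unsigned char c = l[i];
            if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-'))
                return 0;                 /* legal in a DNS name, not in a hostname */
        }
        pos += n;
        labels++;
    }
}

/* Constructed samples; the string literal's trailing NUL is the root label. */
static const unsigned char NAME_OK[]  = "\3www\7example\3com";
static const unsigned char NAME_SRV[] = "\4_sip\4_tcp\7example\3com";
static const unsigned char NAME_RAW[] = "\3a b\7example\3com";

int main(void)
{
    printf("www.example.com        -> %d\n", wire_name_is_hostname(NAME_OK, sizeof NAME_OK));
    printf("_sip._tcp.example.com  -> %d\n", wire_name_is_hostname(NAME_SRV, sizeof NAME_SRV));
    printf("a\\032b.example.com      -> %d\n", wire_name_is_hostname(NAME_RAW, sizeof NAME_RAW));
    return 0;
}
```

The underscore-labelled service name is a valid DNS name but is rejected here, which is the distinction the thread is about: the same name needs a different syntax check depending on what the application is going to use it for.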