[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Aug 18 00:22:29 UTC 2021


> On 17 Aug 2021, at 8:14 pm, Paul Ebersman <list-dns-operations at dragon.net> wrote:
> 
> The sanest but far less likely to be implemented in apps or apps
> libraries. Resolvers doing validation are far more likely to have
> current code and DNS aware developers. It would be lovely if that were
> in devices but is far more likely in the recursive resolvers they talk
> to.

A client using 8.8.8.8 as its iterative resolver and delegating all
input validation to that upstream becomes vulnerable not only to
data forgery, but also to validation bypass if an MiTM pretending to
be 8.8.8.8 returns unvalidated data.

The only stub resolver one can expect to not be bypassed is the
stub resolver in the OS libraries.  These stub resolvers vary from
OS to OS, and don't get a lot of maintainer attention.

So whether you like it or not, the burden is on the application,
and any higher level libraries known to deliver syntactically
validated results.

-- 
	Viktor.
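The point above is that the application (or a library it trusts) must syntactically validate what comes back from the resolver before the data reaches a shell, a log, a page template or a query. As an added illustration, not code from the list post or from any resolver library, the following Python filter applies the classic RFC 952 / RFC 1123 "LDH" hostname rule (letters, digits, hyphens; labels of 1 to 63 octets that do not start or end with a hyphen; at most 253 octets overall) to strings received from DNS, such as PTR, CNAME, MX or SRV targets. The sample answers are constructed for the example. The rule is deliberately strict and only suits names that will be used as hostnames; owner names that legitimately contain underscores (for example SRV or DKIM names) or free-form record types such as TXT need a different check.

```python
import re

# Strict "LDH" label syntax (RFC 952 / RFC 1123 section 2.1): 1..63 characters from
# [A-Za-z0-9-], not starting or ending with a hyphen. fullmatch() is used so that a
# trailing newline or any other stray byte cannot slip past a '$' anchor.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Maximum length of a presentation-format name without the trailing dot.
_MAX_NAME_LEN = 253


def is_valid_hostname(name: str) -> bool:
    """Return True only if `name` is a syntactically valid DNS hostname.

    Accepts an optional single trailing dot (fully qualified form). Rejects empty
    names, empty labels ("a..b"), over-long names or labels, and any character
    outside the LDH set, which is where shell metacharacters, quotes, whitespace
    and control bytes would otherwise hide.
    """
    if not isinstance(name, str) or not name:
        return False
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > _MAX_NAME_LEN:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def sanitize_dns_answers(answers):
    """Split raw strings obtained from DNS into (accepted, rejected) lists.

    `accepted` contains only values that pass strict hostname syntax and are
    therefore safe to use as hostnames; `rejected` is returned so callers can
    log or alert on what the resolver handed back without ever using it.
    """
    accepted, rejected = [], []
    for answer in answers:
        (accepted if is_valid_hostname(answer) else rejected).append(answer)
    return accepted, rejected


# Constructed sample of what a resolver might return for reverse or alias lookups.
# The first three are well-formed; the remaining four would be dropped.
SAMPLE_ANSWERS = [
    "mail.example.com.",
    "host-1.internal.example.net",
    "xn--bcher-kva.example",
    "x;y.example.com",      # shell metacharacter inside a label
    "a b.example.com",      # whitespace inside a label
    "-bad.example.com",     # label starting with a hyphen
    "",                     # empty answer
]

if __name__ == "__main__":
    ok, bad = sanitize_dns_answers(SAMPLE_ANSWERS)
    print("accepted:", ok)
    print("rejected:", bad)
```

Because the resolver's answer is treated as untrusted input, this check belongs in the application regardless of whether the upstream validates DNSSEC: a forged or unvalidated answer that still passes LDH syntax cannot carry an injection payload, and one that fails is never used.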