[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Wed Aug 18 16:31:35 UTC 2021


On 18/08/2021 01.49, Paul Ebersman wrote:
> DNS is a complicated, esoteric knowledge set. The reason apps,
> middleware and various other boxes mucking with DNS in transit tend to
> suck is exactly because the programmers on those boxes don't have this
> expertise and make all sorts of bad assumptions about what is safe/sane.

I typically put the blame on them trying to dissect what they don't 
understand instead of using some library or tool that does. OK, perhaps 
the toolset could be improved, but I don't think we can make the DNS 
*protocol* itself easy (not anymore; maaaybe after a big incompatible 
redesign but who dares to push for that).

It's similar to why you should not code TLS yourself, though there it's 
more obvious that you'll be prone to security bugs.

--Vladimir | knot-resolver.cz
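One concrete instance of the "bad assumptions" Vladimir and Paul are talking about, written for this page as an added example (it is not code from the original post, from the cited paper, or from Knot Resolver): a hand-rolled decoder for DNS names that follows compression pointers without checking them, beside a decoder that applies the RFC 1035 name-encoding rules. The message bytes, the function names `decode_name_naive`, `decode_name` and `describe`, and the `BadName` exception are all assumptions of this example.

```python
# Added example: hand-rolled DNS name decoding vs. one that checks its input.
# All message bytes below are constructed for this example, not captured traffic.

MAX_NAME = 255  # RFC 1035 §2.3.4: maximum length of an uncompressed name


class BadName(ValueError):
    """Raised when a name violates the RFC 1035 encoding rules."""


def decode_name_naive(msg, off, max_steps=1000):
    """The usual middlebox mistake: follow pointers wherever they lead.
    max_steps only exists so this example terminates; a real naive decoder
    spins forever on a pointer loop (or crashes on a truncated label)."""
    labels, steps = [], 0
    while True:
        steps += 1
        if steps > max_steps:
            raise RuntimeError("pointer loop: naive decoder would never terminate")
        length = msg[off]
        if length == 0:
            return ".".join(labels) + "."
        if length & 0xC0 == 0xC0:
            off = ((length & 0x3F) << 8) | msg[off + 1]  # no direction or bounds check
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("latin-1"))
        off += 1 + length


def decode_name(msg, off):
    """Decode a possibly-compressed name at msg[off].
    Returns (name, offset of the first byte after the name in the wire stream).
    Rejects pointer loops, forward pointers, reserved label types, over-long
    names and anything that runs past the end of the message."""
    labels, name_len, end = [], 0, None
    segment_start = off  # a pointer must target a prior occurrence (RFC 1035 §4.1.4)
    while True:
        if off >= len(msg):
            raise BadName("name runs past end of message")
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else off + 1)
        kind = length & 0xC0
        if kind == 0xC0:  # compression pointer
            if off + 1 >= len(msg):
                raise BadName("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if end is None:
                end = off + 2  # the pointer is the last thing in the wire stream
            if ptr >= segment_start:
                raise BadName("forward or self-referencing compression pointer")
            segment_start = off = ptr
            continue
        if kind != 0:  # 0x40 / 0x80: reserved label types, never valid here
            raise BadName("reserved label type 0x%02x" % kind)
        if off + 1 + length > len(msg):
            raise BadName("label runs past end of message")
        name_len += 1 + length
        if name_len > MAX_NAME:
            raise BadName("name longer than 255 octets")
        labels.append(msg[off + 1:off + 1 + length].decode("latin-1"))  # lossless
        off += 1 + length


def describe(msg, off):
    """Helper for the demo below: a string instead of an exception."""
    try:
        return "ok: " + decode_name(msg, off)[0]
    except BadName as e:
        return "rejected: " + str(e)


# Constructed messages: 12-byte header, question "example.com. IN A" (name at
# offset 12, 13 octets, then 4 octets of type/class), answer name at offset 29.
HEADER = bytes(12)
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
GOOD = HEADER + QUESTION + b"\x03www\xc0\x0c"          # "www" + pointer to offset 12
SELF_LOOP = HEADER + QUESTION + b"\xc0\x1d"            # pointer at 29 -> 29
CHAIN_LOOP = HEADER + QUESTION + b"\x03www\xc0\x21"    # pointer at 33 -> 33
RESERVED = HEADER + QUESTION + b"\x40abc\x00"          # label type 01, reserved
TRUNCATED = HEADER + QUESTION + b"\x03ww"              # label longer than message

if __name__ == "__main__":
    print(decode_name_naive(GOOD, 29))
    for label, m in [("good", GOOD), ("self-loop", SELF_LOOP),
                     ("chain-loop", CHAIN_LOOP), ("reserved", RESERVED),
                     ("truncated", TRUNCATED)]:
        print(label, "->", describe(m, 29))
```

The pointer check is deliberately stricter than "points backward": a pointer is only accepted if it targets an offset before the start of the label sequence currently being read, which is the RFC's "prior occurrence" and is what makes loops impossible without any visited-set bookkeeping. A library such as dnspython or ldns does this for you; the point of the example is how many separate assumptions the naive version silently makes.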



