Hi Christoph,

On 8/14/21 1:11 PM, Christoph via Pdns-users wrote:
> We were wondering if there is an easy way in Recursor's configuration to enable validation of hostnames similar to their python proof of concept [4]?

We don't have such an option at the moment, although it would not be too hard to implement via our Lua hooks.

> If there is no such option: Would you accept a feature request via GH
> to implement such an option?

I would personally not implement such a filter in a recursor, though, as the authors themselves acknowledge it would be challenging not to block legitimate records: "Nevertheless, performing checks on DNS records is challenging: some applications, like SRV service discovery [38], require domain names with characters that are not allowed in hostnames (e.g., underscore). Defining a list of allowed characters so that legitimate applications would still work but injection attacks would be blocked should be further investigated and is not straightforward. In particular, it is difficult to foresee what characters and formats will be needed by future applications, hence a ‘too-restrictive’ list of allowed characters would make DNS less transparent, possibly introducing obstacles in deployment of new applications, or when adding new versions or new features to existing applications."

I would be willing to accept a new rule in dnsdist, though, validating whether owner names and targets are valid hostnames, if there is any interest.

I'm also interested in your opinions on whether such validation might cause issues in practice.

My understanding is that restricting owner names and targets in queries and responses to valid hostnames, in a resolver, would lead to issues quite quickly, at the very least with SRV and SVCB records. I'm not really convinced it can be implemented at the stub resolver level either without breaking some applications.

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
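As an added illustration of the trade-off discussed in the reply above (example code written for this page, not PowerDNS code, and not the Recursor Lua hook API or a dnsdist rule): a Python stand-in for a "valid hostname" rule applied to owner names and name-valued targets, run over a constructed record set. The strict LDH (letters, digits, hyphen) check drops the SRV, SVCB and _dmarc owner names together with a target that contains a control character; the relaxed variant, which accepts a leading-underscore label (an assumption of this example, not a standard), keeps the service-discovery names and still catches the control character. The record list, the underscore rule and the set of record types treated as name-valued are constructed for this example.

```python
"""Hostname (LDH) validation for DNS owner names and record targets.

Added example, not PowerDNS code: a stand-in for the kind of rule discussed
in the reply above, written to show why a strict rule breaks SRV/SVCB names.
"""
import re
from typing import List, Optional, Tuple

# RFC 952/1123 "letters, digits, hyphen" label: 1..63 chars, no leading or
# trailing hyphen.  Matched with fullmatch(): a '$' anchor would still accept
# a label ending in "\n", which is exactly the kind of byte a rule should catch.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Assumed relaxation (this example's choice, not a standard): an "attribute"
# label such as "_sip", "_tcp", "_443" or "_dmarc", i.e. a leading underscore
# followed by LDH characters, still at most 63 characters in total.
UNDERSCORE_LABEL = re.compile(r"_[A-Za-z0-9][A-Za-z0-9-]{0,61}")

# Record types whose RDATA carries a domain name that such a rule would also
# inspect (assumption for this example).
NAME_TARGET_TYPES = {"CNAME", "MX", "NS", "PTR", "SRV", "SVCB", "HTTPS"}

# (owner, rtype, name-valued target or None)
Record = Tuple[str, str, Optional[str]]


def is_valid_hostname(name: str, allow_underscore_labels: bool = False) -> bool:
    """Return True if every label of ``name`` is an LDH label (optionally also
    allowing a leading-underscore label).  A trailing dot (FQDN) and the root
    name "." are accepted; the name without its trailing dot must be <= 253."""
    if name == ".":
        return True
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    for label in name.split("."):
        if LDH_LABEL.fullmatch(label):
            continue
        if allow_underscore_labels and UNDERSCORE_LABEL.fullmatch(label):
            continue
        return False
    return True


def rejected_records(records: List[Record],
                     allow_underscore_labels: bool = False) -> List[Tuple[str, str, str]]:
    """Return (owner, rtype, field) for every record the rule would drop,
    where ``field`` is "owner" or "target".  Order follows the input."""
    out: List[Tuple[str, str, str]] = []
    for owner, rtype, target in records:
        if not is_valid_hostname(owner, allow_underscore_labels):
            out.append((owner, rtype, "owner"))
        if (rtype in NAME_TARGET_TYPES and target is not None
                and not is_valid_hostname(target, allow_underscore_labels)):
            out.append((owner, rtype, "target"))
    return out


# Constructed sample records (not captured traffic).
SAMPLE_RECORDS: List[Record] = [
    ("www.example.com.", "CNAME", "web-1.example.net."),
    ("example.com.", "MX", "mail.example.com."),
    ("_sip._tcp.example.com.", "SRV", "sipserver.example.com."),   # SRV owner
    ("_dns.resolver.example.", "SVCB", "dns.resolver.example."),   # SVCB owner
    ("_dmarc.example.com.", "TXT", None),                          # TXT owner
    ("evil.example.com.", "CNAME", "host\ninjected.example.com."),  # LF in a label
    ("bad-.example.com.", "A", None),                              # trailing hyphen
]


def main() -> None:
    for relaxed in (False, True):
        mode = "underscore labels allowed" if relaxed else "strict LDH"
        print(f"--- {mode} ---")
        for owner, rtype, field in rejected_records(SAMPLE_RECORDS, relaxed):
            print(f"drop {rtype:5} {owner!r}: invalid {field}")


if __name__ == "__main__":
    main()
```

Under the strict rule five of the seven constructed records are dropped, three of them legitimate service-discovery or policy names; allowing underscore labels shrinks that to the two names that actually violate the hostname syntax, at the cost of also letting through any future label format that happens to start with an underscore.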