Hi,
in the light of a recent Usenix paper "Injection Attacks Reloaded:
Tunnelling Malicious Payloads over DNS" [1],
we tested our dnsdist -> PowerDNS Recursor setup [2]
with the following results:
(quoting from their test page [3])
Special character filtering
These tests will test if your resolver validates hostnames per RFC952. Other
than domain names, which can contain arbitrary characters, hostnames are only
allowed to contain the characters [0-9a-z-.]. To reduce the chance that an
application which is unaware of this is attacked using a domain name containing
an injection payload, stub resolvers should therefore filter such names.
The test domain containing a slash (/) was not filtered by your resolver.
The test domain containing an at (@) was not filtered by your resolver.
The test domain containing an XSS payload (<img/src=''/onerror='alert("xss")'>)
was not filtered by your resolver.
The test domain containing an SQLi payload (a'OR''=''--) was not filtered by
your resolver.
The test domain containing an ANSI escape sequence (\027[31\;1\;4mHello\027[0m)
was not filtered by your resolver.
We were wondering if there is an easy way in Recursor's configuration to
enable validation of hostnames similar to their python proof of concept
[4]?
If there is no such option: Would you accept a feature request via GH
to implement such an option?
I'm also interested in your opinions on whether such validation might
cause issues in practice.
best regards,
Christoph
[1] https://www.usenix.org/system/files/sec21-jeitner.pdf
[2] https://applied-privacy.net/services/dns/
[3] https://xdi-attack.net/test.html
[4] https://xdi-attack.net/proxy.html
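The RFC 952 character check that the quoted test page describes is small enough to show in full. The following is an added example, not code from the mail, from the xdi-attack.net proof of concept, or from PowerDNS: it implements the [0-9a-z-.] rule (plus RFC 952's ban on a leading or trailing hyphen in a label) and runs it over constructed names modelled on the five test categories. The names in `TEST_NAMES` and the function names are assumptions made for this illustration.

```python
import re

# RFC 952 hostname label: letters, digits and hyphens only; RFC 952 also
# forbids a leading or trailing hyphen. The name is lowercased before
# matching, so uppercase letters are accepted as well.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Return True if `name` is a syntactically valid hostname (RFC 952 charset).

    A trailing dot (fully-qualified form) is tolerated. Anything outside
    [0-9a-z-.] -- slashes, '@', quotes, angle brackets, ESC bytes -- is rejected,
    as are empty labels, labels longer than 63 octets and names over 253 octets.
    """
    if not name:
        return False
    name = name.lower().rstrip(".")
    if len(name) > 253:
        return False
    labels = name.split(".")
    return all(LABEL_RE.fullmatch(label) is not None for label in labels)


# Constructed sample names (hypothetical, not taken from the test page):
# one clean hostname plus one name per injection category the test covers.
TEST_NAMES = {
    "clean": "www.example.com.",
    "slash": "foo/bar.example.com",
    "at": "user@host.example.com",
    "xss": "<img/src=''/onerror='alert(\"xss\")'>.example.com",
    "sqli": "a'OR''=''--.example.com",
    "ansi": "\x1b[31;1;4mHello\x1b[0m.example.com",
}


def filter_names(names: dict) -> dict:
    """Map each name to True (accepted as a hostname) or False (filtered)."""
    return {key: is_valid_hostname(value) for key, value in names.items()}


if __name__ == "__main__":
    for key, accepted in filter_names(TEST_NAMES).items():
        print(f"{key:6s} {'accepted' if accepted else 'FILTERED'}")
```

One practical consequence worth noting when weighing such a filter: names with underscores (SRV owner names like `_sip._tcp.example.com`, DKIM and DMARC TXT names) are legitimate domain names but fail the RFC 952 hostname check, so a filter of this kind belongs on data consumed as a hostname (for example PTR or CNAME targets handed to an application) rather than on every query name a resolver sees.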
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users