LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Potential pitfalls in DNS handling

Potential pitfalls in DNS handling

Posted Nov 15, 2012 22:30 UTC (Thu) by Comet (subscriber, #11646)
Parent article: Potential pitfalls in DNS handling

Answering several points at once:
* RFC2181 clarifies what the underlying protocol supports. It didn't change anything.
* DNS has always been this open; it's up to the application layer to impose restrictions. If you don't put in the restrictions yourself, you have no restrictions, so don't forget them. Then remember that common usage doesn't always match specifications -- eg, URLs often do end up with underscores in them.
* There isn't actually a generic specification for hostnames that I've ever found. There's old rules which applied to HOSTS.TXT; there are rules for mail domains; there are rules for hostnames as encountered in URLs. That's about it.
* Escaping: with modern Bind, you might need to export IDN_DISABLE=t into the environment before running dig(1) and friends, to avoid the IDN errors that might get thrown for parse issues. With that in mind, there is actually a quoting mechanism in common use, derived from RFC1035 section 5.1. RFC4343 is the one which extends this to be used more generally.
* If you validate hostnames from user input, don't forget to consider hostnames which you get from reverse DNS or from CNAME lookups, or NAPTR. You might leave it unmolested for pass-back to the DNS layer, but if you're passing it up, consider escaping.
* Whatever beliefs people have about what's allowed in a hostname: fine, now just make sure your code enforces it. :)

(Log in to post comments)

Potential pitfalls in DNS handling

Posted Nov 15, 2012 22:32 UTC (Thu) by Comet (subscriber, #11646) [Link]

Forgot I had this:
% host -lva f.e.e.b.d.a.e.d.1.3.0.0.8.9.8.0.2.0.a.2.ip6.arpa nlns.globnix.net

Sorry Jake, should have mentioned it before. That too is public DNS, it's just that it's only in IPv6 that I have enough public IPs spare to dedicate a dead:beef range to test purposes. ;)

Potential pitfalls in DNS handling

Posted Nov 16, 2012 13:10 UTC (Fri) by marcH (subscriber, #57642) [Link]

> Whatever beliefs people have about what's allowed in a hostname: fine, now just make sure your code enforces it. :)

Indeed it would be foolish not to sanitize your (network!) inputs only on the basis that some specification restricts something.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds