[Suggestion] Use hash based domain-address mapping in fake-dns. #1906

Open
elementary-particle opened this issue Mar 9, 2025 · 1 comment

Comments

@elementary-particle

As mentioned in the Kubernetes docs, not all DNS clients respect the TTL of the returned records. Some clients cache DNS answers longer than they should; others resolve the domain names only once and cache the returned address.

This behavior can be problematic when used with fake-dns, since the current implementation does not use a stable address for each domain: the address is always allocated from the lowest available addresses, and domains often point to expired entries. This behavior poses a great security risk when, for example, clients connect to what they think is a.com but get directed to b.com.

To mitigate this problem, it's best to use a stable mechanism when mapping domains to IP addresses. Often the IP pool is pretty large compared to the possible domain names, so a hash-based, 'find the next available address starting from some hashed address' strategy could satisfy the need for a stable address. Usually the hashed address will be used; only in the rare case of a collision will the domain be mapped to some other address, reducing the risk significantly.

The strategy can be written as follows:

```
ip_base = map_to_ip_net(hash(domain_name))
ip = ip_base
do
    if ip available then assign(ip); return ip
    ip = next_in_pool(ip)   # wraps around to the start of the pool
until ip = ip_base
report error (pool depleted)
```

It should be pretty easy to implement, as I have done IP translations (NAT) like this in C.
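The allocation strategy proposed above, written out as an added example in Rust. This is not shadowsocks-rust's fake-dns code and not the issue author's implementation; the type and method names (`FakeDnsPool`, `preferred_offset`, `lookup`, `domain_for`), the `198.18.0.0/16` pool and the domain names are constructed for the example. It keeps the two properties the proposal cares about: a domain always gets the same answer once mapped, and an address is only reused by a different domain when the hashed slot is already taken, never by silently handing out the lowest free address.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};
use std::net::Ipv4Addr;

/// Stable domain -> fake IP allocator (example code, not the project's own).
/// A domain's preferred address is derived from a hash of its name; linear
/// probing with wrap-around is used only when that address is already taken.
pub struct FakeDnsPool {
    base: u32,                       // network address of the pool, as a u32
    size: u32,                       // number of addresses in the pool
    by_domain: HashMap<String, u32>, // domain -> assigned address
    by_ip: HashMap<u32, String>,     // assigned address -> domain (reverse map)
}

impl FakeDnsPool {
    /// `prefix_len` is in 1..=32. The whole range is used as the pool; a real
    /// deployment would skip the network and broadcast addresses.
    pub fn new(network: Ipv4Addr, prefix_len: u8) -> Self {
        assert!((1..=32).contains(&prefix_len), "prefix_len must be in 1..=32");
        let host_bits = 32 - prefix_len as u32;
        let mask = u32::MAX << host_bits;
        FakeDnsPool {
            base: u32::from(network) & mask,
            size: 1u32 << host_bits,
            by_domain: HashMap::new(),
            by_ip: HashMap::new(),
        }
    }

    /// Offset within the pool that `domain` hashes to. `DefaultHasher::new()`
    /// uses fixed SipHash keys, so the result is identical across runs.
    pub fn preferred_offset(&self, domain: &str) -> u32 {
        let mut h = DefaultHasher::new();
        domain.hash(&mut h);
        (h.finish() % self.size as u64) as u32
    }

    /// Returns the fake address for `domain`, assigning one on first use.
    /// Returns `None` only when every address in the pool is already taken.
    pub fn lookup(&mut self, domain: &str) -> Option<Ipv4Addr> {
        if let Some(&ip) = self.by_domain.get(domain) {
            return Some(Ipv4Addr::from(ip)); // already mapped: same answer every time
        }
        let start = self.preferred_offset(domain);
        let mut off = start;
        loop {
            let ip = self.base + off;
            if !self.by_ip.contains_key(&ip) {
                self.by_ip.insert(ip, domain.to_owned());
                self.by_domain.insert(domain.to_owned(), ip);
                return Some(Ipv4Addr::from(ip));
            }
            off = (off + 1) % self.size; // linear probe, wrapping to the pool start
            if off == start {
                return None; // walked the entire pool: depleted, report an error
            }
        }
    }

    /// Reverse mapping, used when a client later connects to a fake address.
    pub fn domain_for(&self, ip: Ipv4Addr) -> Option<&str> {
        self.by_ip.get(&u32::from(ip)).map(String::as_str)
    }

    /// Number of addresses currently assigned.
    pub fn len(&self) -> usize {
        self.by_ip.len()
    }
}

fn main() {
    // Constructed pool and domains for the demonstration.
    let mut pool = FakeDnsPool::new(Ipv4Addr::new(198, 18, 0, 0), 16);
    for d in ["a.com", "b.com", "a.com"] {
        println!("{d} -> {:?}", pool.lookup(d));
    }
}
```

Entry expiry is deliberately left out: with a stable mapping, an evicted entry can only be reassigned to a different domain if that domain hashes to (or probes onto) the same slot, which is exactly the rare case the proposal accepts, and the reverse map makes it possible to check which domain an address currently belongs to before relaying a connection.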

@zonyitoo
Collaborator

zonyitoo commented Mar 10, 2025

Sounds good. Could you make a PR for this? I personally don't use fake-dns in my daily environment, so I couldn't see the actual problem in the current implementation.
