As mentioned in the Kubernetes docs, not all DNS clients respect the TTL of the returned records. Some clients cache DNS answers longer than they should; others resolve the domain names only once and cache the returned address.
This behavior can be problematic when used with fake-dns, since the current implementation does not use a stable address for each domain: the address is always allocated from the lowest available addresses, and domains often point to expired entries. This behavior poses a great security risk when, for example, clients connect to what they think was a.com but get directed to b.com.
To mitigate this problem, it's best to use a stable mechanism when mapping domains to IP addresses. Often the IP pool is pretty large compared to the number of possible domain names, so a hash-based "find the next available address starting from some hashed address" strategy could satisfy the need for a stable address. Usually the hashed address itself will be used; only in the rare case of a collision will the domain be mapped to some other address, reducing the risk significantly.
The strategy can be written as follows:
```
ip_base = map_to_ip_net(hash(domain_name))
ip = ip_base
do { if ip available then return assign(ip) else ip = ip + 1 (wrapping to the start of the pool) } while ip != ip_base
report error (pool depleted)
```
It should be pretty easy to implement, as I have done IP translations (NAT) like this in C.
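The hash-then-probe strategy above, written out in Go as an added example (this is not fake-dns project code and not the issue author's implementation). It assumes an IPv4 pool given as a CIDR prefix (198.18.0.0/15, the RFC 2544 benchmarking range, is only the example's choice), FNV-1a as the hash, and hypothetical names `Pool`, `Lookup`, `Release`, `Reverse` and `Candidate`. The point it demonstrates is the one the issue cares about: a domain whose entry has expired gets the same address back on the next resolution, so a client that cached the old answer still reaches the right destination, while a collision or a full pool is handled explicitly rather than silently reusing someone else's address.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/fnv"
	"net/netip"
	"strings"
)

var ErrPoolDepleted = errors.New("fake-dns pool depleted")

// Pool hands out IPv4 addresses from one prefix. A domain's first candidate is
// derived from a hash of its name, so the same domain gets the same address
// across expiries and restarts; linear probing resolves the rare collision.
// (Added example; hypothetical type, not the project's own.)
type Pool struct {
	base     uint32 // first usable host address, as an integer
	size     uint32 // number of usable host addresses
	byDomain map[string]netip.Addr
	byAddr   map[netip.Addr]string
}

// NewPool accepts an IPv4 prefix between /8 and /30 (assumed bounds for the example).
func NewPool(cidr string) (*Pool, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, err
	}
	if !p.Addr().Is4() || p.Bits() < 8 || p.Bits() > 30 {
		return nil, fmt.Errorf("need an IPv4 prefix between /8 and /30, got %s", cidr)
	}
	network := p.Masked().Addr().As4()
	hostBits := 32 - p.Bits()
	return &Pool{
		base:     binary.BigEndian.Uint32(network[:]) + 1, // skip the network address
		size:     (uint32(1) << hostBits) - 2,             // also skip the broadcast address
		byDomain: map[string]netip.Addr{},
		byAddr:   map[netip.Addr]string{},
	}, nil
}

// canon normalises a name so "A.com." and "a.com" share one mapping.
func canon(domain string) string { return strings.ToLower(strings.TrimSuffix(domain, ".")) }

// startIndex is the hash-derived slot a domain probes from (FNV-1a, assumed here).
func (p *Pool) startIndex(domain string) uint32 {
	h := fnv.New32a()
	h.Write([]byte(canon(domain)))
	return h.Sum32() % p.size
}

func (p *Pool) addrAt(idx uint32) netip.Addr {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], p.base+idx)
	return netip.AddrFrom4(b)
}

// Candidate is the address a domain receives whenever its hashed slot is free.
func (p *Pool) Candidate(domain string) netip.Addr { return p.addrAt(p.startIndex(domain)) }

// Lookup returns the address mapped to domain, allocating one if needed:
// start at the hashed slot and walk forward (wrapping) until a free slot is found.
func (p *Pool) Lookup(domain string) (netip.Addr, error) {
	d := canon(domain)
	if a, ok := p.byDomain[d]; ok {
		return a, nil
	}
	start := p.startIndex(d)
	for i := uint32(0); i < p.size; i++ {
		a := p.addrAt((start + i) % p.size)
		if _, taken := p.byAddr[a]; !taken {
			p.byDomain[d] = a
			p.byAddr[a] = d
			return a, nil
		}
	}
	return netip.Addr{}, ErrPoolDepleted // every slot was visited once
}

// Reverse maps a fake address back to its domain, which is what the proxy
// needs when a client connects to the address it cached.
func (p *Pool) Reverse(a netip.Addr) (string, bool) { d, ok := p.byAddr[a]; return d, ok }

// Release expires a mapping (e.g. its TTL lapsed). A later Lookup of the same
// domain lands on the same address unless a colliding domain took it meanwhile.
func (p *Pool) Release(domain string) {
	d := canon(domain)
	if a, ok := p.byDomain[d]; ok {
		delete(p.byDomain, d)
		delete(p.byAddr, a)
	}
}

func main() {
	p, _ := NewPool("198.18.0.0/15")
	for _, d := range []string{"a.com", "b.com", "a.com"} {
		a, _ := p.Lookup(d)
		fmt.Println(d, "->", a)
	}
	p.Release("a.com")
	a, _ := p.Lookup("a.com") // same address as before the expiry
	fmt.Println("after expiry a.com ->", a)
}
```

With the lowest-free-address policy the issue describes, the post-expiry lookup would instead hand a.com whatever slot was free first, possibly one another domain had just vacated, which is exactly the a.com-to-b.com misdirection described above. Here the mapping only moves when the hashed slot is occupied, and a full pool returns an error rather than an address.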
Sounds good. Could you make a PR for this? I personally don't use fake-dns in my daily environment, so I couldn't see the actual problem in the current implementation.