Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2010/08/27 06:24:53 UTC

[jira] Created: (TS-428) New DNS configuration option

New DNS configuration option
----------------------------

                 Key: TS-428
                 URL: https://issues.apache.org/jira/browse/TS-428
             Project: Traffic Server
          Issue Type: New Feature
          Components: Documentation
            Reporter: Leif Hedstrom
            Assignee: Miles Libbey
             Fix For: 2.2.0


There is a new DNS configuration option, from the records.config file:

   # This provides additional resilience against DNS forgery, particularly in
   # forward or transparent proxies, but requires that the resolver populates
   # the queries section of the response properly.
CONFIG proxy.config.dns.validate_query_name INT 0


This setting is disabled by default; enabling it will force us to validate the name in the response from the resolver to make sure it matches the request we made. This could potentially break if the resolver does not populate the queries section with the requested name.

Enabling this option is highly recommended, particularly for running ATS in a forward or transparent proxy configuration.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
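The check this option describes, as an added example that is not Traffic Server's own code: a small Python function parses a DNS response and accepts it only when the question section repeats the name that was queried, rejecting a response whose question section is empty (the breakage case the records.config comment mentions). The message builder and the sample names are constructed test data, not anything from the issue.

```python
import struct

def _read_name(msg, off, hops=0):
    """Decode a DNS name starting at msg[off]; follows compression pointers
    (RFC 1035 s4.1.4) and rejects truncated names and pointer loops."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: pointer
            if hops > 8 or off + 1 >= len(msg):
                raise ValueError("bad compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr, hops + 1)
            return ".".join(filter(None, labels + [tail])), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def build_message(name, qid=0x1234, response=False, include_question=True):
    """Constructed test data: a minimal A query/response with an optional
    question section (a resolver that omits it is the breakage case)."""
    flags = 0x8180 if response else 0x0100
    hdr = struct.pack("!HHHHHH", qid, flags, int(include_question), 0, 0, 0)
    if not include_question:
        return hdr
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return hdr + qname + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN

def validate_query_name(request_name, response):
    """Accept the response only if its question section repeats the name we
    asked for (compared case-insensitively, RFC 4343). Anything else,
    including a missing or malformed question section, is rejected."""
    if len(response) < 12:
        return False
    qdcount = struct.unpack("!H", response[4:6])[0]
    if qdcount == 0:
        return False
    try:
        qname, _ = _read_name(response, 12)
    except (ValueError, UnicodeDecodeError):
        return False
    return qname.lower() == request_name.rstrip(".").lower()
```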


[jira] Commented: (TS-428) New DNS configuration option

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12904637#action_12904637 ] 

Leif Hedstrom commented on TS-428:
----------------------------------

From Dirk-Willem van Gulik:

> On 08/30/2010 01:16 PM, Dirk-Willem van Gulik wrote:
>>
>> Still not clear to me why this is not the default (checking the RFC suggests this is fine).
>
> Would you be OK if we change this default for a 2.4 release? Or do you feel we need to change this to be for the 2.1.2 and subsequent (hopefully soon) 2.2 release?
I would simply not worry about it for now - and not change it. But I would strongly encourage you to add something to the documentation, the security section or some similar place like this. 

I've found DNS Injection attacks to be pretty darn common in web infrastructures - and am always surprised at how easily one can get fairly deep in otherwise well sealed off infrastructures. Which is in part due to how products like TS are used - they often bridge old legacy systems, say in some ERP environment, or some old .NET, and that new web world.

So strong words of warning in the docs are goodness IMHO.

Thanks,

Dw.

