auth dnsproxy: document network ought to be trusted #14590

Merged Aug 28, 2024 (1 commit)


Collaborator

@zeha zeha commented Aug 27, 2024

Short description

We are reusing the source UDP port for a very long time. Cannot have people interfere or try to attack us with this design.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@coveralls

coveralls commented Aug 27, 2024

Pull Request Test Coverage Report for Build 10581875041

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 92 unchanged lines in 14 files lost coverage.
  • Overall coverage decreased (-0.03%) to 64.643%

| Files with Coverage Reduction | New Missed Lines | % |
|---|---|---|
| modules/gpgsqlbackend/gpgsqlbackend.cc | 1 | 88.62% |
| pdns/misc.cc | 1 | 63.32% |
| pdns/pollmplexer.cc | 1 | 83.66% |
| pdns/backends/gsql/gsqlbackend.hh | 2 | 97.71% |
| pdns/rcpgenerator.cc | 2 | 90.05% |
| modules/godbcbackend/sodbc.cc | 2 | 70.8% |
| modules/gpgsqlbackend/spgsql.cc | 3 | 67.7% |
| pdns/recursordist/rec-tcp.cc | 4 | 65.03% |
| pdns/dnsdistdist/dnsdist.cc | 4 | 68.44% |
| pdns/recursordist/pdns_recursor.cc | 4 | 72.64% |

| Totals | Coverage Status |
|---|---|
| Change from base Build 10579511995 | -0.03% |
| Covered Lines | 124597 |
| Relevant Lines | 162057 |

💛 - Coveralls

@@ -1541,6 +1541,8 @@ Number of receiver (listening) threads to start. See :doc:`performance`.

Recursive DNS server to use for ALIAS lookups and the internal stub resolver. Only one address can be given.

It is assumed that the network path to the recursive DNS server, and the recursive DNS server itself is trusted.
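
Review bot: the added sentence after the "Recursive DNS server to use for ALIAS lookups" paragraph states the trust assumption without the reason for it, so an operator reading the setting cannot tell what "trusted" has to cover. The PR description gives the reason (the source UDP port is reused for a very long time, so others must not be able to interfere); consider carrying one sentence of that into the documentation. The compound subject in the same line also needs a plural verb: "... and the recursive DNS server itself, are trusted."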
Member


Perhaps?

Suggested change
It is assumed that the network path to the recursive DNS server, and the recursive DNS server itself is trusted.
It is assumed that the network path to the recursive DNS server, and the recursive DNS server itself, are trusted.

We are reusing the source UDP port for a very long time. Cannot have
people interfere or try to attack us then.
@zeha
Collaborator Author

zeha commented Aug 27, 2024

rewrote it, but let's see if we still need this after #14594

@Habbie
Member

Habbie commented Aug 28, 2024

> rewrote it, but let's see if we still need this after #14594

we don't magically start validating DNSSEC or using TSIG in there, so the recommendation likely still makes sense then

@Habbie Habbie merged commit 97239e5 into PowerDNS:master Aug 28, 2024
78 of 79 checks passed