Vulnerability in the ldns_blocking plugin. #5

Open
jedisct1 opened this issue Jan 21, 2018 · 2 comments

Comments

@jedisct1
Contributor

jedisct1 commented Jan 21, 2018

Bad news, there is a vulnerability in the ldns_blocking plugin.

An IPv4 address present in the set of IPs to be blocked will be blocked for an A query.

However, IPv4 addresses can also be encoded as IPv6 addresses. For example ::ffff:216.58.201.142 is equivalent to 216.58.201.142.

With an AAAA record containing such an IPv4-in-IPv6 address, the ldns_blocking plugin will not spot the IPv4 address and let the query go through.

cURL is an example of a client that will connect to the IPv4 address even though it was obtained from an AAAA record, and I guess many HTTP clients and browsers will behave the same way. A malicious website can thus bypass IP-based DNS filters.

@jedisct1
Contributor Author

A quick and ugly way to address this could just be to skip a ::ffff: prefix from answer_str before calling fpst_str_starts_with_existing_key().

I don't think anything else starting with ::ffff: would be routed, but checking that there is at least a dot somewhere after that prefix cannot hurt.

A cleaner way would be to call ldns_rdf2native_sockaddr_storage() and then IN6_IS_ADDR_V4MAPPED() on an IPv6 result.
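An added example of the check discussed in this thread, not part of the original comments and not the plugin's code: it parses the answer string with `inet_pton()` instead of `ldns_rdf2native_sockaddr_storage()`, tests `IN6_IS_ADDR_V4MAPPED()`, and hands the embedded IPv4 address to the blocklist lookup. `canonical_answer_ip()`, `is_blocked()` and the exact-match `BLOCKED_IPS` list are hypothetical stand-ins for the plugin's lookup via `fpst_str_starts_with_existing_key()`.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: rewrite an answer address into the form the blocklist
 * lookup should see. An IPv4-mapped IPv6 address (::ffff:a.b.c.d, whatever
 * its textual spelling) becomes dotted-quad IPv4.
 * Returns 1 if the address was IPv4-mapped, 0 if it was copied unchanged,
 * -1 if it does not fit in out. */
int canonical_answer_ip(const char *answer_str, char *out, size_t out_len)
{
    struct in6_addr a6;

    if (inet_pton(AF_INET6, answer_str, &a6) == 1 && IN6_IS_ADDR_V4MAPPED(&a6)) {
        struct in_addr a4;

        /* The IPv4 address is the last 4 bytes of the 16-byte IPv6 address. */
        memcpy(&a4, &a6.s6_addr[12], sizeof a4);
        return inet_ntop(AF_INET, &a4, out, (socklen_t) out_len) != NULL ? 1 : -1;
    }
    if (strlen(answer_str) >= out_len) {
        return -1;
    }
    strcpy(out, answer_str);
    return 0;
}

/* Constructed sample blocklist; the address is the one used in the issue. */
static const char *const BLOCKED_IPS[] = { "216.58.201.142" };

/* Returns 1 if the answer (A or AAAA, as text) resolves to a blocked IP. */
int is_blocked(const char *answer_str)
{
    char        ip[INET6_ADDRSTRLEN];
    const char *key = answer_str;
    size_t      i;

    /* Look up the canonical form; fall back to the raw string on error. */
    if (canonical_answer_ip(answer_str, ip, sizeof ip) >= 0) {
        key = ip;
    }
    for (i = 0; i < sizeof BLOCKED_IPS / sizeof BLOCKED_IPS[0]; i++) {
        if (strcmp(key, BLOCKED_IPS[i]) == 0) {
            return 1;
        }
    }
    return 0;
}
```

Because the test is made on the parsed address rather than on the string prefix, it does not depend on how the AAAA record was rendered as text.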

@jaromil
Member

jaromil commented Jan 21, 2018

Well spotted. This likely also affects our plugin in dowse, or at least it's worth checking.
