[PR #2118] [MERGED] Validate response query section #2820

Closed
opened 2026-03-16 11:10:05 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2118
Author: @marcus0x62
Created: 12/25/2023
Status: Merged
Merged: 1/1/2024
Merged by: @bluejekyll

Base: main ← Head: validate_query_answer


📝 Commits (3)

  • 44c975c Validate query response section
  • ad216e1 call to .iter().any() should be .iter().all()
  • 7dd7f3e Perform transaction id validation before query name validation

📊 Changes

1 file changed (+46 additions, -10 deletions)


📝 crates/proto/src/udp/udp_client_stream.rs (+46 -10)

📄 Description

This patch improves resistance against cache poisoning by validating that, if a candidate response message has a questions section, each query name was present in the query section of the original request. So, for instance, if a client queries for 'example.com' and the remote resolver returns either an answer for 'baddomain.com' OR answers for both 'example.com' and 'baddomain.com', we log a warning message and drop the response.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
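The check the three commits describe, as an added example that is not hickory-dns code: the transaction id is compared first, then every question in the response must appear in the request (the `.any()` to `.all()` fix). The `Message`/`Question` structs are simplified stand-ins for hickory's own types, and the comparison goes beyond the PR's name-only match by also requiring the same query type and class.

```rust
// Added example, not hickory-dns code: the response check this PR describes,
// on simplified stand-in types (hickory's Message/Query types are richer).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Question {
    pub name: String, // owner name; DNS names compare case-insensitively
    pub qtype: u16,
    pub qclass: u16,
}

#[derive(Clone, Debug)]
pub struct Message {
    pub id: u16,
    pub questions: Vec<Question>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accept,
    // Checked first (third commit): a wrong id is reported as such.
    WrongId { expected: u16, got: u16 },
    // A question in the response that the request never asked.
    UnexpectedQuestion(Question),
}

fn same_question(a: &Question, b: &Question) -> bool {
    a.name.eq_ignore_ascii_case(&b.name) && a.qtype == b.qtype && a.qclass == b.qclass
}

/// Every response question must be in the request (`all`, not `any`): a
/// response carrying the expected name plus an extra one is still dropped,
/// which is the `.any()` -> `.all()` fix in the second commit.
pub fn validate_response(request: &Message, response: &Message) -> Verdict {
    if request.id != response.id {
        return Verdict::WrongId { expected: request.id, got: response.id };
    }
    let asked = |rq: &Question| request.questions.iter().any(|q| same_question(q, rq));
    match response.questions.iter().find(|rq| !asked(*rq)) {
        Some(bad) => Verdict::UnexpectedQuestion(bad.clone()),
        None => Verdict::Accept, // also covers an empty question section
    }
}

pub fn q(name: &str) -> Question {
    Question { name: name.to_string(), qtype: 1, qclass: 1 } // A, IN
}
fn main() {
    let req = Message { id: 0x1234, questions: vec![q("example.com.")] };
    let bad = Message { id: 0x1234, questions: vec![q("example.com."), q("baddomain.com.")] };
    println!("{:?}", validate_response(&req, &bad)); // UnexpectedQuestion(..)
}
```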
