惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
I
InfoQ
宝玉的分享
宝玉的分享
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Privacy International News Feed
T
Threatpost
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
V
Vulnerabilities – Threatpost
NISL@THU
NISL@THU
aimingoo的专栏
aimingoo的专栏
S
Schneier on Security
C
Cisco Blogs
T
The Blog of Author Tim Ferriss
Simon Willison's Weblog
Simon Willison's Weblog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Jina AI
Jina AI
雷峰网
雷峰网
Know Your Adversary
Know Your Adversary
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
Intezer
博客园 - Franky
博客园 - 【当耐特】
Hugging Face - Blog
Hugging Face - Blog
The Hacker News
The Hacker News
K
Kaspersky official blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tailwind CSS Blog
Project Zero
Project Zero
T
Tor Project blog
B
Blog RSS Feed
Recorded Future
Recorded Future
Scott Helme
Scott Helme
美团技术团队
V
V2EX
V
Visual Studio Blog
L
Lohrmann on Cybersecurity
P
Proofpoint News Feed
D
DataBreaches.Net
The Register - Security
The Register - Security
M
MIT News - Artificial intelligence
L
LangChain Blog
Cisco Talos Blog
Cisco Talos Blog
博客园 - 三生石上(FineUI控件)
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园_首页
P
Privacy & Cybersecurity Law Blog

Security on CoreDNS: DNS and Service Discovery

暂无文章

Cure53 Security Assessment
coredns · 2018-03-15 · via Security on CoreDNS: DNS and Service Discovery

Being an incubating CNCF project makes us eligible for nice things like a security assessment (cue ominous music).

The CNCF asked Cure53 to perform such an assessment.

TL;DR: CoreDNS is in good shape, but Cure53 did find one critical issue (which we’ve fixed with the CoreDNS 1.1.1 release):

DNS-01-003 Cache: DNS Cache poisoning via malicious Response (Critical)

The CoreDNS application allows to configure the caching of the DNS responses via the cache plugin. It was discovered that CoreDNS only verifies the transaction IDs but fails to check whether the domain in a request matches the response. This can be abused to inject malicious A records in the cache of the DNS server. As the CoreDNS application has a different cache for each domain

The other three issues found will be tracked via GitHub issues, like plugin/rewrite: log bypass, and [plugin/secondary: Denial-of-Service via endless Zone Transfer](plugin/secondary: Denial-of-Service via endless Zone Transfer). Third one was a generic DDoS.

On a positive note the final report includes quotes like these:

The CoreDNS software tested by Cure53 during this March 2018 assessment has made a clearly positive impression.

To conclude, even though four issues were found during this Cure53 assessment, they were generally - with a single exception - minor, miscellaneous and manageable. Despite Cure53 testers’ considerable efforts, the software was found to be hard to corrupt. Therefore, the CoreDNS project stands out as secure, robust and legitimately security-aware.

The full report can be found here. As for future improvements in CoreDNS: we will increase the use of fuzzing, increase test coverage and look closer at DNS DoS mitigations, such as DNS Cookies (described in RFC 7873).