Auto-port 5.0: DNS: Only cache CNAME if part of the queried domain #16898

Merged
chrisvest merged 1 commit into 5.0 from auto-port-pr-16873-to-5.0, Jun 4, 2026

@netty-project-bot

Contributor

Auto-port of #16873 to 5.0
Cherry-picked commit: 5749d78


Motivation:

We should only cache the CNAME if it is part of the queried domain to ensure the name server is really authoritative for it and does not provide us with incorrect data.

Modifications:

  • Only cache if CNAME is part of the queried domain
  • Add unit test

Result:

No more DNS Cache Poisoning (Bailiwick Bypass) possible

(cherry picked from commit 5749d78)
@chrisvest chrisvest added this to the 5.0.0.Final milestone Jun 2, 2026
@chrisvest chrisvest merged commit 46416f4 into 5.0 Jun 4, 2026
12 of 13 checks passed
@chrisvest chrisvest deleted the auto-port-pr-16873-to-5.0 branch June 4, 2026 17:03
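
An added illustration of the bailiwick rule the description states, not Netty's code from this PR: it assumes "part of the queried domain" means the CNAME record's owner name equals or is a subdomain of the queried name. The `Cname` record type and the method names are hypothetical, and the sample records are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class CnameBailiwickExample {
    // Hypothetical record type for this example: owner name -> CNAME target.
    record Cname(String owner, String target) {}

    // Lower-case and strip the trailing root dot so names compare consistently.
    static String normalize(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n.substring(0, n.length() - 1) : n;
    }

    // True if name equals zone or is a subdomain of it, matched on label
    // boundaries (so "xwww.example.com" is not inside "www.example.com").
    static boolean isInDomain(String name, String zone) {
        String n = normalize(name);
        String z = normalize(zone);
        return n.equals(z) || n.endsWith("." + z);
    }

    // Return only the CNAME records whose owner lies inside the queried name;
    // anything else in the response is not written to the cache.
    static List<Cname> cacheable(String queried, List<Cname> answers) {
        List<Cname> out = new ArrayList<>();
        for (Cname r : answers) {
            if (isInDomain(r.owner(), queried)) {
                out.add(r);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed response to a query for www.example.com.
        List<Cname> answers = List.of(
            new Cname("www.example.com.", "cdn.example.net."),      // owner == queried name
            new Cname("WWW.Example.COM", "cdn.example.net."),       // same name, other case
            new Cname("login.example.org.", "host.example.net."),   // unrelated owner
            new Cname("xwww.example.com.", "host.example.net."));   // string suffix only
        for (Cname r : cacheable("www.example.com", answers)) {
            System.out.println("cache " + r.owner() + " -> " + r.target());
        }
    }
}
```

Only the first two records pass the check; the comparison is done on normalized names and label boundaries because a plain `endsWith` on the raw strings would accept `xwww.example.com`.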