Skip to content

Dns: Insufficient Bailiwick Validation for NS Records#16877

Merged
normanmaurer merged 1 commit into
4.1from
ns41
Jun 2, 2026
Merged

Dns: Insufficient Bailiwick Validation for NS Records#16877
normanmaurer merged 1 commit into
4.1from
ns41

Conversation

@normanmaurer

Copy link
Copy Markdown
Member

Motivation:

Netty's DnsResolveContext insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like .co.uk).

Modifications:

  • Add correct Bailiwick checks when caching NS.
  • Adjust tests

Result:

No more risk of cache poising

Motivation:

Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`).

Modifications:

- Add correct Bailiwick checks when caching NS.
- Adjust tests

Result:

No more risk of cache poising
@normanmaurer normanmaurer added this to the 4.1.135.Final milestone Jun 1, 2026
@normanmaurer normanmaurer added the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label Jun 1, 2026
@normanmaurer normanmaurer merged commit 6f19adf into 4.1 Jun 2, 2026
17 of 20 checks passed
@normanmaurer normanmaurer deleted the ns41 branch June 2, 2026 10:11
@netty-project-bot

Copy link
Copy Markdown
Contributor

Auto-port PR for 5.0: #16899

@github-actions github-actions Bot removed the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label Jun 2, 2026
chrisvest pushed a commit that referenced this pull request Jun 4, 2026
…16899)

Auto-port of #16877 to 5.0
Cherry-picked commit: 6f19adf

---
Motivation:

Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS
records, enabling DNS Cache Poisoning. An attacker controlling an
authoritative name server for a subdomain can poison the cache for
parent domains (like `.co.uk`).

Modifications:

- Add correct Bailiwick checks when caching NS.
- Adjust tests

Result:

No more risk of cache poising

Co-authored-by: Norman Maurer <norman_maurer@apple.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants