DnssecResolverApi.getClient() returns insecure dnsClient #141

@Delicates

The DnssecResolverApi class extends the ResolverApi and creates its own DnssecClient with its own secure separate cache, but it never overrides the inherited getClient() function.
https://github.com/MiniDNS/minidns/blob/master/minidns-hla/src/main/java/org/minidns/hla/DnssecResolverApi.java#L29

So the inherited DnssecResolverApi.getClient() returns an insecure DNS client that uses the shared global DEFAULT_CACHE.
https://github.com/MiniDNS/minidns/blob/master/minidns-hla/src/main/java/org/minidns/hla/ResolverApi.java#L219
https://github.com/MiniDNS/minidns/blob/master/minidns-client/src/main/java/org/minidns/AbstractDnsClient.java#L44

This results in DNS cache entries poisoned through previous insecure DNS client queries being accepted as DNSSEC valid without throwing exceptions.

As an example of impact, currently this shared insecure cache issue breaks DNSSEC enforcement in the following FairEmail code by @M66B when tested in a DNS hijacked environment:
https://github.com/M66B/FairEmail/blob/3783689572b77fc0d1870444fed403a3135f577f/app/src/main/java/eu/faircode/email/DnsHelper.java#L186

The DnssecResolverApi class should override the inherited getClient() function to return the secure dnssecClient instead of the insecure dnsClient.
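
The following is an added illustration, not part of the issue and not MiniDNS code: a simplified Java model of the pattern the report describes, with a regression check that the accessor hands out the validating client. All class, field and method names here (`Resolver`, `SecureResolverBuggy`, `SecureResolverFixed`, `handsOutSecureClient`, `SHARED_CACHE`) and the sample hostname are assumptions made for the sketch.

```java
import java.util.HashMap;
import java.util.Map;
// Simplified model of the pattern described in the issue; NOT the MiniDNS classes.
public class GetClientOverrideDemo {
    // Constructed stand-in for the shared global default cache.
    static final Map<String, String> SHARED_CACHE = new HashMap<>();

    // Hypothetical client: serves cached answers; 'validating' marks the DNSSEC client.
    static class Client {
        final Map<String, String> cache;
        final boolean validating;
        Client(Map<String, String> cache, boolean validating) {
            this.cache = cache;
            this.validating = validating;
        }
        String cached(String name) { return cache.get(name); }
    }

    static class Resolver {
        private final Client client = new Client(SHARED_CACHE, false);
        Client getClient() { return client; }
    }

    // Pattern from the issue: own validating client and cache, inherited getClient().
    static class SecureResolverBuggy extends Resolver {
        protected final Client secureClient = new Client(new HashMap<>(), true);
    }

    // Fix proposed in the issue: the accessor returns the validating client.
    static class SecureResolverFixed extends SecureResolverBuggy {
        @Override Client getClient() { return secureClient; }
    }

    // Regression check: the client handed out must validate and must not share the cache.
    static boolean handsOutSecureClient(Resolver r) {
        Client c = r.getClient();
        return c.validating && c.cache != SHARED_CACHE;
    }

    public static void main(String[] args) {
        // Constructed entry cached by an earlier non-validating lookup.
        new Resolver().getClient().cache.put("mail.example.test", "unvalidated answer");
        for (Resolver r : new Resolver[] {new SecureResolverBuggy(), new SecureResolverFixed()}) {
            System.out.println(r.getClass().getSimpleName()
                    + " secure=" + handsOutSecureClient(r)
                    + " cached=" + r.getClient().cached("mail.example.test"));
        }
    }
}
```

A check of this shape, written against the real resolver classes, is the kind of unit test that would catch the accessor regressing after a fix.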
