Spurious DNS lookups due to Host header?

Maxim Dounin mdounin at mdounin.ru
Thu Apr 14 20:11:36 UTC 2022


On Thu, Apr 14, 2022 at 10:56:58AM -0400, Jeffrey Walton wrote:

> Hi Everyone,
> I'm examining a webapp which had a scan looking for security related
> errata and vulnerabilities. The app is hosted on Google Cloud (GPC)
> and the webserver is Nginx. Only the app was scanned. GPC and Nginx
> were not scanned.
> The scan produced an interesting finding I have not seen before. The
> finding is, a HTTP Request using a fake Host: header produces a DNS
> lookup. I think the concern is a DNS amplification attack (or maybe
> just some extra traffic).
> I think this is how the errata or attack works. Below, theHost: header
> is different from the hostname at the TLS layer.
>     echo -e "GET / HTTP/1.1\r\nHost:www.fake-example.com\r\n\r\n" | \
>     openssl s_client -connect www.example.com:443 -servername www.example.com
> My question is, is Nginx expected to perform a lookup for www.fake-example.com?

No (unless you've configured nginx to do so).

Maxim Dounin

More information about the nginx mailing list