Spurious DNS lookups due to Host header?
mdounin at mdounin.ru
Thu Apr 14 20:11:36 UTC 2022
On Thu, Apr 14, 2022 at 10:56:58AM -0400, Jeffrey Walton wrote:
> Hi Everyone,
> I'm examining a webapp which had a scan looking for security related
> errata and vulnerabilities. The app is hosted on Google Cloud (GPC)
> and the webserver is Nginx. Only the app was scanned. GPC and Nginx
> were not scanned.
> The scan produced an interesting finding I have not seen before. The
> finding is, a HTTP Request using a fake Host: header produces a DNS
> lookup. I think the concern is a DNS amplification attack (or maybe
> just some extra traffic).
> I think this is how the errata or attack works. Below, theHost: header
> is different from the hostname at the TLS layer.
> echo -e "GET / HTTP/1.1\r\nHost:www.fake-example.com\r\n\r\n" | \
> openssl s_client -connect www.example.com:443 -servername www.example.com
> My question is, is Nginx expected to perform a lookup for www.fake-example.com?
No (unless you've configured nginx to do so).
More information about the nginx