Spurious DNS lookups due to Host header?

Jeffrey Walton noloader at gmail.com
Thu Apr 14 14:56:58 UTC 2022

Hi Everyone,

I'm examining a webapp which had a scan looking for security related
errata and vulnerabilities. The app is hosted on Google Cloud (GPC)
and the webserver is Nginx. Only the app was scanned. GPC and Nginx
were not scanned.

The scan produced an interesting finding I have not seen before. The
finding is, a HTTP Request using a fake Host: header produces a DNS
lookup. I think the concern is a DNS amplification attack (or maybe
just some extra traffic).

I think this is how the errata or attack works. Below, theHost: header
is different from the hostname at the TLS layer.

    echo -e "GET / HTTP/1.1\r\nHost:www.fake-example.com\r\n\r\n" | \
    openssl s_client -connect www.example.com:443 -servername www.example.com

My question is, is Nginx expected to perform a lookup for www.fake-example.com?

(At this point I have not ruled out GPC doing the DNS lookup. Nginx
has a public mailing list, so it is easier to start here than trying
to use Google {non-}support).


More information about the nginx mailing list