Implement custom DNS resolver #3988
772be02 to 144925a
Other than the missing `cached` proc-macro, it looks OK to me.
I tested it by DDoSing the favicon endpoint; that seems to work OK.
I also did a longer test which tests around 300 domains (including some duplicates with/without redirects). These all seem to work as on the current code.
Did some further testing and it seems to work fine. Other than that, it's all good.
I just had a brief look at the PR so maybe I missed it, but is it possible to disable this feature in the configuration? I am already using a custom secure DNS solution and would rather use that one, as it gives me more fine-grained control.
It still uses the DNS servers provided by the host, so no need, I think.
99d1fab to 0dd13e8
The goal of this change is to protect us more thoroughly against DNS rebinding attacks and redirects in the icons service. Previously we did a manual lookup check before doing the initial HTTP request, which would leave us vulnerable; by inserting a middleware DNS resolver into reqwest we should be protected against all cases.

Also, I noticed that with the `hickory-resolver` crate we can enable DNS over TLS and DNS over HTTPS, which seems like a great option, but we'd need to test further.

Also moved the `is_global_ip` functions to utils, because it was crowding the already big `icons` file.
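The difference between the manual pre-check and a resolver-level filter, as an added std-only example that is not code from this PR: `Rebinding`, `check_then_fetch` and `filtered_resolve` are hypothetical names, `is_global_ip` here is a simplified stand-in for the helper the description mentions, and the hostname and addresses are constructed.

```rust
use std::cell::Cell;
use std::net::{IpAddr, Ipv4Addr};

// Simplified stand-in for `is_global_ip` (assumption: the project's helper
// covers more ranges; this one rejects the common internal ones).
fn is_global_ip(ip: &IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => !(v4.is_private() || v4.is_loopback() || v4.is_link_local()
            || v4.is_unspecified() || v4.is_broadcast() || v4.is_documentation()),
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => is_global_ip(&IpAddr::V4(v4)),
            None => !(v6.is_loopback() || v6.is_unspecified()
                || (v6.segments()[0] & 0xfe00) == 0xfc00 // unique local fc00::/7
                || (v6.segments()[0] & 0xffc0) == 0xfe80), // link-local fe80::/10
        },
    }
}

// Constructed resolver whose answer changes after the first lookup.
struct Rebinding { calls: Cell<u32> }
impl Rebinding {
    fn resolve(&self, _host: &str) -> Vec<IpAddr> {
        let n = self.calls.replace(self.calls.get() + 1);
        let ip = if n == 0 { Ipv4Addr::new(93, 184, 216, 34) } else { Ipv4Addr::LOCALHOST };
        vec![IpAddr::V4(ip)]
    }
}

// Old pattern: validate with one lookup, then let the HTTP client resolve again.
fn check_then_fetch(dns: &Rebinding, host: &str) -> Result<IpAddr, String> {
    if !dns.resolve(host).iter().all(is_global_ip) {
        return Err(format!("{}: blocked by pre-check", host));
    }
    // The client's own lookup happens here, after the check already passed.
    dns.resolve(host).into_iter().next().ok_or_else(|| "no address".to_string())
}

// New pattern: the filter is part of the lookup the client connects with,
// so it also applies to every redirect hop the client resolves.
fn filtered_resolve(dns: &Rebinding, host: &str) -> Result<IpAddr, String> {
    dns.resolve(host).into_iter().find(is_global_ip)
        .ok_or_else(|| format!("{}: no global address", host))
}

fn main() {
    let host = "icons.example"; // constructed hostname
    println!("check-then-fetch: {:?}", check_then_fetch(&Rebinding { calls: Cell::new(0) }, host));
    let dns = Rebinding { calls: Cell::new(1) }; // resolver already past its first answer
    println!("filtered resolver: {:?}", filtered_resolve(&dns, host));
}
```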