rthalley / dnspython

a powerful DNS toolkit for python
http://www.dnspython.org

dns.query.https not validating IP-based DNS server's certificate #1125

Closed moshekaplan closed 2 months ago

moshekaplan commented 3 months ago

Describe the bug dns.query.https with a where of an IP address does not validate that the DNS server's hostname matches the certificate. Rather, I'd expect it to raise an Exception or allow controlling this directly, as dns.query.tls does with the server_hostname argument.

To Reproduce Make a DNS request with dns.query.https to a DNS server via IP address with a valid certificate that does not include the IP in the SAN. Note that the request completes successfully, instead of raising an SSL certificate error.

import dns.message
import dns.name
import dns.query
import dns.rdatatype

domain = "www.google.com"
dns_server = '1.2.3.4'  # Made up
path_to_cert = '/path/to/ca.pem'  # placeholder: CA bundle for the resolver's certificate

qname = dns.name.from_text(domain)
q = dns.message.make_query(qname, dns.rdatatype.A)
# dns.query.https (the function this report is about); completes without a certificate error
r = dns.query.https(q, dns_server, verify=path_to_cert)


rthalley commented 3 months ago

I think we were assuming that httpx would handle this case, but it looks like we need to pass an sni_hostname extension in the request to get it to validate in that case. I will see about fixing this.
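As an added example (not dnspython's or httpx's own code), the check this thread is about, written with the standard library: when the target is an IP literal, the certificate must match an iPAddress SAN or an explicitly supplied hostname, and a mismatch should fail closed rather than be skipped. The helpers identity_to_verify, cert_covers and connect_verified, and the sample certificate, are hypothetical and constructed for this example.

```python
import ipaddress
import socket
import ssl


def identity_to_verify(where, server_hostname=None):
    """Identity a DoT/DoH client should verify the certificate against.

    An explicit server_hostname (as dns.query.tls accepts) wins. Otherwise
    the only identity available is `where` itself; an IP literal can only be
    matched against an iPAddress SAN, which is the case the report describes.
    """
    return server_hostname if server_hostname else where


def cert_covers(cert, identity):
    """Match `identity` against a cert in the dict shape ssl.getpeercert() returns."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(identity)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals match iPAddress SANs only; dNSName entries never match an IP.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    host = identity.lower().rstrip(".")
    for kind, val in sans:
        if kind != "DNS":
            continue
        pat = val.lower().rstrip(".")
        if pat.startswith("*."):
            # Single wildcard, left-most label only: same label count, same suffix.
            if host.count(".") == pat.count(".") and host.endswith(pat[1:]):
                return True
        elif pat == host:
            return True
    return False


def connect_verified(where, port=853, server_hostname=None, cafile=None, timeout=5.0):
    """Open a TLS socket to `where`, verifying against identity_to_verify().

    Fails closed: an IP target whose certificate has no matching iPAddress SAN
    raises ssl.SSLCertVerificationError instead of silently succeeding
    (Python 3.7+ verifies IP literals passed as server_hostname).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    identity = identity_to_verify(where, server_hostname)
    raw = socket.create_connection((where, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=identity)
```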

rthalley commented 2 months ago

Fixed!

moshekaplan commented 2 months ago

Thanks for the quick turnaround!