Closed chris-wood closed 3 years ago
This must definitely be expanded on. Right now one of the public ODoH proxy servers permits a query such as
curl -sid '' -Acontent-type:application/oblivious-dns-message 'https://proxyhost/proxy?targethost=example.org&targetpath=/'
Suggestions:
localhost:1337/bad
) and target path (forbidding query parameters such as /echo?content-type=application/oblivious-dns-message
).The above header checks might be too late. To reduce the likelihood of abuse, the proxy could perform checks for new hosts. Assuming that the ODoH target is public, the proxy could check for the odohconfig
HTTPS/SVCB parameter and refuse service if not found.
@skepticfx, can you please have a look here?
Following up on the proposals above:
I also like the recommendation that the proxy check for the HTTPS odohconfig
parameter in all permitted targets (whether or not there is an allow list of targets).
I'll put together a PR to address these.
A colluding client and target could always allow abuse of proxies. Can the proxy deny requests to a target if it deems the target is not a valid oDoH server? In that case, what would be an appropriate error code?
Agree with the recommendations above about validating the HTTP request path and query parameters to always conform with what is allowed in the oDoH protocol. This prevents the general open proxy abuse. ( The target need not be colluding here, just the client is malicious here).
However am not sure how the odohconfig
helps against the abuse of a colluding client and target.
A colluding client and target can currently use proxies to send anything. This might be worth noting in the security considerations.