[asterisk-dev] [Code Review] Add getnameinfo() to ast_sockaddr_resolve ()

Tilghman Lesher tilghman at meg.abyt.es
Wed May 4 00:04:06 CDT 2011


On Tuesday 03 May 2011 19:56:25 Eric "ManxPower" Wieling wrote:
> On 05/03/2011 04:55 PM, David Ruggles wrote:
> > On Tue, May 3, 2011 at 5:05 PM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:
> >> Simon Perreault <simon.perreault at viagenie.ca> writes:
> >>> An idea: we could apply a check (regex?) on the host name and warn
> >>> if it is "strange", e.g. only digits.
> >> 
> >> The challenge is that Asterisk has a syntax which does not make it
> >> clear whether you are trying to dial an existing peer or just an
> >> unknown IP/hostname. This causes security issues -- if a peer does
> >> not exist for some reason, e.g. a database problem with realtime,
> >> you risk that Asterisk makes a call to a device you do not control.
> >> The problem only gets larger whenever a new valid syntax is added to
> >> getaddrinfo and whenever a new top level domain is added.
> >> 
> >> It also causes Asterisk to do unnecessary DNS lookups which can block
> >> Asterisk for an extended time if the DNS server is slow to respond.
> >> 
> >> Unfortunately the only real solution is to change the syntax of
> >> Dial(). This is not likely to happen.
> >> 
> >> 
> >> /Benny
> >> 
> >> Not trying to butt in, but have been following this with interest.
> > 
> > What about adding a config option that requires all dial strings to be
> > existing or defined peers? If not defined and config option is set,
> > reject it instead of trying to resolve it. It seems like this could
> > provide more security and eliminate overhead of unexpected DNS
> > queries.
> 
> Do we need to support IP addresses that are not in quad dotted format?
> I can't imagine anyone using them.  A config file option could be
> created to allow addresses that are not quad dotted.

Yes, in particular, IPv6 addresses are not dotted quads and you will have
to deal with those addresses sometime in the next year or two, because
the IPv4 address space is nearly exhausted.

-- 
Tilghman
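
The distinction this thread turns on (strict dotted-quad IPv4, IPv6 literals, digit-only strings that legacy parsers still accept as IPv4, and real host names), as an added example that is not part of the original message or of Asterisk's code. `classify_host` is a hypothetical helper and the inputs are constructed samples; it performs no DNS lookup.

```c
/* Added example: classify the host part of a dial string before any lookup. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

enum host_kind {
    HOST_IPV4_DOTTED_QUAD, /* strict a.b.c.d */
    HOST_IPV6,             /* IPv6 literal, e.g. 2001:db8::1 */
    HOST_LEGACY_NUMERIC,   /* "1234", "0x7f.1": taken as IPv4 by inet_aton() */
    HOST_NAME              /* anything else: would need a DNS lookup */
};

/* classify_host is a hypothetical helper, not an Asterisk function. */
enum host_kind classify_host(const char *host)
{
    struct in_addr v4;
    struct in6_addr v6;

    /* inet_pton() accepts only the strict textual forms. */
    if (inet_pton(AF_INET, host, &v4) == 1)
        return HOST_IPV4_DOTTED_QUAD;
    if (inet_pton(AF_INET6, host, &v6) == 1)
        return HOST_IPV6;
    /* inet_aton() also accepts fewer than four parts and hex/octal parts,
     * so a digit-only string such as an extension number parses as IPv4. */
    if (inet_aton(host, &v4) != 0)
        return HOST_LEGACY_NUMERIC;
    return HOST_NAME;
}

int main(void)
{
    static const char *names[] = {
        "dotted-quad", "ipv6", "legacy-numeric", "hostname"
    };
    /* Constructed sample inputs. */
    static const char *samples[] = {
        "192.0.2.10", "2001:db8::1", "1234", "0x7f.1", "pbx.example.com"
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i], names[classify_host(samples[i])]);
    return 0;
}
```

A caller could warn on or reject `HOST_LEGACY_NUMERIC` while still accepting IPv6 literals, which a dotted-quad-only rule would refuse.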


