[asterisk-dev] [Code Review] Add getnameinfo() to ast_sockaddr_resolve()

Eric "ManxPower" Wieling eric at fnords.org
Wed May 4 00:33:01 CDT 2011



On 05/04/2011 12:04 AM, Tilghman Lesher wrote:
> On Tuesday 03 May 2011 19:56:25 Eric "ManxPower" Wieling wrote:
>> On 05/03/2011 04:55 PM, David Ruggles wrote:
>>> On Tue, May 3, 2011 at 5:05 PM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:
>>>> Simon Perreault <simon.perreault at viagenie.ca> writes:
>>>>> An idea: we could apply a check (regex?) on the host name and warn
>>>>> if it is "strange", e.g. only digits.
>>>>
>>>> The challenge is that Asterisk has a syntax which does not make it
>>>> clear whether you are trying to dial an existing peer or just an
>>>> unknown IP/hostname. This causes security issues -- if a peer does
>>>> not exist for some reason, e.g. a database problem with realtime,
>>>> you risk that Asterisk makes a call to a device you do not control.
>>>> The problem only gets larger whenever a new valid syntax is added to
>>>> getaddrinfo and whenever a new top level domain is added.
>>>>
>>>> It also causes Asterisk to do unnecessary DNS lookups which can block
>>>> Asterisk for an extended time if the DNS server is slow to respond.
>>>>
>>>> Unfortunately the only real solution is to change the syntax of
>>>> Dial(). This is not likely to happen.
>>>>
>>>>
>>>> /Benny
>>>>
>>>> Not trying to butt in, but have been following this with interest.
>>>
>>> What about adding a config option that requires all dial strings to be
>>> existing or defined peers? If not defined and config option is set,
>>> reject it instead of trying to resolve it. It seems like this could
>>> provide more security and eliminate the overhead of unexpected DNS
>>> queries.
>>
>> Do we need to support IP addresses that are not in quad dotted format?
>> I can't imagine anyone using them.  A config file option could be
>> created to allow addresses that are not quad dotted.
>
> Yes, in particular, IPv6 addresses are not dotted quads and you will have
> to deal with those addresses sometime in the next year or two, because
> the IPv4 address space is nearly exhausted.
>

OK, support IPv6 too, the basic concept remains the same.
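
Added example, not part of the original thread and not Asterisk code: a sketch of the checks discussed above, deciding whether a dial target is a defined peer, a strict IPv4/IPv6 literal, an all-digit name, or a hostname that would need DNS. The peer table, the `strict_peers` flag and all function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum target_kind { TARGET_PEER, TARGET_IP_LITERAL, TARGET_AMBIGUOUS_NUMERIC,
                   TARGET_HOSTNAME, TARGET_REJECTED };

/* Constructed peer table standing in for configured/realtime peers. */
static const char *const defined_peers[] = { "alice", "1001", "trunk-a" };

static int is_defined_peer(const char *name)
{
    for (size_t i = 0; i < sizeof(defined_peers) / sizeof(defined_peers[0]); i++)
        if (strcmp(defined_peers[i], name) == 0)
            return 1;
    return 0;
}

/* inet_pton() is strict: IPv4 must be a dotted quad, IPv6 a valid literal.
 * inet_aton()-style parsing would accept a bare number such as "1002". */
static int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

static int is_all_digits(const char *s)
{
    return s[0] != '\0' && s[strspn(s, "0123456789")] == '\0';
}

/* strict_peers models the proposed option: anything that is not a defined
 * peer is rejected before any address parsing or DNS lookup happens. */
enum target_kind classify_target(const char *target, int strict_peers)
{
    if (is_defined_peer(target))
        return TARGET_PEER;
    if (strict_peers)
        return TARGET_REJECTED;
    if (is_ip_literal(target))
        return TARGET_IP_LITERAL;
    if (is_all_digits(target))
        return TARGET_AMBIGUOUS_NUMERIC; /* likely a missing peer: warn */
    return TARGET_HOSTNAME;              /* only this path needs DNS */
}

int main(void)
{
    printf("1002 strict=%d lax=%d\n", classify_target("1002", 1), classify_target("1002", 0));
    return 0;
}
```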


