[asterisk-dev] [Code Review] Add getnameinfo() to ast_sockaddr_resolve ()

Olle E. Johansson oej at edvina.net
Wed May 4 00:45:35 CDT 2011


On 4 May 2011, at 07:33, Eric ManxPower Wieling wrote:

> 
> 
> On 05/04/2011 12:04 AM, Tilghman Lesher wrote:
>> On Tuesday 03 May 2011 19:56:25 Eric "ManxPower" Wieling wrote:
>>> On 05/03/2011 04:55 PM, David Ruggles wrote:
>>>> On Tue, May 3, 2011 at 5:05 PM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:
>>>>> Simon Perreault <simon.perreault at viagenie.ca> writes:
>>>>>> An idea: we could apply a check (regex?) on the host name and warn
>>>>>> if it is "strange", e.g. only digits.
>>>>> 
>>>>> The challenge is that Asterisk has a syntax which does not make it
>>>>> clear whether you are trying to dial an existing peer or just an
>>>>> unknown IP/hostname. This causes security issues -- if a peer does
>>>>> not exist for some reason, e.g. a database problem with realtime,
>>>>> you risk that Asterisk makes a call to a device you do not control.
>>>>> The problem only gets larger whenever a new valid syntax is added to
>>>>> getaddrinfo and whenever a new top level domain is added.
>>>>> 
>>>>> It also causes Asterisk to do unnecessary DNS lookups which can block
>>>>> Asterisk for an extended time if the DNS server is slow to respond.
>>>>> 
>>>>> Unfortunately the only real solution is to change the syntax of
>>>>> Dial(). This is not likely to happen.
>>>>> 
>>>>> 
>>>>> /Benny
>>>>> 
>>>>> Not trying to butt in, but have been following this with interest.
>>>> 
>>>> What about adding a config option that requires all dial strings to be
>>>> existing or defined peers? If not defined and config option is set,
>>>> reject it instead of trying to resolve it. It seems like this could
>>>> provide more security and eliminate overhead of unexpected DNS
>>>> queries.
>>> 
>>> Do we need to support IP addresses that are not in quad dotted format?
>>> I can't imagine anyone using them.  A config file option could be
>>> created to allow addresses that are not quad dotted.
>> 
>> Yes, in particular, IPv6 addresses are not dotted quads and you will have
>> to deal with those addresses sometime in the next year or two, because
>> the IPv4 address space is nearly exhausted.
>> 
> 
> OK, support IPv6 too, the basic concept remains the same.
> 
Just to clarify to Benny: The dial string is parsed by the SIP channel, not the DIAL app. We could change syntax of the SIP dial string or add an option - like in chan_local - but in this case an option that says "don't try to resolve this in DNS".

I think that would be a good option to have.

/O
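
Added example (not part of the original message and not Asterisk code): a C sketch of the "don't try to resolve this in DNS" option discussed in this thread, where a dial target that is neither a defined peer nor an address literal is rejected instead of being looked up. The function names, the `no_dns` flag and the sample peer table are hypothetical, and the host is assumed to be already extracted from the dial string.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum dial_target { TARGET_PEER, TARGET_IP_LITERAL, TARGET_NEEDS_DNS, TARGET_REJECTED };

/* Constructed sample data standing in for the configured/realtime peer list. */
static const char *const sample_peers[] = { "alice", "office-gw" };

static int is_defined_peer(const char *name)
{
    for (size_t i = 0; i < sizeof(sample_peers) / sizeof(sample_peers[0]); i++)
        if (strcmp(sample_peers[i], name) == 0)
            return 1;
    return 0;
}

/* inet_pton() never queries DNS and accepts only dotted-quad IPv4 or
 * textual IPv6, so a digits-only string such as "5551234" is not an address. */
static int is_ip_literal(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Hypothetical classifier: with no_dns set, anything that is neither a
 * defined peer nor an address literal is rejected instead of resolved. */
enum dial_target classify_dial_target(const char *host, int no_dns)
{
    if (host == NULL || *host == '\0')
        return TARGET_REJECTED;
    if (is_defined_peer(host))
        return TARGET_PEER;
    if (is_ip_literal(host))
        return TARGET_IP_LITERAL;
    return no_dns ? TARGET_REJECTED : TARGET_NEEDS_DNS;
}

int main(void)
{
    /* Constructed inputs: "bob" models a peer missing from the table. */
    const char *hosts[] = { "alice", "bob", "5551234", "192.0.2.10", "2001:db8::1" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-12s no_dns=0 -> %d, no_dns=1 -> %d\n", hosts[i],
               classify_dial_target(hosts[i], 0), classify_dial_target(hosts[i], 1));
    return 0;
}
```

With `no_dns` set, a peer name that is missing from the table (the realtime database failure case raised in the thread) fails closed instead of falling through to a lookup.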



