<div><div class="gmail_quote">On Tue, May 3, 2011 at 5:05 PM, Benny Amorsen <span dir="ltr"><<a href="mailto:benny%2Busenet@amorsen.dk">benny+usenet@amorsen.dk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">Simon Perreault <<a href="mailto:simon.perreault@viagenie.ca">simon.perreault@viagenie.ca</a>> writes:<br>
<br>
> An idea: we could apply a check (regex?) on the host name and warn if it<br>
> "strange", e.g. only digits.<br>
<br>
</div>The challenge is that Asterisk has a syntax which does not make it clear<br>
whether you are trying to dial an existing peer or just an unknown<br>
IP/hostname. This causes security issues -- if a peer does not<br>
exist for some reason, e.g. a database problem with realtime, you risk<br>
that Asterisk makes a call to a device you do not control. The problem<br>
only gets larger whenever a new valid syntax is added to getaddrinfo and<br>
whenever a new top level domain is added.<br>
<br>
It also causes Asterisk to do unnecessary DNS lookups which can block<br>
Asterisk for an extended time if the DNS server is slow to respond.<br>
<br>
Unfortunately the only real solution is to change the syntax of Dial().<br>
This is not likely to happen.<br>
<font color="#888888"><br>
<br>
/Benny<br>
</font><div><div></div><div class="h5"><br></div></div></blockquote><div>Not trying to butt in, but have been following this with interest.</div><div> </div><meta http-equiv="content-type" content="text/html; charset=utf-8">What about adding a config option that requires all dial strings to be existing or defined peers? If not defined and config option is set, reject it instead of trying to resolve it. It seems like this could provide more security and eliminated overhead of unexpected DNS queries.<div>
<br clear="all">Thanks!<div><br></div><div>David Ruggles</div></div></div></div>