
dns.query.https not validating IP-based DNS server's certificate

Open moshekaplan opened this issue 1 year ago • 1 comments

Describe the bug

dns.query.https with a `where` of an IP address does not validate that the DNS server's hostname matches the certificate. Rather, I'd expect it to raise an Exception or allow controlling this directly, as dns.query.tls does with the server_hostname argument.

To Reproduce

Make a DNS request with dns.query.https to a DNS server via IP address with a valid certificate that does not include the IP in the SAN. Note that the request completes successfully, instead of raising an SSL certificate error.

import dns.message
import dns.name
import dns.query
import dns.rdatatype

domain = "www.google.com"
dns_server = '1.2.3.4'  # Made up: a DoH server reached by IP literal
path_to_cert = "ca-bundle.pem"  # placeholder: CA bundle that signs the server's certificate

qname = dns.name.from_text(domain)
q = dns.message.make_query(qname, dns.rdatatype.A)
# Expected: an SSL error, since the certificate does not name 1.2.3.4 in its SAN.
# Observed: the query completes successfully.
r = dns.query.https(q, dns_server, verify=path_to_cert)

Context (please complete the following information):

  • dnspython version 2.6.1
  • Python version 3.10.6
  • OS: Windows 10

moshekaplan · Aug 28 '24 19:08

I think we were assuming that httpx would handle this case, but it looks like we need to pass an sni_hostname extension in the request to get it to validate in that case. I will see about fixing this.

rthalley · Aug 28 '24 20:08
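To illustrate the mechanism rthalley describes (an httpx `sni_hostname` request extension so that an IP-addressed DoH server is still verified against its operator's hostname), here is an added example that is not dnspython's own code; the `doh_query` function, its `/dns-query` path and the `server_hostname` parameter are this example's own assumptions, and httpx is imported lazily so the helper functions run without it.

```python
import ipaddress
from typing import Dict, Optional, Tuple


def is_ip_literal(where: str) -> bool:
    """True if `where` is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(where)
        return True
    except ValueError:
        return False


def doh_request_params(where: str, server_hostname: Optional[str],
                       path: str = "/dns-query") -> Tuple[str, Dict[str, str]]:
    """Build the URL and httpx request extensions for a DoH request to `where`.

    When `where` is an IP literal and `server_hostname` is given, the TLS handshake
    must send that name as SNI and verify the certificate against it. Without it,
    verification applies to the bare IP, which most certificates do not list in
    their SAN, so a hostname mismatch would never be detected.
    """
    host = f"[{where}]" if (":" in where and is_ip_literal(where)) else where
    url = f"https://{host}{path}"
    extensions: Dict[str, str] = {}
    if server_hostname and is_ip_literal(where):
        # httpx passes this to the SSL layer as server_hostname, so both SNI and
        # certificate hostname checking use the operator's name, not the IP.
        extensions["sni_hostname"] = server_hostname
    return url, extensions


def doh_query(wire: bytes, where: str, server_hostname: Optional[str] = None,
              verify=True, timeout: float = 5.0) -> bytes:
    """POST a wire-format DNS message (e.g. dns.message.Message.to_wire()) and
    return the wire-format answer. Assumed helper; requires network and httpx."""
    import httpx  # imported lazily so the pure helpers above work offline

    url, extensions = doh_request_params(where, server_hostname)
    headers = {"content-type": "application/dns-message",
               "accept": "application/dns-message"}
    with httpx.Client(verify=verify, timeout=timeout) as client:
        resp = client.post(url, content=wire, headers=headers, extensions=extensions)
        resp.raise_for_status()
        return resp.content
```

Feed the returned bytes to dns.message.from_wire; if the certificate presented by the IP does not match `server_hostname`, httpx raises during the handshake instead of returning an answer.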

Fixed!

rthalley · Sep 14 '24 15:09

Thanks for the quick turnaround!

moshekaplan · Sep 15 '24 01:09