DRIVERS-2171

Document or prohibit unix domain sockets in srv records

    • Type: Spec Change
    • Resolution: Unresolved
    • Priority: Minor - P4
    • Component/s: Connection String
    • Needed

https://github.com/mongodb/specifications/blob/master/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.rst#specification says:

> The format [of the connection string] is:
>
> mongodb+srv://{hostname}.{domainname}/{options}

This is however misleading, because in addition to DNS hostnames the drivers also accept unix domain socket paths. Coupled with DNS seed list discovery, this permits an attacker able to forge DNS responses to force a driver to establish local unix socket connections. I think this behavior will come as a surprise to system administrators tasked with security policy compliance.

I think the DNS seed list discovery spec should either be amended to explicitly acknowledge that DNS records can resolve to local socket connections, or prohibit the driver from accepting unix socket paths from DNS records.
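A defensive check for the concern raised in this ticket, added here as an illustration and not code from the ticket or from the MongoDB drivers: before a driver uses the targets returned by an SRV lookup, it rejects any target that looks like a unix domain socket path, and additionally (an assumed hardening policy, not a requirement quoted in this ticket) only accepts targets under the seed hostname's parent domain. The function names and the sample SRV answers are constructed for the example.

```python
import re

# RFC 1123 style DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def looks_like_unix_socket(target: str) -> bool:
    """Heuristic: a host value that is really a filesystem path.

    Connection strings carry unix socket hosts either raw
    ("/tmp/mongodb-27017.sock") or percent-encoded
    ("%2Ftmp%2Fmongodb-27017.sock"), so both spellings count here.
    """
    t = target.lower()
    return "/" in t or "%2f" in t or t.endswith(".sock")


def validate_srv_target(target: str, seed_host: str) -> str:
    """Return the normalised target if it is an acceptable DNS hostname
    under the seed's parent domain; raise ValueError otherwise."""
    host = target.rstrip(".")  # SRV targets are often fully qualified with a trailing dot
    if looks_like_unix_socket(host):
        raise ValueError(f"SRV target {target!r} is a unix domain socket path, not a hostname")
    if not all(_LABEL.match(label) for label in host.split(".")):
        raise ValueError(f"SRV target {target!r} is not a valid DNS hostname")
    # Assumed hardening policy: the seed "cluster0.example.com" may only be
    # redirected to hosts under "example.com".
    parent = seed_host.rstrip(".").split(".", 1)[1]
    if not host.endswith("." + parent):
        raise ValueError(f"SRV target {target!r} is outside parent domain {parent!r}")
    return host


def filter_srv_targets(targets, seed_host):
    """Split SRV answers into accepted hosts and {target: reason} rejections."""
    accepted, rejected = [], {}
    for t in targets:
        try:
            accepted.append(validate_srv_target(t, seed_host))
        except ValueError as exc:
            rejected[t] = str(exc)
    return accepted, rejected


# Constructed sample answers for _mongodb._tcp.cluster0.example.com (not real DNS data).
SAMPLE_TARGETS = [
    "shard0.example.com.",
    "shard1.example.com",
    "/tmp/mongodb-27017.sock",       # raw unix socket path
    "%2Ftmp%2Fmongodb-27017.sock",   # percent-encoded unix socket path
    "mongodb.sock",                  # socket-looking name
    "shard0.evil.example.net",       # outside the seed's parent domain
]
```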

Assignee: Unassigned
Reporter: oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)
Votes: 0
Watchers: 2