Closed Bug 1657928 Opened 5 years ago Closed 5 years ago

Invalid hostname IP detection

Categories

(Core :: Networking: DNS, defect)

79 Branch
defect


RESOLVED INVALID

People

(Reporter: lexunin, Unassigned)

Details

Attachments

(1 file)

Attached file http_301_redirect.har

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0

Steps to reproduce:

URL where the issue can potentially be reproduced; if 'showheroes.com' is no longer delivered there, a HAR file is attached.

https://www.rtl.de/cms/42-tage-wettertrend-hundstage-2020-enden-im-absturz-4548149.html?utm_term=rtl-aktuell&utm_medium=echobox&utm_campaign=post&utm_source=Facebook

The case:

  • Page starts to load
    (filter network requests by showheroes.com)
  • The first request goes to the domain receiver-hetzner.showheroes.com and the domain IP gets resolved to 138.201.223.17. HTTP2 is in use.
  • A few requests after that, another request is made to the domain video-library.showheroes.com and for some reason it gets resolved to 138.201.223.17 as well (but should be one of the 167.233.6.*), even though that IP was never in the A-record DNS index for that domain. Nginx on our side makes a 301 redirect and forwards the request to the domain receiver-hetzner.showheroes.com, and obviously fails with a 404 error afterwards.

Actual results:

video-library.showheroes.com was resolved to 138.201.223.17

Expected results:

video-library.showheroes.com should be resolved to 167.233.6.11/167.233.6.12/167.233.6.13/167.233.6.14

Did you intend to mark this as a security-sensitive issue?

Group: firefox-core-security → network-core-security
Component: Untriaged → Networking: DNS
Flags: needinfo?(lexunin)
Product: Firefox → Core

Well, better to be safe than sorry. If there is a bug which allows redirecting a user's traffic from one domain to another IP address without the user even noticing it, I suppose it's better to keep it secret until it's fixed.

Flags: needinfo?(lexunin)

This site is using the Alt-Svc mechanism to coalesce the content over one HTTP/2 connection. If you disable it using the advanced preference network.http.altsvc.enabled it will use the IP addresses you expected.

specification: https://tools.ietf.org/html/rfc7838

Group: network-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
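
The Alt-Svc header named in the comment above can be inspected offline. The following Python sketch is an added example, not part of the original bug report or of Firefox's code: it parses an Alt-Svc field value per RFC 7838 and flags alternatives that name a different host than the origin that sent the header. The function names and the sample header value are assumptions made up for illustration.

```python
import re
from dataclasses import dataclass

# alt-value = protocol-id "=" quoted alt-authority, then optional ";name=value" parameters
_ALT_VALUE = re.compile(
    r'\s*([^=\s;,]+)="([^"]*)"((?:\s*;\s*[^=;,\s]+=(?:"[^"]*"|[^;,\s]*))*)\s*(?:,|$)')
_PARAM = re.compile(r';\s*([^=;,\s]+)=(?:"([^"]*)"|([^;,\s]*))')

@dataclass
class Alternative:
    protocol: str         # ALPN protocol id, e.g. "h2"
    host: str             # the origin's own host when the header omits it
    port: int
    max_age: int          # "ma" in seconds; RFC 7838 default is 24 hours
    different_host: bool  # True when requests would go to another hostname

def parse_alt_svc(origin_host, value):
    """Parse the Alt-Svc field value that origin_host sent (RFC 7838, section 3)."""
    if value.strip() == "clear":
        return []
    found, pos = [], 0
    while pos < len(value):
        m = _ALT_VALUE.match(value, pos)
        if not m:
            raise ValueError(f"malformed Alt-Svc value at offset {pos}")
        protocol, authority, raw_params = m.groups()
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"bad alt-authority {authority!r}")
        params = {k.lower(): q or u for k, q, u in _PARAM.findall(raw_params)}
        found.append(Alternative(
            protocol, host or origin_host, int(port),
            int(params.get("ma", 86400)),
            bool(host) and host.lower() != origin_host.lower()))
        pos = m.end()
    return found

def cross_host_alternatives(origin_host, value):
    """Alternatives that move this origin's traffic to a different hostname."""
    return [a for a in parse_alt_svc(origin_host, value) if a.different_host]

# Constructed header value for illustration; it is not taken from the attached HAR.
SAMPLE = 'h2="receiver-hetzner.showheroes.com:443"; ma=3600, h2=":8443"; persist=1'

if __name__ == "__main__":
    for alt in parse_alt_svc("video-library.showheroes.com", SAMPLE):
        print(alt)
```

Running the same check over the response headers of each of a site's own hosts shows which ones advertise an alternative on another hostname and for how long a client may keep using it.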

Thank you, Daniel! We will investigate further. If you have any more details, we would appreciate it if you would send us what to look at. Thanks again and have a nice weekend.
