Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

unresolvable dnslink record allows /ipfs/ traffic #4973

Closed
sixcorners opened this issue Apr 24, 2018 · 3 comments · Fixed by #4977
Closed

unresolvable dnslink record allows /ipfs/ traffic #4973

sixcorners opened this issue Apr 24, 2018 · 3 comments · Fixed by #4977
Assignees
@Stebalien
Labels
kind/bug A bug in existing code (including security flaws)

Comments

@sixcorners
Copy link

Version information:

go-ipfs version: 0.4.13-3b16b74
Repo version: 6
System version: amd64/linux
Golang version: go1.9.2

Docker image: ipfs/go-ipfs:latest@sha256:9e954a28f694b1d6e3ae0af1b374a498913b262069e926cdd5728b7f630149c8

Type:

Bug

Description:

Normally when you have a dnslink text record on a domain you can't access arbitrary stuff out of ipfs.
I set up a dnslink record to point to the wikipedia mirror:

$ dig +short txt wikipedia.sixcorners.info
"dnslink=/ipns/QmdJiuMWp2FxyaerfLrtdLF6Nr1EWpL7dPAxA9oKSPYYgV"

/ipns/QmdJiuMWp2FxyaerfLrtdLF6Nr1EWpL7dPAxA9oKSPYYgV stopped working. I don't really know why. I created an issue about that here: ipfs/distributed-wikipedia-mirror#52
Now this link works after a short delay:
https://wikipedia.sixcorners.info/ipfs/QmS4ustL54uo8FzR9455qaxZwuMiUhyvMcX9Ba8nUH4uVv/

I would assume the expected behavior would be for the server to respond with a 404 or something.
@Stebalien
Copy link
Member

I assume you're running an IPFS gateway at wikipedia.sixcorners.info? Setting a dnslink record on your DNS server isn't going to affect your IPFS node; it's still an IPFS gateway.

If you want to limit the paths that can be resolved through your gateway, you can set the Gateway.PathPrefixes config option to, e.g., ["/ipns/QmdJiuMWp2FxyaerfLrtdLF6Nr1EWpL7dPAxA9oKSPYYgV"]:

> ipfs config --json Gatway.PathPrefixes `["/ipns/QmdJiuMWp2FxyaerfLrtdLF6Nr1EWpL7dPAxA9oKSPYYgV"]

That should configure the IPFS gateway to only resolve paths starting with /ipns/QmdJiuMWp2FxyaerfLrtdLF6Nr1EWpL7dPAxA9oKSPYYgV.

@Stebalien Stebalien added the kind/support A question or request for support label Apr 25, 2018
@sixcorners
Copy link
Author

wikipedia2.sixcorners.info now has a working dnslink.
https://wikipedia2.sixcorners.info/ipfs/QmS4ustL54uo8FzR9455qaxZwuMiUhyvMcX9Ba8nUH4uVv/
That URL doesn't come back.

ipfs resolve -r /ipns/wikipedia2.sixcorners.info/ipfs/QmS4ustL54uo8FzR9455qaxZwuMiUhyvMcX9Ba8nUH4uVv/: file does not exist

It looks like when dnslink is set on the domain the gateway will only serve traffic to stuff the dnslink points to. #3902 and #4788 are issues that ask for ways to get around this behavior. I think it kind of makes sense. If you want to host an application that is served from your own ipfs gateway you might not want arbitrary resources to be served from your domain. I guess that's not something that can be relied on?

Any chance we can set the path prefix to look something like /ipns/*.sixcorners.info ?

@Stebalien Stebalien added kind/bug A bug in existing code (including security flaws) and removed kind/support A question or request for support labels Apr 25, 2018
Stebalien added a commit that referenced this issue Apr 25, 2018
@Stebalien
only resolve dnslinks once in the gateway
81ffb14 
If the domain has a DNS-Link, we want to use it even if it points to, e.g., an
IPNS address that doesn't resolve.

fixes #4973

License: MIT
Signed-off-by: Steven Allen <steven@stebalien.com>
@Stebalien Stebalien mentioned this issue Apr 25, 2018
Merged
@ghost ghost assigned Stebalien Apr 25, 2018
@ghost ghost added the status/in-progress In progress label Apr 25, 2018
@Stebalien
Copy link
Member

Stebalien commented Apr 25, 2018
edited
Loading

That URL doesn't come back.

Huh. I guess I was wrong. I thought this was a feature of our gateways, not the IPFS gateway in general (I thought we did this with a reverse proxy).

But now I see the issue. Sorry, I misinterpreted your initial post. The issue here is that, when /ipns/QmdJiuMWp2FxyaerfLrtdLF6Nr1EWpL7dPAxA9oKSPYYgV stopped resolving, your gateway started resolving other paths, right? Yeah, that's definitely a bug. Fix: #4977

Stebalien added a commit that referenced this issue Apr 25, 2018
@Stebalien
only resolve dnslinks once in the gateway
681d59b 
If the domain has a DNS-Link, we want to use it even if it points to, e.g., an
IPNS address that doesn't resolve.

fixes #4973

License: MIT
Signed-off-by: Steven Allen <steven@stebalien.com>
Stebalien added a commit that referenced this issue Jun 3, 2018
@Stebalien
only resolve dnslinks once in the gateway
31bb974 
If the domain has a DNS-Link, we want to use it even if it points to, e.g., an
IPNS address that doesn't resolve.

fixes #4973

License: MIT
Signed-off-by: Steven Allen <steven@stebalien.com>
@ghost ghost removed the status/in-progress In progress label Jun 3, 2018
djdv pushed a commit that referenced this issue Jun 27, 2018
@Stebalien @djdv
only resolve dnslinks once in the gateway
84fb35f 
If the domain has a DNS-Link, we want to use it even if it points to, e.g., an
IPNS address that doesn't resolve.

fixes #4973

License: MIT
Signed-off-by: Steven Allen <steven@stebalien.com>
@ntninja ntninja mentioned this issue Jul 29, 2024
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Stebalien Stebalien

Labels
kind/bug A bug in existing code (including security flaws)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

only resolve dnslinks once in the gateway ipfs/kubo
2 participants
@Stebalien @sixcorners