We have a security vulnerability that is rather long in the tooth (not yet public) that depends, in part, on our DNS resolver’s willingness to attempt to resolve arbitrary garbage strings, including strings that could not ever be valid hostnames. I propose to remove support for such requests in our DNS resolution code, and attempt only to resolve legal hostnames (“preferred name syntax”). Additionally, I propose we accept underscores (_) in names. (See the measurement CL.)

Motivation

Reduce exposure to bugs.

Documentation

Status in Chromium

Internals>Network>DNS


Removed (tracking bug) in:

  • Chrome for desktop release 69
  • Chrome for Android release 69
  • Android WebView release 69

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • No signals

Owner

Comments

This removal shipped in Chrome 69. The CL was https://chromium-review.googlesource.com/c/chromium/src/+/569298.

Last updated on 2020-11-09