Dangling Dns in Actix with Api Keys

A dangling DNS configuration in an Actix web service becomes high risk when API keys are used for authentication but are not tied to strict network and transport controls. In this combination, the service may resolve a hostname to an IP that changes over time or to an internal address, while the API key is presented on every request. Because Actix routes requests based on patterns and can forward calls to upstream hosts, a stale or unpredictable DNS entry can cause the key to be sent to an unintended endpoint.

During a black-box scan, middleBrick tests unauthenticated attack surfaces by providing only a URL. If the target uses API keys in headers and relies on a hostname that can resolve to different destinations, the scan can observe that responses differ based on DNS state, indicating that the service does not enforce endpoint consistency. An attacker who can influence DNS (e.g., via compromised resolver, cache poisoning, or malicious internal network) may steer traffic to a server they control. Because the API key is static in headers, the attacker can capture it and replay it to a malicious host if TLS validation is weak or if the service skips hostname verification.

In the context of the 12 security checks run by middleBrick, this scenario is flagged under BOLA/IDOR and Data Exposure categories. The scanner cross-references OpenAPI/Swagger definitions with runtime behavior: if the spec defines a server variable that includes a hostname and the runtime resolves that hostname inconsistently, the tool reports a finding. Because API keys are bearer tokens, any leakage or misrouting can lead to unauthorized access across microservices that share the same key scope. The presence of API keys does not inherently prevent SSRF or redirect-based confusion; in fact, keys can make repeated abuse easier once obtained.

Real-world patterns observed in scans include services that use environment-driven DNS names (e.g., db-internal.example.com) which resolve differently in development, CI, and production. If an Actix app does not validate the certificate hostname or does not pin the expected resolved address, a dangling DNS entry can result in the API key being sent to a rogue service. This aligns with known attack patterns such as request smuggling and server-side request forgery, where the client trusts DNS rather than enforcing strict endpoint identity.

middleBrick flags these issues with severity and remediation guidance, emphasizing that DNS stability and strict host verification must be designed alongside authentication mechanisms like API keys. The scanner does not fix the configuration but highlights the need to validate hostnames, avoid reliance on mutable DNS, and ensure that key usage is scoped to verified endpoints.

To reduce risk, treat API keys as bearer tokens that must be protected against misrouting. In Actix, enforce strict hostname verification and avoid dynamic DNS for key-protected routes. Use Rust’s type system and middleware to validate targets before issuing requests with keys.

Example: a safe Actix client wrapper that validates the host against an allowlist and uses HTTPS with certificate pinning. This ensures that even if DNS changes, the request fails unless the endpoint is explicitly permitted.

use actix_web::{web, App, HttpResponse, HttpServer, Responder};
use reqwest::Client;
use std::collections::HashSet;

async fn call_upstream(api_key: &str) -> Result {
    // Define allowed hosts to prevent dangling DNS redirects
    let allowed_hosts: HashSet<&str> = ["api.vendor.com"].iter().cloned().collect();
    let url = "https://api.vendor.com/v1/resource";
    let host = url
        .strip_prefix("https://")
        .or_else(|| url.strip_prefix("http://"))
        .unwrap_or(url);
    let host = host.split('/').next().unwrap_or(host);

    if !allowed_hosts.contains(host) {
        return Ok(HttpResponse::BadRequest().body("Host not allowed"));
    }

    let client = Client::new();
    let response = client
        .get(url)
        .bearer_auth(api_key)
        .send()
        .await?;
    Ok(response)
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(move || {
        App::new()
            .route("/proxy", web::get().to(|api_key: web::Query| async move {
                match call_upstream(&api_key.key).await {
                    Ok(resp) => resp,
                    Err(_) => HttpResponse::ServiceUnavailable().finish(),
                }
            }))
    })
    .bind("127.0.0.1:8080")?
    .run()
    .await
}

#[derive(serde::Deserialize)]
struct ApiKey {
    key: String,
}

This example demonstrates explicit host validation before using the API key. In production, you should also enable TLS with certificate pinning via reqwest’sdanger_accept_invalid_certs and danger_accept_invalid_hosts settings only for testing; in production, rely on public CA validation and hostname checks.

Additionally, rotate API keys regularly and scope them to specific endpoints and permissions. In the dashboard, track scans over time to detect new dangling DNS findings. The CLI can be used in scripts: middlebrick scan https://your-service.example.com. For CI/CD, add the GitHub Action to fail builds if a scan reports unresolved host risks. Within the MCP Server, scan APIs directly from your IDE to catch configuration drift early.