HIGH dangling dnsfastapipython

Dangling Dns in Fastapi (Python)

Scan for dangling dns in fastapi

Dangling DNS in FastAPI with Python

Dangling DNS occurs when an API endpoint references a hostname that cannot be resolved to an IP address at runtime. In FastAPI applications built with Python, this typically manifests when:

  • Internal service discovery uses hostnames that are only valid in certain environments
  • Third-party microservices are invoked via hardcoded hostnames that may not exist in all deployment stages
  • Configuration-driven endpoints use DNS names that resolve differently across dev, staging, and production

This creates an unvalidated external resource dependency that attackers can exploit through:

  1. DNS spoofing attacks where malicious actors register unclaimed hostnames
  2. Hostname enumeration to discover internal service boundaries
  3. Cache poisoning to redirect requests to unauthorized endpoints

FastAPI's async nature amplifies the risk because asynchronous HTTP clients often resolve hostnames lazily, potentially exposing race conditions where an attacker registers a hostname between resolution checks.

Real-world example: A FastAPI endpoint that calls an external analytics service using a hostname configured via environment variable:

import os
from httpx import AsyncClient

async def get_analytics():
    analytics_host = os.getenv("ANALYTICS_HOST", "analytics.internal")
    async with AsyncClient() as client:
        response = await client.get(f"http://{analytics_host}/track")
        return response.text

If analytics.internal is never registered in DNS, the endpoint becomes dangling. During scanning, middleBrick detects this by sending HTTP requests to the resolved hostname and observing resolution failures or timeout patterns.

This vulnerability maps to OWASP API Top 10 category B01:2023 - Broken Object Level Authorization when the dangling endpoint is used for privilege escalation, or B08:2023 - Software and Data Integrity Failures when the hostname resolution introduces supply chain risks.

Detection through middleBrick's DNS resolution testing identifies:

  • Unresolved hostnames during active scanning
  • Timeout patterns consistent with non-existent domains
  • Inconsistent resolution across scan iterations
  • Hardcoded hostnames without fallback validation

Remediation requires explicit hostname validation and environment-aware configuration management, which we detail in the next section.

Python-Specific Remediation in FastAPI

Remediation must address both DNS validation and environment-specific configuration handling. The following Python code demonstrates a secure implementation pattern:

import os
import asyncio
from typing import Optional
from httpx import AsyncClient, ConnectTimeout

# Secure hostname resolution with validation
ALLOWED_HOSTS = {
    "analytics": {"env": "production", "required": True},
    "staging-analytics": {"env": "staging", "required": False},
    "local-analytics": {"env": "development", "required": False}
}

async def get_secure_endpoint():
    # Get hostname from secure configuration, not direct env var
    env = os.getenv("APP_ENV", "development")
    config = ALLOWED_HOSTS.get("analytics", {})
    
    # Validate hostname exists in allowed list
    hostname = os.getenv("ANALYTICS_HOST")
    if not hostname or hostname not in ALLOWED_HOSTS:
        # Fallback to safe default or raise error
        raise ValueError(f"Invalid analytics hostname for environment: {env}")
    
    # Validate environment context
    if config["env"] != env and config["required"]:
        raise RuntimeError(f"Analytics service not available in {env} environment")
    
    # Perform DNS resolution with timeout
    try:
        loop = asyncio.get_event_loop()
        resolved = await loop.getaddrinfo(hostname, None, timeout=5.0)
        resolved_host = resolved[0][4][0]
    except (asyncio.TimeoutError, socket.gaierror):
        raise ConnectionError(f"DNS resolution failed for {hostname}")
    
    # Proceed with validated hostname
    async with AsyncClient(timeout=10.0) as client:
        response = await client.get(f"http://{resolved_host}/track")
        return response.text

if __name__ == "__main__":
    import asyncio
    asyncio.run(get_secure_endpoint())

Key improvements over vulnerable patterns:

  • Explicit hostname whitelisting: Only allows predefined hostnames based on environment
  • Context-aware validation: Checks that hostname matches expected environment
  • Explicit DNS resolution with timeout: Uses async DNS resolution with explicit timeout handling
  • Error handling: Fails fast with descriptive errors instead of proceeding with invalid hostnames

For production systems, combine this with:

  1. Configuration management that separates environment-specific hostnames
  2. Health checks that verify DNS resolution during startup
  3. Service mesh integration that abstracts service discovery

This approach prevents attackers from exploiting unclaimed DNS entries while maintaining FastAPI's async performance characteristics.

Scan for dangling dns in fastapi Free API security scan

Frequently Asked Questions

How does FastAPI's async architecture affect DNS resolution vulnerabilities?
FastAPI's async nature means HTTP clients like httpx perform non-blocking DNS resolution. This can create race conditions where an attacker registers a hostname between resolution checks, making dangling DNS vulnerabilities more exploitable in asynchronous environments compared to synchronous frameworks.
What OWASP category does dangling DNS in FastAPI APIs fall under?
Dangling DNS primarily maps to OWASP API Top 10 B08:2023 - Software and Data Integrity Failures when it involves unauthorized external resource invocation, and may also relate to B01:2023 - Broken Object Level Authorization if used for privilege escalation through service discovery.

Related Pages

Dangling Dns in FastapiLearn how Dangling DNS vulnerabilities manifest in FastAPI apps, how to detect them with tools like middleBrick, and howCWE-1104 in Fastapi (Python)CWE-1104 in FastAPI with Python: causes and remediation with code examples.CWE-116 in Fastapi (Python)CWE-116 in FastAPI with Python: causes, secure subprocess patterns, validation, and remediation guidance.CWE-113 in Fastapi (Python)CWE-113 in FastAPI with Python: causes, Python-specific fixes, and secure code examples for preventing HTTP response splCWE-1039 in Fastapi (Python)CWE-1039 in FastAPI with Python: causes and Python-specific fixes with explicit Pydantic models and safe exception handlPci Dss: Dangling Dns in FastapiExplore how dangling DNS records intersect with PCI DSS in FastAPI apps. See concrete remediation code examples and how Soc2: Dangling Dns in FastapiExplore how SOC 2 controls intersect with dangling DNS in FastAPI apps. Learn remediation patterns and use middleBrick CIso 27001: Dangling Dns in FastapiExplore ISO 27001 considerations for dangling DNS with FastAPI, including real remediation code and how middleBrick scanCis: Dangling Dns in FastapiExplore CIS misconfigurations from dangling DNS in FastAPI apps, with remediation code examples and how MiddleBrick deteDangling Dns in Fastapi with Api KeysExplore how dangling DNS records combined with API key usage in FastAPI can expose security risks. Learn remediation patDangling Dns in Fastapi with Hmac SignaturesDangling DNS risks in FastAPI with HMAC signatures and remediation code examplesDangling Dns in Fastapi with Basic AuthExplore how dangling DNS combined with FastAPI and Basic Auth can expose endpoints, and apply concrete Basic Auth remedi