Dangling Dns in Feathersjs with Dynamodb

A dangling DNS entry occurs when a domain name still resolves to an infrastructure endpoint that no longer hosts the intended service. In a FeathersJS application using Amazon DynamoDB, this typically arises during environment changes such as account migrations, service deletions, or re‑provisioning of backend resources. If DNS is updated before all references in the application and its runtime configuration are updated, the FeathersJS service may continue to resolve the old DNS name to an IP address that now belongs to a different owner or an unmanaged environment.

With DynamoDB, this can expose data or allow unintended operations if the dangling DNS name points to a similarly named but misconfigured table in another AWS account or region. For example, a table named orders in one AWS account might, after decommissioning, have its DNS record pointing to a residual endpoint that resolves to a different orders table in another account. FeathersJS services that load table names from environment variables or configuration files without runtime validation will then issue requests to the incorrect endpoint, potentially accessing or mutating data that should be isolated.

The combination of FeathersJS dynamic service registration and DynamoDB endpoint resolution increases the risk because FeathersJS can instantiate multiple service classes that rely on external table references. If a service definition uses a DNS-based endpoint (for example, via a custom AWS SDK configuration that resolves a hostname rather than using explicit AWS SDK region and account routing), and that DNS record becomes dangling, the service may unknowingly route requests to an external table. This violates logical isolation boundaries and can lead to data exposure or unauthorized modification, which middleBrick’s BOLA/IDOR and Data Exposure checks are designed to detect.

During a scan, middleBrick tests unauthenticated attack surfaces and can identify indicators of such misconfigurations by correlating API behavior with expected access patterns. If a FeathersJS endpoint configured for DynamoDB returns data from an unexpected table or exhibits inconsistent authorization boundaries, middleBrick flags related findings under Data Exposure and BOLA/IDOR, providing remediation guidance to enforce explicit table references and validate DNS and endpoint configurations before deployment.

To prevent issues related to dangling DNS and incorrect table references in FeathersJS with DynamoDB, use explicit configuration and validation rather than relying on DNS-based or environment-derived endpoint resolution. The following examples demonstrate secure patterns for defining DynamoDB services in FeathersJS.

First, hardcode the AWS region and use the AWS SDK’s default credential chain with explicit table names. Avoid constructing table names from mutable environment variables that could be overridden by an attacker or during deployments.

const { DynamoDB } = require('aws-sdk');
const feathers = require('@feathersjs/feathers');
const rest = require('@feathersjs/rest');

const app = feathers();
app.configure(rest());

// Explicit region and table name
const ddb = new DynamoDB({
  region: 'us-east-1',
  // Use AWS SDK default credential resolution; do not inject credentials via DNS or custom endpoints
});

const tableName = 'prod-orders';

app.use('/orders', {
  async find(params) {
    const { Query } = ddb;
    const paramsQuery = {
      TableName: tableName,
      KeyConditionExpression: 'userId = :uid',
      ExpressionAttributeValues: {
        ':uid': { S: params.query.userId }
      }
    };
    const data = await Query(paramsQuery).promise();
    return data.Items;
  },
  async get(id, params) {
    const { GetItem } = ddb;
    const paramsGet = {
      TableName: tableName,
      Key: {
        id: { S: id }
      }
    };
    const data = await GetItem(paramsGet).promise();
    return data.Item;
  },
  // Create, update, patch, remove omitted for brevity
});

This approach ensures that the table referenced is constant and not subject to DNS or environment variable manipulation that could introduce a dangling reference. By specifying the region explicitly, you avoid reliance on DNS records that may resolve unpredictably.

Second, implement validation at service initialization to confirm that the intended table exists and is accessible, and reject requests if the table name does not match an allowlist. This prevents accidental interaction with a table that may have been re‑provisioned under the same DNS name.

const allowedTables = new Set(['prod-users', 'prod-orders', 'prod-inventory']);

function validateTableName(name) {
  if (!allowedTables.has(name)) {
    throw new Error(`Table ${name} is not authorized`);
  }
}

// Usage in service setup
validateTableName(tableName);

Finally, prefer AWS SDK v3 modular clients with explicit middleware to enforce region and endpoint consistency. This reduces the risk of runtime configuration drift that can lead to interactions with unintended endpoints.

const { DynamoDB } = require('@aws-sdk/client-dynamodb');
const { defaultProvider } = require('@aws-sdk/credential-provider-node');

const client = new DynamoDB({
  region: 'eu-west-1',
  credentials: defaultProvider()
});

// Use client in service adapters with hardcoded table names

These practices align with middleBrick’s findings by ensuring that authentication, BOLA/IDOR, and Data Exposure checks pass, as the service no longer depends on mutable DNS or environment-derived endpoints that can become dangling.