Dns Cache Poisoning in Actix with Hmac Signatures

DNS Cache Poisoning can occur in Actix-based services that use HMAC Signatures for request authentication when the signature does not cover the full request context, such as the target hostname or the resolved remote endpoint. If an Actix application builds an HMAC over parts of the request (e.g., method, path, selected headers) but omits the hostname or the resolved IP, an attacker who can influence DNS resolution may redirect the request to a malicious server while keeping the signature valid. This can enable request smuggling, authorization bypass, or data exfiltration when the client trusts the host implicitly after signature verification.

Consider an Actix web service that calls a downstream API and signs requests using a shared secret. The client resolves a hostname (e.g., api.example.com) to an IP and includes a timestamp and method in the HMAC. If the DNS response is poisoned and the hostname resolves to an attacker-controlled IP, the client may still compute the same HMAC because the signature does not include the resolved IP or hostname. The attacker can then present a crafted response that the client accepts as legitimate, effectively bypassing trust in the origin server.

In a black-box scan using middleBrick, such issues are surfaced under BOLA/IDOR and Input Validation checks, especially when request parameters or host resolution are not validated against the signed context. The scanner tests whether the application reconciles the expected host or endpoint with the runtime request and whether the HMAC scope aligns with the data that can be influenced by an attacker. Findings include a breakdown of the signed fields, observed mismatches between resolved endpoints and signed host headers, and evidence of unvalidated redirects or forwarded requests that rely on DNS resolution.

For LLM/AI Security, note that DNS poisoning does not directly affect system prompt leakage or prompt injection, but an attacker may combine a poisoned DNS vector with other techniques to manipulate backend calls that feed into LLM endpoints. middleBrick’s LLM/AI Security checks do not test DNS poisoning; they focus on prompt injection, jailbreaks, and output scanning. To detect DNS-related logic flaws, rely on the BOLA/IDOR and Input Validation checks and review how the application binds identities to network endpoints.

To assess this using middleBrick, you can scan the API endpoint with the CLI: middlebrick scan https://api.example.com. The scan will report findings related to authentication, authorization, and input validation, highlighting whether the HMAC scope includes the hostname or IP and whether DNS resolution is validated. The Web Dashboard and GitHub Action allow you to track these findings over time and fail builds if risk scores degrade.

Remediation centers on ensuring the HMAC scope includes the hostname or canonicalized target and validating the resolved endpoint against the signed context. Below are concrete Actix examples that demonstrate a safer approach.

Example 1: Signing the method, path, and hostname

Include the hostname and the request path in the HMAC input. Use a canonical representation (e.g., lowercase host, normalized path) to avoid discrepancies due to case or encoding differences.

use hmac::{Hmac, Mac};
use sha2::Sha256;
use actix_web::{web, HttpResponse, HttpRequest};
use std::collections::HashMap;

type HmacSha256 = Hmac<Sha256>;

fn build_signature(secret: &[u8], method: &str, host: &str, path: &str, timestamp: &str) -> String {
    let mut mac = HmacSha256::new_from_slice(secret).expect("HMAC can take key of any size");
    mac.update(method.as_bytes());
    mac.update(b"|");
    mac.update(host.to_lowercase().as_bytes());
    mac.update(b"|");
    mac.update(path.as_bytes());
    mac.update(b"|");
    mac.update(timestamp.as_bytes());
    let result = mac.finalize();
    let code = result.into_bytes();
    hex::encode(code)
}

This function ensures the hostname is part of the signed payload. When forwarding or validating a request, compare the resolved hostname with the signed hostname to detect tampering.

Example 2: Validating the resolved host before use in Actix middleware

In an Actix middleware or guard, resolve the target hostname and compare it to the signed hostname. Reject the request if they do not match.

use actix_web::{dev::ServiceRequest, Error};
use trust_dns_resolver::Resolver;
use trust_dns_resolver::config::{ResolverConfig, ResolverOpts};

async fn validate_host(req: ServiceRequest) -> Result<ServiceRequest, Error> {
    let host_header = req.headers().get("x-target-host").ok_or_else(|| actix_web::error::ErrorBadRequest("missing host header"))?;
    let host = host_header.to_str().map_err(|_| actix_web::error::ErrorBadRequest("invalid host header"))?;

    let resolver = Resolver::new(ResolverConfig::default(), ResolverOpts::default()).map_err(|_| actix_web::error::ErrorInternalServerError("resolver init failed"))?;
    let addrs = resolver.lookup_ip(host).map_err(|_| actix_web::error::ErrorBadRequest("host resolution failed"))?;
    let canonical_ip = addrs.iter().next().ok_or_else(|| actix_web::error::ErrorBadRequest("no addresses found"))?;

    // Here you would also verify that the IP matches an allowlist or the expected endpoint.
    // For example, ensure canonical_ip is within a known range or matches pinned DNS.
    // If validation fails, return an error to prevent forwarding to a poisoned endpoint.

    Ok(req)
}

This validation reduces the risk that a poisoned DNS response leads the client to forward requests to an attacker-controlled IP. Combine this with HMAC checks that include the hostname to ensure consistency between the DNS resolution and the signed context.

middleBrick’s scans can surface weaknesses in how hostnames and IPs are handled in authenticated requests. The CLI and Web Dashboard provide prioritized findings and remediation guidance, helping you tighten request integrity. The Pro plan adds continuous monitoring so future configuration or dependency changes that affect HMAC scope or DNS handling can be flagged promptly.