Dns Cache Poisoning in Actix with Mutual Tls

DNS cache poisoning (also known as DNS spoofing) occurs when an attacker injects a malicious DNS response into a resolver’s cache, causing a victim to be directed to an attacker-controlled IP. In Actix web applications that use mutual TLS (mTLS), the risk surface changes but does not disappear. mTLS ensures both client and server present valid certificates, which protects the transport between the client and the server. However, mTLS does not prevent the server itself from making vulnerable outbound DNS queries during service discovery, configuration lookups, or when the server acts as a resolver for downstream services.

If an Actix service uses hostnames for internal service discovery (e.g., db-internal.prod.svc) and those names are resolved via a DNS client that does not implement DNSSEC validation or use DNS-over-HTTPS/TLS, an attacker on the network path or compromising a DNS server can poison the cache. The compromised hostname then maps to an attacker IP, and the Actix application will establish connections (or accept connections in server roles) based on the poisoned resolution. With mTLS in place, the server may still present a valid certificate to the client, but that certificate will not match the hostname the application intended to connect to, leading to failed verification if the client enforces hostname checks. However, if the Actix client code does not strictly validate the server hostname against the certificate, or if the poisoned record leads to a different backend that the attacker controls, the integrity of the communication channel can be undermined.

Crucially, mTLS protects confidentiality and server authentication from the client’s perspective, but it does not inherently protect the server’s own DNS resolution logic. An Actix application that performs DNS lookups using standard system libraries or third-party crates without strict validation may cache poisoned records. This can redirect internal service calls to malicious endpoints, bypassing network-level segregation. The combination of mTLS and DNS cache poisoning highlights that transport security does not equate to name resolution integrity. Attack patterns such as CVE-2020-27805 (ISC BIND vulnerabilities) and techniques targeting resolver caches remain relevant when applications perform custom DNS handling.

For an Actix application, the risk is elevated if it runs in environments where DNS traffic is not authenticated (e.g., plain UDP to a recursive resolver), lacks DNSSEC, or uses short TTLs that cause frequent re-resolution, increasing exposure windows. MiddleBrick’s scans detect unauthenticated endpoints and identify missing transport hardening; while mTLS is a strong control, it must be complemented with DNS-level mitigations to prevent poisoned resolution from undermining the security model.

To mitigate DNS cache poisoning in Actix while using mutual TLS, focus on preventing the server from trusting poisoned DNS results and ensuring that name resolution is performed securely. Below are concrete remediation steps with code examples.

• Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) for all outbound resolution: Replace system DNS lookups with a resolver that supports encrypted and authenticated DNS. In Rust, the trust-dns-resolver crate can be configured to use DoH, which reduces the risk of cache poisoning.

use trust_dns_resolver::Resolver;
use trust_dns_resolver::config::{ResolverConfig, ResolverOpts, Protocol, IpStrategy};

fn create_secure_resolver() -> Result> {
    let mut config = ResolverConfig::new();
    // Use Cloudflare DoH as an example; ensure the endpoint is reachable.
    config.insert_doh_server("https://cloudflare-dns.com/dns-query".parse()?, trust_dns_resolver::config::Protocol::Https);
    let opts = ResolverOpts {
        ip_strategy: IpStrategy::Ipv4AndIpv6,
        validate: true,
        ..ResolverOpts::default()
    };
    let resolver = Resolver::new(config, opts)?;
    Ok(resolver)
}

async fn resolve_service_name(name: &str) -> Result> {
    let resolver = create_secure_resolver()?;
    let response = resolver.lookup_ip(name).await?;
    // Prefer the first address; in production, apply policy (e.g., prefer IPv4 or IPv6).
    Ok(response.iter().next().ok_or("No IPs found")?)
}

• Validate server identity beyond certificates: Even with mTLS, ensure that the hostname used for connection matches the certificate’s subject alternative names. In Actix clients, prefer using HTTPS connectors that enforce hostname verification.

use actix_web::web::Client;
use actix_web::client::Connector;
use native_tls::TlsConnector;
use std::sync::Arc;

fn build_verified_client() -> Client {
    // Enforce hostname verification via native-tls.
    let tls = TlsConnector::builder()
        .danger_accept_invalid_hostnames(false)
        .danger_accept_invalid_certs(false)
        .build()
        .expect("Failed to build TLS connector");
    let connector = Connector::new()
        .tls(Arc::new(tls));
    Client::build()
        .connector(connector)
        .finish()
}

• Restrict DNS TTLs and implement negative caching: Configure your resolver to respect TTLs and avoid indefinite caching of records. For internal services, consider using a service mesh or a configuration store instead of raw DNS where possible.

These practices reduce the likelihood that an Actix service will act on poisoned DNS data, ensuring that mTLS protections are not undermined at the name resolution layer.