Dns Cache Poisoning in Feathersjs with Cockroachdb

DNS cache poisoning (also known as DNS spoofing) occurs when an attacker injects forged DNS responses, causing a resolver to return an incorrect IP address for a domain. In a FeathersJS application that connects to CockroachDB, this attack surface exists at the network and client-driver level rather than in application business logic.

When FeathersJS services use a DNS-dependent connection string (for example, a hostname that resolves to multiple CockroachDB nodes via a load balancer or service discovery mechanism), the client driver may cache the resolved IP. If the cache is poisoned to point to a malicious host, all subsequent database traffic—including authentication credentials, session tokens, and query results—can be redirected. This is especially relevant when the FeathersJS app runs in environments that do not enforce DNSSEC or use hardened resolvers, allowing an attacker on the same network or path to spoof responses.

The exposure is compounded when FeathersJS services rely on unencrypted database connections or improperly configured TLS settings. CockroachDB drivers typically perform hostname verification against the TLS certificate; if the certificate matches the poisoned hostname, the client may accept a malicious connection, leading to potential data interception or manipulation. Even when TLS is used, if the initial resolution is compromised, the client may establish a secure channel with an attacker-controlled endpoint that presents a valid cert for the poisoned name.

Additionally, FeathersJS hooks and custom transports that perform supplementary lookups—such as resolving service locations or validating authorization endpoints—can inadvertently use the same compromised DNS context. Because the framework does not inherently enforce source-side DNS validation, developers must ensure that connection parameters use IP literals or tightly controlled network policies to reduce reliance on DNS-based routing.

To mitigate DNS cache poisoning risks when connecting FeathersJS to CockroachDB, prefer direct IP connections or tightly controlled network configurations, and enforce strict TLS validation. The following examples demonstrate secure connection practices.

1. Use IP literals instead of hostnames

Replace DNS-dependent connection strings with explicit IP addresses and ports. This removes reliance on external resolution entirely.

// config/default.json
{
  "cockroachdb": {
    "host": "10.0.1.10",
    "port": 26257,
    "database": "app_db",
    "ssl": {
      "rejectUnauthorized": true,
      "ca": "/path/to/ca.pem"
    }
  }
}

2. Enforce TLS with strict hostname verification (if hostnames are required)

If hostnames must be used (e.g., in dynamic cloud environments), ensure the driver validates the certificate against the expected identity and disable fallback to unencrypted connections.

// src/app.js
const feathers = require('@feathersjs/feathers');
const sequelize = require('@feathersjs/sequelize');
const { Sequelize } = require('sequelize');

const app = feathers();

app.configure(sequelize({
  dialect: 'postgres',
  protocol: 'postgresql',
  port: 26257,
  database: process.env.DB_NAME,
  host: process.env.DB_HOST, // Ensure this resolves to a controlled DNS record
  logging: false,
  ssl: {
    rejectUnauthorized: true,
    ca: process.env.CA_CERT,
    checkServerIdentity: (host, cert) => {
      // Explicit hostname check
      if (cert.subjectaltname && !cert.subjectaltname.includes(host)) {
        throw new Error('Certificate hostname mismatch');
      }
      return undefined; // indicates success
    }
  }
}));

3. Configure the underlying driver to disable caching (where supported)

Some CockroachDB drivers expose connection parameters to limit DNS caching behavior. Use these options to reduce the window of poisoned cache entries.

// src/app.js — using node-postgres based CockroachDB driver
const { Sequelize } = require('sequelize');

const sequelize = new Sequelize({
  dialect: 'cockroachdb',
  protocol: 'postgres',
  host: 'mycluster-public-svc..svc.cluster.local',
  port: 26257,
  database: 'app_db',
  query: {
    // Example for drivers that support query-level options
    options: {
      preferQuery: 'simple'
    }
  },
  // If the dialect supports it, disable DNS caching hints
  ssl: {
    rejectUnauthorized: true
  },
  // Use a short TTL for any internal resolver if applicable
  define: {
    timestamps: true
  }
});

4. Network-level controls and runtime validation

Complement code changes with runtime practices: restrict outbound DNS to trusted resolvers, enable DNS-over-HTTPS (DoH) at the host level, and use service meshes or network policies to limit exposure to unexpected IPs. In CI/CD, integrate the middleBrick CLI to validate that your endpoints do not rely on insecure patterns by running middlebrick scan <url> against staging environments.

5. Monitoring and detection

Use the middleBrick dashboard to track security scores over time and configure alerts via the Pro plan for continuous monitoring. This helps detect configuration drift that could reintroduce DNS dependency risks.