Dns Cache Poisoning in Gorilla Mux

DNS cache poisoning (or DNS spoofing) corrupts a DNS resolver's cache with falsified records, redirecting traffic intended for a legitimate domain to a malicious IP address. In Go applications using Gorilla Mux, this vulnerability often emerges from two specific patterns: dynamic upstream routing and unvalidated redirects.

1. Dynamic Upstream Routing via Hostname Variables
Gorilla Mux's powerful route variables (e.g., {hostname}) are frequently used to build reverse proxies or API gateways that forward requests to backend services. If an application constructs an upstream URL directly from user-controlled path or query parameters without validating the resolved IP address, an attacker who poisons the DNS cache for a target domain can redirect internal API traffic to their own server.

// VULNERABLE: Dynamic upstream from user input
router.HandleFunc("/proxy/{hostname}/{path:.*}", func(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    targetHost := vars["hostname"] // e.g., "internal-service"
    // Attacker poisons DNS for "internal-service" → malicious IP
    upstream := fmt.Sprintf("http://%s/%s", targetHost, vars["path"])
    // Request is now sent to attacker's server
    http.ServeHTTP(w, r, &roundtripper{url: upstream})
})

2. Open Redirects Leading to Spoofed Domains
Gorilla Mux routes that perform redirects (http.Redirect) using unvalidated user input can facilitate DNS poisoning attacks at scale. If an attacker crafts a URL like /redirect?url=https://legit-api.com/login and the DNS for legit-api.com is poisoned, users are silently redirected to a phishing site that looks identical.

// VULNERABLE: Open redirect using query parameter
router.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
    redirectURL := r.URL.Query().Get("url")
    // No validation of redirectURL's hostname
    http.Redirect(w, r, redirectURL, http.StatusFound)
})

3. SSRF via Hostname Resolution
When Gorilla Mux handlers make outbound HTTP requests (e.g., to fetch data from a third-party API) and use a hostname derived from the request, DNS cache poisoning can turn this into an SSRF vector. The application unknowingly contacts an attacker-controlled internal service.

// VULNERABLE: SSRF through user-supplied hostname
router.HandleFunc("/fetch", func(w http.ResponseWriter, r *http.Request) {
    apiHost := r.FormValue("api_host") // e.g., "metadata.google.internal"
    // Poisoned DNS resolves to 10.0.0.5 (attacker's server)
    resp, _ := http.Get("https://" + apiHost + "/data")
    // Leaks data to attacker's server
})

middleBrick's black-box scanner identifies DNS cache poisoning risks in Gorilla Mux applications by testing for hostname validation bypasses and redirect manipulation. The scanner submits crafted requests to your API endpoint and analyzes the responses for evidence of unsafe host handling.

Detection Patterns:

• Dynamic Host Parameter Probing: The scanner injects special hostnames (e.g., attacker-controlled.example) into route variables and monitors whether the application makes outbound requests to unexpected IP ranges. A positive signal indicates that user input influences DNS resolution without validation.
• Redirect Chain Analysis: middleBrick follows redirects and inspects the Location header. If a redirect points to a domain that resolves to a private IP (e.g., 127.0.0.1, 10.0.0.0/8) or a known malicious domain, it flags an open redirect that could be exploited via DNS poisoning.
• SSRF via Hostname Injection: The scanner attempts to fetch metadata services (e.g., http://169.254.169.254/latest/meta-data/) by seeding hostname parameters with internal service names. If the application returns cloud metadata or internal network data, it confirms an SSRF vulnerability exploitable through DNS manipulation.

Example middleBrick CLI Output:

$ middlebrick scan https://api.gorillamux-example.com
[...]
Finding: SSRF via Hostname Parameter (HIGH)
Endpoint: GET /fetch
Parameter: api_host
Payload: metadata.google.internal
Evidence: Response contains AWS IAM role data
Remediation: Validate hostnames against an allowlist; use IP-based egress rules.

The scanner also cross-references your OpenAPI/Swagger specification (if available) to identify routes with path parameters like {host} or {domain} that lack pattern constraints, correlating these with runtime behavior to prioritize findings.

Remediation focuses on strict hostname validation, allowlisting, and separation of concerns using Gorilla Mux's features and Go's standard library.

1. Validate Hostnames with a Strict Allowlist
Never trust user-supplied hostnames. Define an explicit allowlist of permitted upstream domains and validate all dynamic host parameters against it.

var allowedHosts = map[string]bool{
    "api.service.com": true,
    "backend.internal": true,
}

func validateHost(host string) bool {
    // Normalize: remove port, lowercase
    h, _, _ := net.SplitHostPort(host)
    if h == "" { h = host }
    return allowedHosts[strings.ToLower(h)]
}

router.HandleFunc("/proxy/{hostname}/{path:.*}", func(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    if !validateHost(vars["hostname"]) {
        http.Error(w, "Invalid host", http.StatusBadRequest)
        return
    }
    // Safe to use
    upstream := fmt.Sprintf("https://%s/%s", vars["hostname"], vars["path"])
    // ...
})

2. Use IP-Based Routing for Internal Services
For internal service-to-service communication, avoid DNS entirely. Store upstream endpoints as IP addresses (or use Kubernetes service DNS with network policies) and resolve them at startup.

// Startup: Resolve once, store IPs
var backendIP = net.ParseIP("10.0.1.15") // Fixed IP for backend.internal

router.HandleFunc("/internal/{path:.*}", func(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    upstream := fmt.Sprintf("http://%s/%s", backendIP.String(), vars["path"])
    // No DNS lookup at request time
    http.ServeHTTP(w, r, &roundtripper{url: upstream})
})

3. Prevent Open Redirects with URL Parsing
When handling redirects, parse the URL and enforce that the host matches your application's domain or an explicit allowlist.

func safeRedirect(w http.ResponseWriter, r *http.Request, target string) {
    u, err := url.Parse(target)
    if err != nil || u.Host == "" {
        http.Error(w, "Invalid URL", http.StatusBadRequest)
        return
    }
    // Only allow redirects to same domain or trusted partners
    if u.Host != r.Host && !allowedRedirectHosts[u.Host] {
        http.Error(w, "Redirect not allowed", http.StatusForbidden)
        return
    }
    http.Redirect(w, r, target, http.StatusFound)
}

4. Enable DNS Caching Hardening
While not a Gorilla Mux fix, configure your DNS resolver (e.g., /etc/resolv.conf) to use DNSSEC and avoid recursive resolvers with known cache poisoning vulnerabilities. In Go, set net.ForceAttemptTCP2=true to fallback to TCP if DNS responses are truncated (a common poisoning technique).

import "net"

func init() {
    // Mitigate DNS amplification/truncation attacks
    net.ForceAttemptTCP2 = true
}

5. Use middleBrick for Continuous Validation
Integrate middleBrick into your CI/CD pipeline via the GitHub Action to automatically scan for DNS-related misconfigurations on every pull request. Configure the Pro plan to fail builds if a HIGH-severity DNS finding is detected.

Q: How does DNS cache poisoning differ from a typical SSRF vulnerability?
A: SSRF typically tricks an application into making requests to internal services. DNS cache poisoning targets the DNS resolution layer itself—even if your application uses a hardcoded hostname like metadata.google.internal, a poisoned DNS cache can redirect that lookup to an attacker's server, turning any hostname-based SSRF into a critical breach.

Q: Can middleBrick detect if my DNS resolver is already compromised?
A: middleBrick performs black-box testing from its own resolvers to detect how your API resolves external hostnames. It cannot audit your internal DNS infrastructure, but it will flag if your API makes requests to unexpected IPs when given specific hostname inputs—indicating that your application's DNS resolution (or upstream DNS) may be manipulated.