I released v1.20210812.0 of dnstt. This is a security release that fixes an injection vulnerability in the dnstt-server log file.

• https://www.bamsoftware.com/software/dnstt/#download
• dnstt-20210812.zip (sig, key)
• https://repo.or.cz/dnstt.git/shortlog/refs/tags/v1.20210812.0
• CHANGELOG

The dnstt-server log message NXDOMAIN: not authoritative for %s contains a potentially attacker-controlled name. Because DNS labels may contain any byte value, the log message allowed an attacker to write arbitrary bytes to the dnstt-server log, with a variety of possible effects:

• A label containing a newline character (\x0a) could break the format of the log, or inject false log lines.
• Log output to a terminal could contain terminal escape sequences which could, for example, change the color of text, or have even worse effects with older terminal emulators.
• DNS names with a label that contained the dot character (\x2e) would be logged in an ambiguous way, with the intra-label dot appearing as a label separator.

DNS names are now logged using backslash hex escapes for unusual bytes. This vulnerability was called to mind by the USENIX Security 2021 research paper “Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS” by Jeitner and Shulman.