Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use dns.lookup over dns.resolve4 in IPTools.dnsblQuery
This helps prevent DNS poisoning attacks if the platform supports DNSSEC since dns.resolve4 uses c-ares, which doesn't support DNSSEC.
d4c4796
Note: this enables an event-loop starvation attack vector prior to Node 10.12.0 nodejs/node#8436
Should we update our supported version in the README to 10.12.0 then?
Probably.
I am expecting this change to decrease the throughput of this module, though, to a degree which might or might not warrant a reversion, since security of this component is not critical imo.
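The trade-off discussed in this thread, as an added example that is not part of the commit or the project's code: a DNSBL check built on `dns.lookup` that caps the number of lookups in flight, because `dns.lookup` runs `getaddrinfo` on the libuv threadpool. `dnsblName`, `createDnsblChecker`, `maxInFlight` and the `dnsbl.example` zone are hypothetical names.

```javascript
// Added example, not the project's code: dnsblName, createDnsblChecker and
// maxInFlight are hypothetical names, and 'dnsbl.example' is a placeholder zone.
const dns = require('dns');

// Build the DNSBL query name: IPv4 octets reversed, then the blocklist zone.
function dnsblName(ip, zone) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new TypeError(`not an IPv4 address: ${ip}`);
  return `${octets.reverse().join('.')}.${zone}`;
}

// dns.lookup runs getaddrinfo on the libuv threadpool, so cap the number of
// lookups in flight and queue the rest instead of occupying every pool thread.
function createDnsblChecker(zone, {maxInFlight = 2, lookup = dns.lookup} = {}) {
  let inFlight = 0;
  const waiting = [];
  const next = () => {
    if (inFlight >= maxInFlight || waiting.length === 0) return;
    inFlight++;
    const {name, resolve} = waiting.shift();
    lookup(name, {family: 4}, (err, address) => {
      inFlight--;
      if (err) {
        // ENOTFOUND: no record, so not listed. Anything else: unknown (null).
        resolve(err.code === 'ENOTFOUND' ? false : null);
      } else {
        // DNSBL zones conventionally answer listed entries from 127.0.0.0/8.
        resolve(address.startsWith('127.'));
      }
      next();
    });
  };
  // Returned function resolves to true (listed), false (not listed) or null.
  return ip => new Promise(resolve => {
    waiting.push({name: dnsblName(ip, zone), resolve});
    next();
  });
}

// Usage:
//   const isListed = createDnsblChecker('dnsbl.example');
//   isListed('192.0.2.1').then(listed => console.log(listed));
```

Returning `null` for resolver failures keeps a temporary DNS error from being read as "not listed".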