Fixed DNS 0x20 encoding bug in worker threads and removed automatic lowercasing in DNS buffer parsing to preserve case from authoritative sources. Implemented case-insensitive lookups for cache and blockchain while ensuring restoration of the original client query case in all response paths instead of returning randomized DNS 0x20 case from upstream servers.
Significantly improve DNS client security against cache poisoning attacks through multiple defense layers:
Security Improvements:
- Bind UDP sockets to OS-assigned ephemeral ports (0.0.0.0:0) instead of predictable random ports, eliminating port-based attack vectors
- Implement DNS 0x20 encoding with strict case validation, adding 10-15 bits of entropy per query by randomizing domain name case
- Randomize transaction ID starting point using AtomicU16 for better entropy distribution
Attack difficulty increased from ~16 bits (65K attempts) to ~42-47 bits (4.4-140 trillion attempts), making spoofing 1,000x to 32,000x harder.
Configuration:
- Add 'enable_0x20' option to DNS settings (default: true)
- Users can disable for compatibility with legacy resolvers if needed
- Feature is configurable via alfis.toml
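The 0x20 handling described in both messages, as an added example that is not Alfis project code: randomize the case of the outgoing query name, validate the echoed question name strictly, key cache and blockchain lookups case-insensitively, and put the client's original case back into the response. The `XorShift32` PRNG and all function names are assumptions for illustration; a real resolver would draw the case bits from the OS CSPRNG.

```rust
struct XorShift32(u32);

impl XorShift32 {
    // xorshift32 step; seed must be non-zero (demo PRNG only, see lead-in)
    fn next_bit(&mut self) -> bool {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 17;
        x ^= x << 5;
        self.0 = x;
        x & 1 == 1
    }
}

/// Randomize the case of each ASCII letter in `name` with one random bit.
/// Digits, hyphens and dots are unchanged, so entropy ~ number of letters.
fn encode_0x20(name: &str, rng: &mut XorShift32) -> String {
    name.chars()
        .map(|c| match c {
            c if c.is_ascii_alphabetic() && rng.next_bit() => c.to_ascii_uppercase(),
            c if c.is_ascii_alphabetic() => c.to_ascii_lowercase(),
            c => c,
        })
        .collect()
}

/// Strict 0x20 check: the question name echoed by upstream must match the
/// sent name byte-for-byte, case included; a mismatch is dropped as forged.
fn validate_0x20(sent: &str, received: &str) -> bool {
    sent == received
}

/// Case-insensitive key for cache and blockchain lookups.
fn cache_key(name: &str) -> String {
    name.to_ascii_lowercase()
}

/// Return the client's original spelling for the response instead of the
/// randomized upstream case; None if the names differ beyond case.
fn restore_client_case(client_query: &str, answer_name: &str) -> Option<String> {
    if client_query.eq_ignore_ascii_case(answer_name) {
        Some(client_query.to_string())
    } else {
        None
    }
}
```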