Filter DNS Answer A records by owner name

Previously, ParseDNSResponse collected every A record in the
Answer section and associated them with the question name. An
attacker controlling an allowed zone could return additional A
records with different owner names — for internal IPs, cloud
metadata endpoints, or any IP — and those would be installed
into dynamic egress rules under the question's qname, silently
broadening the allowlist.

Collect only A records whose owner name is reachable from qname
via the response's own CNAME chain. A multi-pass walk bounded by
the Answer count handles legitimate CNAME chains while rejecting
injected out-of-bailiwick records and detecting CNAME loops
without infinite iteration.

Also normalize the returned qname (lower-cased, trailing-dot
stripped) via normalizeDNSName so downstream policy matching
sees a canonical form; the policy matcher was already normalizing
internally so behavior is preserved.

Tests cover: legitimate multi-A response, out-of-bailiwick A
record dropped, CNAME chain followed, and mixed response with
both valid CNAME-A and injected unrelated-A dropped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: JAORMX

net/egress/dns.go

@@ -63,13 +63,48 @@ func BuildNXDOMAIN(txnID uint16, qname string, qtype uint16) ([]byte, error) {
 
 // ParseDNSResponse extracts the question name, A-record IPs, and minimum
 // TTL from a DNS response payload.
+//
+// Only A records whose owner name is reachable from the question via the
+// response's own CNAME chain are returned. An answer with an unrelated
+// owner name — for example, an injected out-of-bailiwick record — is
+// discarded. Without this filter, a compromised allowed zone could
+// smuggle arbitrary IPs into dynamic egress rules by returning them in
+// the Answer section under any name.
+//
+// The returned qname is normalized (lower-cased, trailing dot stripped).
 func ParseDNSResponse(payload []byte) (qname string, ips []net.IP, ttl uint32, err error) {
 	var msg dns.Msg
 	if err := msg.Unpack(payload); err != nil {
 		return "", nil, 0, fmt.Errorf("unpack DNS response: %w", err)
 	}
 	if len(msg.Question) > 0 {
-		qname = msg.Question[0].Name
+		qname = normalizeDNSName(msg.Question[0].Name)
+	}
+
+	// Build the set of owner names reachable from qname via CNAMEs in this
+	// response. Multi-pass until no new names are added; bounded by the
+	// Answer count so CNAME loops cannot cause infinite iteration.
+	validNames := map[string]struct{}{qname: {}}
+	for i := 0; i < len(msg.Answer); i++ {
+		progress := false
+		for _, rr := range msg.Answer {
+			cn, ok := rr.(*dns.CNAME)
+			if !ok {
+				continue
+			}
+			owner := normalizeDNSName(cn.Hdr.Name)
+			if _, have := validNames[owner]; !have {
+				continue
+			}
+			target := normalizeDNSName(cn.Target)
+			if _, already := validNames[target]; !already {
+				validNames[target] = struct{}{}
+				progress = true
+			}
+		}
+		if !progress {
+			break
+		}
 	}
 
 	var minTTL uint32
@@ -79,6 +114,9 @@ func ParseDNSResponse(payload []byte) (qname string, ips []net.IP, ttl uint32, e
 		if !ok {
 			continue
 		}
+		if _, ok := validNames[normalizeDNSName(a.Hdr.Name)]; !ok {
+			continue
+		}
 		ips = append(ips, a.A)
 		if first || a.Hdr.Ttl < minTTL {
 			minTTL = a.Hdr.Ttl

net/egress/dns_test.go

@@ -146,13 +146,114 @@ func TestParseDNSResponse(t *testing.T) {
 
 	qname, ips, ttl, err := ParseDNSResponse(payload)
 	require.NoError(t, err)
-	assert.Equal(t, "example.com.", qname)
+	assert.Equal(t, "example.com", qname)
 	assert.Len(t, ips, 2)
 	assert.Equal(t, "93.184.216.34", ips[0].String())
 	assert.Equal(t, "93.184.216.35", ips[1].String())
 	assert.Equal(t, uint32(60), ttl) // minimum TTL
 }
 
+func TestParseDNSResponse_DropsOutOfBailiwickAnswers(t *testing.T) {
+	t.Parallel()
+
+	// Question for example.com; attacker-controlled response slips an A
+	// record with a different owner name (typical out-of-bailiwick injection
+	// attempt to smuggle an internal IP into dynamic rules).
+	msg := &dns.Msg{
+		MsgHdr: dns.MsgHdr{Id: 0x1234, Response: true},
+		Question: []dns.Question{
+			{Name: "example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET},
+		},
+		Answer: []dns.RR{
+			&dns.A{
+				Hdr: dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 300},
+				A:   net.ParseIP("93.184.216.34"),
+			},
+			&dns.A{
+				Hdr: dns.RR_Header{Name: "internal.local.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 300},
+				A:   net.ParseIP("169.254.169.254"),
+			},
+		},
+	}
+	payload, err := msg.Pack()
+	require.NoError(t, err)
+
+	qname, ips, _, err := ParseDNSResponse(payload)
+	require.NoError(t, err)
+	assert.Equal(t, "example.com", qname)
+	require.Len(t, ips, 1)
+	assert.Equal(t, "93.184.216.34", ips[0].String())
+}
+
+func TestParseDNSResponse_FollowsCNAMEChain(t *testing.T) {
+	t.Parallel()
+
+	// Legitimate CNAME chain: example.com -> cdn.example.net -> 1.2.3.4.
+	// The A record's owner matches the CNAME target, which is reachable
+	// from the question via the chain, so the IP is accepted.
+	msg := &dns.Msg{
+		MsgHdr: dns.MsgHdr{Id: 0x2345, Response: true},
+		Question: []dns.Question{
+			{Name: "example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET},
+		},
+		Answer: []dns.RR{
+			&dns.CNAME{
+				Hdr:    dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeCNAME, Class: dns.ClassINET, Ttl: 300},
+				Target: "cdn.example.net.",
+			},
+			&dns.A{
+				Hdr: dns.RR_Header{Name: "cdn.example.net.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 300},
+				A:   net.ParseIP("1.2.3.4"),
+			},
+		},
+	}
+	payload, err := msg.Pack()
+	require.NoError(t, err)
+
+	qname, ips, _, err := ParseDNSResponse(payload)
+	require.NoError(t, err)
+	assert.Equal(t, "example.com", qname)
+	require.Len(t, ips, 1)
+	assert.Equal(t, "1.2.3.4", ips[0].String())
+}
+
+func TestParseDNSResponse_DropsUnreachableCNAMEA(t *testing.T) {
+	t.Parallel()
+
+	// An A record whose owner is NOT reachable via any CNAME chain from
+	// the question must be dropped even if another A record from the same
+	// name-chain is valid.
+	msg := &dns.Msg{
+		MsgHdr: dns.MsgHdr{Id: 0x3456, Response: true},
+		Question: []dns.Question{
+			{Name: "example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET},
+		},
+		Answer: []dns.RR{
+			&dns.CNAME{
+				Hdr:    dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeCNAME, Class: dns.ClassINET, Ttl: 300},
+				Target: "cdn.example.net.",
+			},
+			// A record for an unrelated name slipped into the Answer section.
+			&dns.A{
+				Hdr: dns.RR_Header{Name: "attacker.example.net.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 300},
+				A:   net.ParseIP("10.0.0.1"),
+			},
+			// Legitimate A record at the CNAME target.
+			&dns.A{
+				Hdr: dns.RR_Header{Name: "cdn.example.net.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 300},
+				A:   net.ParseIP("1.2.3.4"),
+			},
+		},
+	}
+	payload, err := msg.Pack()
+	require.NoError(t, err)
+
+	_, ips, _, err := ParseDNSResponse(payload)
+	require.NoError(t, err)
+	require.Len(t, ips, 1)
+	assert.Equal(t, "1.2.3.4", ips[0].String())
+}
+
 func TestParseDNSResponse_NoARecords(t *testing.T) {
 	t.Parallel()