[DRIVERS-2171] Document or prohibit unix domain sockets in srv records Created: 05/Jul/19  Updated: 19/Sep/23

Status: Backlog
Project: Drivers
Component/s: Connection String
Fix Version/s: None

Type: Spec Change Priority: Minor - P4
Reporter: Oleg Pudeyev (Inactive) Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
Driver Changes: Needed

 Description   

https://github.com/mongodb/specifications/blob/master/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.rst#specification says:

>  The format [of the connection string] is:
 
mongodb+srv://{hostname}.{domainname}/{options}

This is however misleading, because in addition to DNS hostnames the drivers also accept unix domain socket paths. Coupled with DNS seed list discovery, this permits an attacker able to forge DNS responses to force a driver to establish local unix socket connections. I think this behavior will come as a surprise to system administrators tasked with security policy compliance.

I think DNS seed list discovery spec should either be amended to explicitly acknowledge that DNS records can resolve to local socket connections, or prohibit the driver from accepting unix socket paths from DNS records.


Generated at Thu Feb 08 08:24:54 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.