sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-18 16:26:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

check for domain ownership via subdomain rather than naked domain

Browse Source
This commit is contained in:
Alisdair MacLeod
2026-02-03 12:50:25 +00:00
parent 146774860b
commit 3af4543e80
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
management/internals/modules/reverseproxy/domain/validator.go
View File

@@ -25,8 +25,8 @@ func NewValidator(resolver resolver) *Validator {
} }
} }
// IsValid looks up the CNAME record for the passed domain and compares it // IsValid looks up the CNAME record for the passed domain with a prefix
// against the acceptable domains. // and compares it against the acceptable domains.
// If the returned CNAME matches any accepted domain, it will return true, // If the returned CNAME matches any accepted domain, it will return true,
// otherwise, including in the event of a DNS error, it will return false. // otherwise, including in the event of a DNS error, it will return false.
// The comparison is very simple, so wildcards will not match if included // The comparison is very simple, so wildcards will not match if included
@@ -36,7 +36,10 @@ func (v *Validator) IsValid(ctx context.Context, domain string, accept []string)
v.resolver = net.DefaultResolver v.resolver = net.DefaultResolver
} }
cname, err := v.resolver.LookupCNAME(ctx, domain) // Prepend subdomain for ownership validation because we want to check
// for the record being a wildcard ("*.example.com"), but you cannot
// look up a wildcard so we have to add a subdomain for the check.
cname, err := v.resolver.LookupCNAME(ctx, "validation."+domain)
if err != nil { if err != nil {
log.WithFields(log.Fields{ log.WithFields(log.Fields{
"domain": domain, "domain": domain,