Currently, only the latest version of DNSPX is supported with security updates.
| Version | Supported |
|---|---|
| 0.9.x | ✅ |
| < 0.9 | ❌ |
Affected Component: Windows SSPI Authentication
Severity: Medium (CVSS 5.9)
CVE Reference: RUSTSEC-2023-0071
DNSPX's Windows SSPI authentication feature uses the `rsa` crate (v0.9.8), which is vulnerable to the Marvin Attack, a timing side-channel attack that could potentially allow key recovery.
- Affected Platforms: Windows only
- Prerequisites for Attack:
  - Windows system using SSPI proxy authentication
  - Local attacker with ability to measure precise timing
  - Specific network conditions enabling timing analysis
- Risk Level: Low to Medium (requires sophisticated local attack setup)
- Disable SSPI Authentication: Use alternative proxy authentication methods (Basic Auth) when possible
- Network Isolation: Ensure DNSPX runs in isolated network environments
- Monitoring: Monitor for unusual network timing patterns
- Updates: Monitor for updates to the `sspi` crate that address this issue
Dependency Path:

```
rsa v0.9.8
└── picky v7.0.0-rc.14
    └── sspi v0.10.1 (Windows only)
        └── dnspx v0.9.0
```
Note: This vulnerability only affects Windows builds when SSPI authentication is explicitly configured and used. Linux and macOS builds are not affected.
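To check whether a particular build's lockfile pulls in `rsa` through this chain, the reverse walk can be scripted. The following is an added example, not DNSPX's own code: `LOCK` is a constructed excerpt and `path_to_root` is a hypothetical helper. It assumes each crate name appears once in the lockfile and keeps only one dependent per crate.

```rust
use std::collections::HashMap;
// Constructed Cargo.lock excerpt (not the project's real lockfile).
const LOCK: &str = r#"[[package]]
name = "dnspx"
version = "0.9.0"
dependencies = [
 "sspi",
]
[[package]]
name = "picky"
version = "7.0.0-rc.14"
dependencies = [
 "rsa",
]
[[package]]
name = "rsa"
version = "0.9.8"
[[package]]
name = "sspi"
version = "0.10.1"
dependencies = [
 "picky",
]
"#;

/// Hypothetical helper: walk from `target` up through its dependents.
fn path_to_root(lock: &str, target: &str) -> Vec<String> {
    let (mut ver, mut parent, mut cur) = (HashMap::new(), HashMap::new(), "");
    for line in lock.lines().map(str::trim) {
        if let Some(n) = line.strip_prefix("name = ") {
            cur = n.trim_matches('"');
        } else if let Some(v) = line.strip_prefix("version = ") {
            ver.insert(cur, v.trim_matches('"'));
        } else if line.starts_with('"') { // dep entry: "name" or "name version (source)"
            let dep = line.trim_matches(|c: char| c == '"' || c == ',');
            parent.insert(dep.split(' ').next().unwrap(), cur);
        }
    }
    // Start only if the crate is present; the length check guards against cycles.
    let (mut chain, mut node) = (Vec::new(), ver.get_key_value(target).map(|(k, _)| *k));
    while let Some(n) = node.filter(|_| chain.len() <= ver.len()) {
        chain.push(format!("{} v{}", n, ver.get(n).unwrap_or(&"?")));
        node = parent.get(n).copied();
    }
    chain
}
fn main() {
    println!("{}", path_to_root(LOCK, "rsa").join(" <- "));
}
```

An empty result means the crate is not in the lockfile at all; a chain that does not pass through `sspi` means `rsa` is reaching the build by some other route and the Windows-only scoping above does not apply.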
The following dependencies have maintenance warnings but pose minimal security risk:
- atty v0.2.14 - Used for terminal detection, low risk
- paste v1.0.15 - Macro helper for ratatui, minimal exposure
- Thoroughly test SSPI authentication in your specific environment
- Consider using Basic authentication instead of SSPI for production deployments
- Implement network monitoring for unusual patterns
- Keep systems updated and monitor for dependency updates
- AWS service discovery features should be thoroughly tested before production use
- Use least-privilege IAM roles for AWS integration
- Monitor AWS API usage patterns
- Validate discovered AWS resources before relying on them
- Run DNSPX with minimal required privileges
- Use network firewalls to restrict access to DNS port (53)
- Monitor DNS query patterns for anomalies
- Regularly update to latest versions
- Review configuration files for security best practices
If you discover a security vulnerability in DNSPX:
- Do not create a public GitHub issue
- Email the maintainer privately (if available) or
- Create a private security advisory on GitHub
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Suggested mitigation (if any)
- Initial Response: Within 72 hours
- Vulnerability Assessment: Within 1 week
- Fix Timeline: Depends on severity and complexity
We follow responsible disclosure practices:
- Confirmed vulnerabilities will be patched before public disclosure
- Security advisories will be published after fixes are available
- Credit will be given to security researchers who report vulnerabilities responsibly
- Store configuration files with appropriate file permissions (600 or similar)
- Avoid storing sensitive credentials in configuration files
- Use environment variables or secure credential stores when possible
- Regularly review and audit configuration settings
- Bind to specific interfaces rather than 0.0.0.0 when possible
- Use firewall rules to restrict access to the DNS port
- Consider using encrypted DNS (DoH/DoT) for upstream resolvers
- Monitor network traffic patterns
- Run DNSPX with dedicated service accounts with minimal privileges
- Implement log monitoring and alerting
- Regular security reviews of deployment configuration
- Keep underlying system and dependencies updated
For questions about security practices or this policy, please reach out through the appropriate channels.