
Analysis: possible security issue using PUBLICIP_FETCHERS and RESOLVER_ADDRESS #492

Closed
adripo opened this issue Jun 16, 2023 · 1 comment

Comments

adripo commented Jun 16, 2023

Using the external DNS resolver option RESOLVER_ADDRESS combined with PUBLICIP_FETCHERS=dns could result in a possible security issue where a targeted attack can be performed, given the fact that DNS queries are not encrypted.
MITM and similar attacks can be performed in order to alter DNS queries and inject custom IP addresses to be updated for a specific domain.

Ref:
#389 (comment)

However, just out of curiosity, wouldn't this be a security issue if used together with PUBLICIP_FETCHERS=dns? An attacker could change the answer for both the public IP and the DNS answer in a very specific and targeted attack in order to change the IP of my domain?

qdm12 added a commit that referenced this issue Jun 17, 2023
- Fix critical issue #492
- Remove `google` dns provider since it does not support DNS over TLS
qdm12 (Owner) commented Jun 17, 2023

Fixed in 320d91d

Now both Cloudflare and OpenDNS use DNS over TLS to communicate and echo the public IP address.
However, Google was removed since its public ip echo nameserver does not support DNS over TLS (wtf right?).
This is a bit of a breaking change, but it should be mitigated by:

  • the announcement at the top of your logs mentioning it is now removed
  • the warning logged if someone specifies google
  • google gets auto-magically removed from the list of dns providers if found, so the program should not error and crash.
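The fix described in the comment above, as an added Go example that is not the project's own code: a resolver that only ever talks TLS to the public IP echo nameserver (so an on-path attacker cannot read or forge the answer that decides which address gets published), plus the auto-removal of `google` with a warning instead of a crash. The OpenDNS endpoint, certificate name and echo query name are assumptions; Cloudflare's echo record is a CH-class TXT query that `net.Resolver` cannot issue, so it is omitted here.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
)
// Assumed, not from the issue: OpenDNS echoes the querier's public IPv4 for
// myip.opendns.com and serves DNS over TLS on port 853.
const (
	dotEndpoint   = "208.67.222.222:853"
	dotServerName = "dns.opendns.com"
	dotEchoQuery  = "myip.opendns.com"
)

// sanitizeProviders drops "google" with a warning instead of crashing, since
// its public IP echo nameserver does not support DNS over TLS.
func sanitizeProviders(providers []string) (kept, warnings []string) {
	for _, p := range providers {
		if p == "google" {
			warnings = append(warnings, "google removed: no DNS over TLS echo service")
			continue
		}
		kept = append(kept, p)
	}
	return kept, warnings
}

// newDoTResolver wraps every query in a TLS session whose certificate must
// match serverName, so an on-path attacker can neither read nor forge answers.
func newDoTResolver(endpoint, serverName string) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
			d := &tls.Dialer{Config: &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}}
			// A *tls.Conn is not a net.PacketConn, so the resolver uses TCP framing.
			return d.DialContext(ctx, "tcp", endpoint)
		},
	}
}

// fetchPublicIP resolves the echo name over DoT and returns the IPv4 answer.
func fetchPublicIP(ctx context.Context) (net.IP, error) {
	ips, err := newDoTResolver(dotEndpoint, dotServerName).LookupIP(ctx, "ip4", dotEchoQuery)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("DoT lookup of %s failed: %v", dotEchoQuery, err)
	}
	return ips[0], nil
}
```

Pass a context with a deadline to `fetchPublicIP`; the resolver ignores the system nameservers from resolv.conf and always dials the configured DoT endpoint.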

@qdm12 qdm12 closed this as completed Jun 17, 2023