fix(DnsPinning): Ensure to always lookup based on FQDN

DerDreschner · DerDreschner · commit 5bc0ba6a515e · 2026-03-22T20:34:55.000+01:00
Signed-off-by: David Dreschner &lt;david.dreschner@nextcloud.com&gt;
diff --git a/lib/private/Http/Client/DnsPinMiddleware.php b/lib/private/Http/Client/DnsPinMiddleware.php
@@ -25,6 +25,17 @@ public function __construct(
 	) {
 	}
 
+	/**
+	 * DNS lookups must end with a dot to be marked as
+	 * FQDN. Otherwise, a record without answer may trigger
+	 * a lookup on the local domain name. See GitHub
+	 * issue #56489 for details.
+	 */
+	private function enforceFqdn(string $hostname): string {
+		$trimmedHostname = rtrim($hostname, '.');
+		return "$trimmedHostname.";
+	}
+
 	/**
 	 * Fetch soa record for a target
 	 */
@@ -35,7 +46,7 @@ private function soaRecord(string $target): ?array {
 		$second = array_pop($labels);
 
 		$hostname = $second . '.' . $top;
-		$responses = $this->dnsGetRecord($hostname, DNS_SOA);
+		$responses = $this->dnsGetRecord($this->enforceFqdn($hostname), DNS_SOA);
 
 		if ($responses === false || count($responses) === 0) {
 			return null;
@@ -68,7 +79,7 @@ private function dnsResolve(string $target, int $recursionCount) : array {
 				continue;
 			}
 
-			$dnsResponses = $this->dnsGetRecord($target, $dnsType);
+			$dnsResponses = $this->dnsGetRecord($this->enforceFqdn($target), $dnsType);
 			if ($dnsResponses !== false && count($dnsResponses) > 0) {
 				foreach ($dnsResponses as $dnsResponse) {
 					if (isset($dnsResponse['ip'])) {
diff --git a/tests/lib/Http/Client/DnsPinMiddlewareTest.php b/tests/lib/Http/Client/DnsPinMiddlewareTest.php
@@ -61,7 +61,7 @@ static function (RequestInterface $request, array $options) {
 			->method('dnsGetRecord')
 			->willReturnCallback(function (string $hostname, int $type) {
 				// example.com SOA
-				if ($hostname === 'example.com') {
+				if ($hostname === 'example.com.') {
 					return match ($type) {
 						DNS_SOA => [
 							[
@@ -76,7 +76,7 @@ static function (RequestInterface $request, array $options) {
 				}
 
 				// example.com A, AAAA, CNAME
-				if ($hostname === 'www.example.com') {
+				if ($hostname === 'www.example.com.') {
 					return match ($type) {
 						DNS_A => [],
 						DNS_AAAA => [],
@@ -93,7 +93,7 @@ static function (RequestInterface $request, array $options) {
 				}
 
 				// example.net SOA
-				if ($hostname === 'example.net') {
+				if ($hostname === 'example.net.') {
 					return match ($type) {
 						DNS_SOA => [
 							[
@@ -108,7 +108,7 @@ static function (RequestInterface $request, array $options) {
 				}
 
 				// example.net A, AAAA, CNAME
-				if ($hostname === 'www.example.net') {
+				if ($hostname === 'www.example.net.') {
 					return match ($type) {
 						DNS_A => [
 							[
@@ -154,7 +154,7 @@ static function (RequestInterface $request, array $options) {
 			->method('dnsGetRecord')
 			->willReturnCallback(function (string $hostname, int $type) {
 				// example.com SOA
-				if ($hostname === 'example.com') {
+				if ($hostname === 'example.com.') {
 					return match ($type) {
 						DNS_SOA => [
 							[
@@ -169,7 +169,7 @@ static function (RequestInterface $request, array $options) {
 				}
 
 				// example.com A, AAAA, CNAME
-				if ($hostname === 'www.example.com') {
+				if ($hostname === 'www.example.com.') {
 					return match ($type) {
 						DNS_A => [],
 						DNS_AAAA => [],
@@ -186,7 +186,7 @@ static function (RequestInterface $request, array $options) {
 				}
 
 				// example.net SOA
-				if ($hostname === 'example.net') {
+				if ($hostname === 'example.net.') {
 					return match ($type) {
 						DNS_SOA => [
 							[
@@ -201,7 +201,7 @@ static function (RequestInterface $request, array $options) {
 				}
 
 				// example.net A, AAAA, CNAME
-				if ($hostname === 'www.example.net') {
+				if ($hostname === 'www.example.net.') {
 					return match ($type) {
 						DNS_A => [
 							[
@@ -378,7 +378,7 @@ static function (RequestInterface $request, array $options): void {
 			->method('dnsGetRecord')
 			->willReturnCallback(function (string $hostname, int $type) {
 				// example.com SOA
-				if ($hostname === 'example.com') {
+				if ($hostname === 'example.com.') {
 					return match ($type) {
 						DNS_SOA => [
 							[
@@ -393,7 +393,7 @@ static function (RequestInterface $request, array $options): void {
 				}
 
 				// example.com A, AAAA, CNAME
-				if ($hostname === 'www.example.com') {
+				if ($hostname === 'www.example.com.') {
 					return match ($type) {
 						DNS_A => [],
 						DNS_AAAA => [],
@@ -410,7 +410,7 @@ static function (RequestInterface $request, array $options): void {
 				}
 
 				// example.net SOA
-				if ($hostname === 'example.net') {
+				if ($hostname === 'example.net.') {
 					return match ($type) {
 						DNS_SOA => [
 							[
@@ -425,7 +425,7 @@ static function (RequestInterface $request, array $options): void {
 				}
 
 				// example.net A, AAAA, CNAME
-				if ($hostname === 'www.example.net') {
+				if ($hostname === 'www.example.net.') {
 					return match ($type) {
 						DNS_A => [
 							[
@@ -496,7 +496,7 @@ static function (RequestInterface $request, array $options): void {
 				$dnsQueries[] = $hostname . $type;
 
 				// example.com SOA
-				if ($hostname === 'example.com') {
+				if ($hostname === 'example.com.') {
 					return match ($type) {
 						DNS_SOA => [
 							[
@@ -511,7 +511,7 @@ static function (RequestInterface $request, array $options): void {
 				}
 
 				// example.net A, AAAA, CNAME
-				if ($hostname === 'subsubdomain.subdomain.example.com') {
+				if ($hostname === 'subsubdomain.subdomain.example.com.') {
 					return match ($type) {
 						DNS_A => [
 							[
@@ -540,10 +540,10 @@ static function (RequestInterface $request, array $options): void {
 		);
 
 		$this->assertCount(3, $dnsQueries);
-		$this->assertContains('example.com' . DNS_SOA, $dnsQueries);
-		$this->assertContains('subsubdomain.subdomain.example.com' . DNS_A, $dnsQueries);
-		$this->assertContains('subsubdomain.subdomain.example.com' . DNS_AAAA, $dnsQueries);
+		$this->assertContains('example.com.' . DNS_SOA, $dnsQueries);
+		$this->assertContains('subsubdomain.subdomain.example.com.' . DNS_A, $dnsQueries);
+		$this->assertContains('subsubdomain.subdomain.example.com.' . DNS_AAAA, $dnsQueries);
 		// CNAME should not be queried if A or AAAA succeeded already
-		$this->assertNotContains('subsubdomain.subdomain.example.com' . DNS_CNAME, $dnsQueries);
+		$this->assertNotContains('subsubdomain.subdomain.example.com.' . DNS_CNAME, $dnsQueries);
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ static function (RequestInterface $request, array $options) {`
`61`	`61`	`->method('dnsGetRecord')`
`62`	`62`	`->willReturnCallback(function (string $hostname, int $type) {`
`63`	`63`	`// example.com SOA`
`64`		`- if ($hostname === 'example.com') {`
	`64`	`+ if ($hostname === 'example.com.') {`
`65`	`65`	`return match ($type) {`
`66`	`66`	`DNS_SOA => [`
`67`	`67`	`[`
`@@ -76,7 +76,7 @@ static function (RequestInterface $request, array $options) {`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`// example.com A, AAAA, CNAME`
`79`		`- if ($hostname === 'www.example.com') {`
	`79`	`+ if ($hostname === 'www.example.com.') {`
`80`	`80`	`return match ($type) {`
`81`	`81`	`DNS_A => [],`
`82`	`82`	`DNS_AAAA => [],`
`@@ -93,7 +93,7 @@ static function (RequestInterface $request, array $options) {`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`// example.net SOA`
`96`		`- if ($hostname === 'example.net') {`
	`96`	`+ if ($hostname === 'example.net.') {`
`97`	`97`	`return match ($type) {`
`98`	`98`	`DNS_SOA => [`
`99`	`99`	`[`
`@@ -108,7 +108,7 @@ static function (RequestInterface $request, array $options) {`
`108`	`108`	`}`
`109`	`109`
`110`	`110`	`// example.net A, AAAA, CNAME`
`111`		`- if ($hostname === 'www.example.net') {`
	`111`	`+ if ($hostname === 'www.example.net.') {`
`112`	`112`	`return match ($type) {`
`113`	`113`	`DNS_A => [`
`114`	`114`	`[`
`@@ -154,7 +154,7 @@ static function (RequestInterface $request, array $options) {`
`154`	`154`	`->method('dnsGetRecord')`
`155`	`155`	`->willReturnCallback(function (string $hostname, int $type) {`
`156`	`156`	`// example.com SOA`
`157`		`- if ($hostname === 'example.com') {`
	`157`	`+ if ($hostname === 'example.com.') {`
`158`	`158`	`return match ($type) {`
`159`	`159`	`DNS_SOA => [`
`160`	`160`	`[`
`@@ -169,7 +169,7 @@ static function (RequestInterface $request, array $options) {`
`169`	`169`	`}`
`170`	`170`
`171`	`171`	`// example.com A, AAAA, CNAME`
`172`		`- if ($hostname === 'www.example.com') {`
	`172`	`+ if ($hostname === 'www.example.com.') {`
`173`	`173`	`return match ($type) {`
`174`	`174`	`DNS_A => [],`
`175`	`175`	`DNS_AAAA => [],`
`@@ -186,7 +186,7 @@ static function (RequestInterface $request, array $options) {`
`186`	`186`	`}`
`187`	`187`
`188`	`188`	`// example.net SOA`
`189`		`- if ($hostname === 'example.net') {`
	`189`	`+ if ($hostname === 'example.net.') {`
`190`	`190`	`return match ($type) {`
`191`	`191`	`DNS_SOA => [`
`192`	`192`	`[`
`@@ -201,7 +201,7 @@ static function (RequestInterface $request, array $options) {`
`201`	`201`	`}`
`202`	`202`
`203`	`203`	`// example.net A, AAAA, CNAME`
`204`		`- if ($hostname === 'www.example.net') {`
	`204`	`+ if ($hostname === 'www.example.net.') {`
`205`	`205`	`return match ($type) {`
`206`	`206`	`DNS_A => [`
`207`	`207`	`[`
`@@ -378,7 +378,7 @@ static function (RequestInterface $request, array $options): void {`
`378`	`378`	`->method('dnsGetRecord')`
`379`	`379`	`->willReturnCallback(function (string $hostname, int $type) {`
`380`	`380`	`// example.com SOA`
`381`		`- if ($hostname === 'example.com') {`
	`381`	`+ if ($hostname === 'example.com.') {`
`382`	`382`	`return match ($type) {`
`383`	`383`	`DNS_SOA => [`
`384`	`384`	`[`
`@@ -393,7 +393,7 @@ static function (RequestInterface $request, array $options): void {`
`393`	`393`	`}`
`394`	`394`
`395`	`395`	`// example.com A, AAAA, CNAME`
`396`		`- if ($hostname === 'www.example.com') {`
	`396`	`+ if ($hostname === 'www.example.com.') {`
`397`	`397`	`return match ($type) {`
`398`	`398`	`DNS_A => [],`
`399`	`399`	`DNS_AAAA => [],`
`@@ -410,7 +410,7 @@ static function (RequestInterface $request, array $options): void {`
`410`	`410`	`}`
`411`	`411`
`412`	`412`	`// example.net SOA`
`413`		`- if ($hostname === 'example.net') {`
	`413`	`+ if ($hostname === 'example.net.') {`
`414`	`414`	`return match ($type) {`
`415`	`415`	`DNS_SOA => [`
`416`	`416`	`[`
`@@ -425,7 +425,7 @@ static function (RequestInterface $request, array $options): void {`
`425`	`425`	`}`
`426`	`426`
`427`	`427`	`// example.net A, AAAA, CNAME`
`428`		`- if ($hostname === 'www.example.net') {`
	`428`	`+ if ($hostname === 'www.example.net.') {`
`429`	`429`	`return match ($type) {`
`430`	`430`	`DNS_A => [`
`431`	`431`	`[`
`@@ -496,7 +496,7 @@ static function (RequestInterface $request, array $options): void {`
`496`	`496`	`$dnsQueries[] = $hostname . $type;`
`497`	`497`
`498`	`498`	`// example.com SOA`
`499`		`- if ($hostname === 'example.com') {`
	`499`	`+ if ($hostname === 'example.com.') {`
`500`	`500`	`return match ($type) {`
`501`	`501`	`DNS_SOA => [`
`502`	`502`	`[`
`@@ -511,7 +511,7 @@ static function (RequestInterface $request, array $options): void {`
`511`	`511`	`}`
`512`	`512`
`513`	`513`	`// example.net A, AAAA, CNAME`
`514`		`- if ($hostname === 'subsubdomain.subdomain.example.com') {`
	`514`	`+ if ($hostname === 'subsubdomain.subdomain.example.com.') {`
`515`	`515`	`return match ($type) {`
`516`	`516`	`DNS_A => [`
`517`	`517`	`[`
`@@ -540,10 +540,10 @@ static function (RequestInterface $request, array $options): void {`
`540`	`540`	`);`
`541`	`541`
`542`	`542`	`$this->assertCount(3, $dnsQueries);`
`543`		`- $this->assertContains('example.com' . DNS_SOA, $dnsQueries);`
`544`		`- $this->assertContains('subsubdomain.subdomain.example.com' . DNS_A, $dnsQueries);`
`545`		`- $this->assertContains('subsubdomain.subdomain.example.com' . DNS_AAAA, $dnsQueries);`
	`543`	`+ $this->assertContains('example.com.' . DNS_SOA, $dnsQueries);`
	`544`	`+ $this->assertContains('subsubdomain.subdomain.example.com.' . DNS_A, $dnsQueries);`
	`545`	`+ $this->assertContains('subsubdomain.subdomain.example.com.' . DNS_AAAA, $dnsQueries);`
`546`	`546`	`// CNAME should not be queried if A or AAAA succeeded already`
`547`		`- $this->assertNotContains('subsubdomain.subdomain.example.com' . DNS_CNAME, $dnsQueries);`
	`547`	`+ $this->assertNotContains('subsubdomain.subdomain.example.com.' . DNS_CNAME, $dnsQueries);`
`548`	`548`	`}`
`549`	`549`	`}`