Implement DNS record verification

Checks to make sure DNS indicates an A/AAAA record matching the public IP address of the server before allowing the domain name to be added. Uses a random host to verify wildcard domains. Might be more robust to actually communicate with the authoritative servers, or check from multiple geo locations, but this is probably fine for now and maybe forever.
2025-02-25 18:55:29 -06:00 · 2022-03-07 13:10:11 -07:00
parent 9c6ee1134c
commit f39d9be54f
1 changed files with 30 additions and 1 deletions
--- a/api.go
+++ b/api.go
@@ -6,9 +6,11 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 )

 type Api struct {
@@ -610,7 +612,34 @@ func (a *Api) SetDomain(tokenData TokenData, params url.Values, domain, ownerId
 		}
 	}

-	err := a.db.AddDomain(domain, ownerId)
+	checkDomain := domain
+	if strings.HasPrefix(domain, "*.") {
+		checkDomain = domain[2:]
+	}
+
+	randomHost, err := genRandomCode(32)
+	if err != nil {
+		return err
+	}
+
+	ips, err := net.LookupIP(fmt.Sprintf("%s.%s", randomHost, checkDomain))
+	if err != nil {
+		return err
+	}
+
+	found := false
+	for _, ip := range ips {
+		if ip.String() == a.config.PublicIp {
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		return errors.New(fmt.Sprintf("The requested domain does not appear to have an A/AAAA record pointed at the public IP address of the server (%s). This may be because the record is not properly set, or because the DNS is still propagating (can take up to 48 hours).", a.config.PublicIp))
+	}
+
+	err = a.db.AddDomain(domain, ownerId)
 	if err != nil {
 		return err
 	}