[GH-ISSUE #2909] DNS lookup occurs before blacklist regex check #10222

Closed
opened 2026-04-20 13:37:45 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @viglianesed on GitHub (Nov 10, 2022).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/2909

Originally assigned to: @BlackDex on GitHub.

Subject of the issue

Vaultwarden server does a DNS lookup before checking the icon blacklist regex. https://github.com/dani-garcia/vaultwarden/blob/main/src/api/icons.rs#L264

This could cause deanonymization of the server owner/users.

Deployment environment

  • vaultwarden version: 1.26.0
  • Install method: Docker

  • Clients used: n/a

  • Reverse proxy and version: n/a

  • MySQL/MariaDB or PostgreSQL version: n/a

  • Other relevant details: n/a

Steps to reproduce

A network DNS filtering solution like Pi-hole is recomended or any solution that logs DNS traffic.

  1. Configure config.json with "icon_blacklist_regex": "'^(.*\\.onion/.*)$'", or in the admin page, set Icon blacklist Regex to '^(.*\.onion/.*)$'
  2. Create a new password with some .onion url like -> http://1234567890.testing.dns.blacklist.onion/

Expected behaviour

For privacy reasons, the lookup_host((domain, 0)).await should happen after the regex check.

Actual behaviour

The regex part works and it doesn't contact the actual server:

[2022-11-10 21:26:19.449][vaultwarden::api::icons][WARN] Unable to download icon: Domain is blacklisted. 1234567890.testing.dns.blacklist.onion

The issue is that some user's may not filter .onion DNS requests, so the DNS requests will be sent to the upstream DNS server where they will be most likely logged and identify the user as a Tor user.

Troubleshooting data

Screenshot of a blocked DNS query:
2022-11-10_22h39_10

Screenshot of the DNS regex blacklist rule:
2022-11-10_22h35_13

Originally created by @viglianesed on GitHub (Nov 10, 2022). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/2909 Originally assigned to: @BlackDex on GitHub. <!-- # ### NOTE: Please update to the latest version of vaultwarden before reporting an issue! This saves you and us a lot of time and troubleshooting. See: * https://github.com/dani-garcia/vaultwarden/issues/1180 * https://github.com/dani-garcia/vaultwarden/wiki/Updating-the-vaultwarden-image # ### --> <!-- Please fill out the following template to make solving your problem easier and faster for us. This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them. Remember to hide/redact personal or confidential information, such as passwords, IP addresses, and DNS names as appropriate. --> ### Subject of the issue <!-- Describe your issue here. --> Vaultwarden server does a DNS lookup before checking the icon blacklist regex. https://github.com/dani-garcia/vaultwarden/blob/main/src/api/icons.rs#L264 This could cause deanonymization of the server owner/users. ### Deployment environment <!-- ========================================================================================= Preferably, use the `Generate Support String` button on the admin page's Diagnostics tab. That will auto-generate most of the info requested in this section. ========================================================================================= --> <!-- The version number, obtained from the logs (at startup) or the admin diagnostics page --> <!-- This is NOT the version number shown on the web vault, which is versioned separately from vaultwarden --> <!-- Remember to check if your issue exists on the latest version first! --> * vaultwarden version: 1.26.0 <!-- How the server was installed: Docker image, OS package, built from source, etc. --> * Install method: Docker * Clients used: <!-- web vault, desktop, Android, iOS, etc. (if applicable) --> n/a * Reverse proxy and version: <!-- if applicable --> n/a * MySQL/MariaDB or PostgreSQL version: <!-- if applicable --> n/a * Other relevant details: n/a ### Steps to reproduce <!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults) and how did you start vaultwarden? --> A network DNS filtering solution like Pi-hole is recomended or any solution that logs DNS traffic. 1. Configure config.json with `"icon_blacklist_regex": "'^(.*\\.onion/.*)$'",` or in the admin page, set `Icon blacklist Regex` to `'^(.*\.onion/.*)$'` 2. Create a new password with some `.onion` url like -> `http://1234567890.testing.dns.blacklist.onion/` ### Expected behaviour <!-- Tell us what you expected to happen --> For privacy reasons, the `lookup_host((domain, 0)).await` should happen after the regex check. ### Actual behaviour <!-- Tell us what actually happened --> The regex part works and it doesn't contact the actual server: ``` [2022-11-10 21:26:19.449][vaultwarden::api::icons][WARN] Unable to download icon: Domain is blacklisted. 1234567890.testing.dns.blacklist.onion ``` The issue is that some user's may not filter `.onion` DNS requests, so the DNS requests will be sent to the upstream DNS server where they will be most likely logged and identify the user as a Tor user. ### Troubleshooting data <!-- Share any log files, screenshots, or other relevant troubleshooting data --> Screenshot of a blocked DNS query: ![2022-11-10_22h39_10](https://user-images.githubusercontent.com/62939309/201221085-6c1cdd53-f6a0-412c-8aca-ec79a3a5b233.png) Screenshot of the DNS regex blacklist rule: ![2022-11-10_22h35_13](https://user-images.githubusercontent.com/62939309/201220477-ba80f5f0-f28a-4975-a9a9-7683b96c7f01.png)
GiteaMirror added the enhancement label 2026-04-20 13:37:45 -05:00
Author
Owner

@BlackDex commented on GitHub (Nov 10, 2022):

Thanks for your report.
I understand the issue, and i also think it is easy to resolve.

<!-- gh-comment-id:1310997699 --> @BlackDex commented on GitHub (Nov 10, 2022): Thanks for your report. I understand the issue, and i also think it is easy to resolve.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#10222