GHSA-84G5-X8J3-7235: DNS Filter Bypass via Off-by-one Error in Netfoil Suffix Trie

Netfoil acts as a DNS proxy with built-in filtering capabilities. It relies on a custom suffix trie data structure to manage allowed and denied domains. The vulnerability resides in this custom implementation, specifically within the insertion and exact match logic responsible for enforcing security policies.

The flaw is classified as an off-by-one error (CWE-193), which directly leads to improper authorization (CWE-285). Because the proxy relies entirely on this suffix trie to enforce access policies, a flaw in the matching logic invalidates the primary security boundary of the application.

Any attacker capable of routing DNS requests through the vulnerable Netfoil instance can exploit this flaw. By manipulating the requested domain string, the attacker forces the proxy to process unauthorized domains as if they were present on the configured allowlist.

The root cause is a loop termination condition error within the suffixtrie/suffixtrie.go module. The application implements its own suffix trie to handle domain lookups. To process strings from right to left (TLD to subdomain), the functions Insert and MatchExact iterate backward over the byte slice of the provided domain string.

The for loop governing this backward traversal uses the condition i > 0. Because Go employs zero-based indexing, this condition dictates that the loop terminates immediately after processing the character at index 1. Consequently, the character at index 0—the first character of the string—is consistently omitted from both the insertion and matching operations.

When the system administrator adds example.com to the allowlist, the Insert function only records xample.com within the trie nodes. Subsequently, when the MatchExact function processes an incoming request for fxample.com, it also drops the leading character and evaluates xample.com. The resulting match allows the unauthorized domain to bypass the filter.

A secondary logic error existed in the MatchSuffix function. This function returned true when evaluated against an empty byte slice. Depending on prior input sanitization stages, this flaw facilitates further filter bypasses by exploiting null or empty domain queries.

The underlying flaw is evident when examining the pre-patch state of the suffixtrie.go source file. The backward iteration logic failed to account for the zeroth index.

// VULNERABLE CODE: suffixtrie.go
func (t *Trie) Insert(word []byte) {
    // ...
    for i := len(word) - 1; i > 0; i-- { // Flaw: i > 0 ignores index 0
        c := word[i]
        // node traversal logic
    }
}

The fix applied in commit 0ca054acf97b011e4fdd40392475c7786b975ec3 corrects the loop boundaries. The condition is updated to i >= 0, ensuring the complete byte slice is processed.

// PATCHED CODE: suffixtrie.go
func (t *Trie) Insert(word []byte) {
    // ...
    for i := len(word) - 1; i >= 0; i-- { // Fix: includes index 0
        c := word[i]
        // node traversal logic
    }
}

The patch also hardens the MatchSuffix method. A guard clause is introduced to explicitly return false if the length of the input word is zero, neutralizing the secondary bypass vector.

// PATCHED CODE: suffixtrie.go (MatchSuffix)
func (t *Trie) MatchSuffix(word []byte) bool {
    if len(word) == 0 { // Fix: empty slice check
        return false
    }
    // ...
}

Exploitation requires network access to route DNS queries through the Netfoil proxy. The attacker must possess prior knowledge of at least one domain explicitly configured on the target's allowlist to construct a valid payload.

The attack payload consists of a standard DNS query modified to prepend a single, arbitrary character to the known allowed domain. If the policy permits google.com, the attacker issues a DNS A or AAAA record query for xgoogle.com or 1google.com.

The Netfoil proxy receives the query and processes it through the vulnerable MatchExact function. The function truncates the leading x or 1, successfully matching the truncated string google.com against the similarly truncated entry in the trie. The proxy then resolves and forwards the traffic for the unapproved domain.

The vulnerability results in a total failure of the primary authorization control mechanism within the Netfoil proxy. The integrity of the DNS filtering policy is compromised, allowing arbitrary egress traffic that the administrator intended to block.

In environments where Netfoil serves as a critical defense-in-depth layer—such as preventing malware command-and-control (C2) communication or enforcing corporate acceptable use policies—this bypass neutralizes those protections. Attackers route malicious traffic disguised as legitimate, authorized flows.

The impact is limited to the proxy's routing decisions. The flaw does not grant memory corruption capabilities, nor does it allow for direct remote code execution on the Netfoil host itself. The system's confidentiality and availability remain intact, while the integrity of the filtering rules is completely broken.

The primary remediation is to deploy Netfoil version v0.2.1. This release contains the corrected loop boundaries and the empty slice validation logic necessary to secure the domain matching processes.

System administrators must audit historical DNS logs to detect potential exploitation prior to patching. The detection signature involves identifying requests for domains that exactly match allowed domains but possess one additional prefix character. These requests frequently result in NXDOMAIN responses from upstream resolvers if the attacker-specified domain is not actually registered.

As a defense-in-depth measure, administrators must implement egress network filtering independently of DNS controls. A firewall rule restricting outbound traffic to approved IP ranges provides a secondary enforcement layer that mitigates the impact of DNS-level bypasses.