Comment by strenholme

12 hours ago

I should explain how MaraDNS uses Lua 5.1 (actually, Lunacy, my own fork with security bugs fixed as well as security hardening—including, yes, a patch against CVE-2014-5461), so you can get an idea of its attack surface.

MaraDNS has three components:

• MaraDNS, the authoritative server, which goes back all the way to 2001

• Deadwood, the recursive server, which was started back in 2007

• coLunacyDNS, which allows a DNS server to use Lua scripting; this didn’t exist until the COVID pandemic

Neither MaraDNS nor Deadwood uses Lunacy (except as a scripting engine for converting documents); only coLunacyDNS uses Lunacy. coLunacyDNS uses a sandboxed and security-hardened version of Lunacy (and, yes, I would accept bugs where someone could escape that sandbox), and the Lua scripts which coLunacyDNS uses can only be controlled by a local user, and there is no capability to run Lua scripts remotely.
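As an added illustration of what "sandboxed" means for a Lua 5.1 host (this is example code written for this page, not Lunacy's or coLunacyDNS's own sandbox, and not part of the comment above): the standard Lua 5.1 pattern of compiling an untrusted script as source text only, giving it an allowlisted environment with `setfenv`, and running it under `pcall`. It assumes a stock Lua 5.1 interpreter; the names `make_sandbox_env` and `run_sandboxed` and the three test scripts are constructed for the example.

```lua
-- Example code (not coLunacyDNS/Lunacy): a Lua 5.1 allowlist sandbox.
-- Assumes stock Lua 5.1 (loadstring, setfenv, unpack are available).

-- Build a fresh environment that exposes only pure, host-independent
-- functions. Library tables are copied rather than shared so the script
-- cannot mutate the host's own string/table/math tables.
local function make_sandbox_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = unpack,
    string = {
      byte = string.byte, char = string.char, find = string.find,
      format = string.format, gmatch = string.gmatch, gsub = string.gsub,
      len = string.len, lower = string.lower, match = string.match,
      rep = string.rep, reverse = string.reverse, sub = string.sub,
      upper = string.upper,
      -- omitted on purpose: string.dump (hands out function bytecode)
    },
    table = { concat = table.concat, insert = table.insert,
              remove = table.remove, sort = table.sort },
    math = { abs = math.abs, floor = math.floor, max = math.max,
             min = math.min, random = math.random },
    -- omitted on purpose: io, os, load, loadstring, loadfile, dofile,
    -- require, package, module, getfenv, setfenv, rawget, rawset,
    -- rawequal, setmetatable, getmetatable, debug, collectgarbage, print
  }
  env._G = env  -- a script that looks up _G sees only the sandbox table
  return env
end

-- Caveat a practitioner should know: every Lua string shares one metatable
-- whose __index is the *real* string library, so ("x"):rep(3) works inside
-- the sandbox and ("x").dump is reachable too. That is harmless only
-- because nothing in the environment can load bytecode, which is why the
-- loaders stay out of the allowlist.

-- Compile source text only. Lua 5.1 will happily load precompiled chunks,
-- and its bytecode verifier is not a security boundary, so a chunk that
-- starts with the bytecode signature (ESC) is refused outright.
local function run_sandboxed(source, chunkname)
  if source:sub(1, 1) == "\27" then
    return false, "refusing precompiled bytecode"
  end
  local chunk, err = loadstring(source, chunkname or "=untrusted")
  if not chunk then
    return false, err
  end
  setfenv(chunk, make_sandbox_env())
  -- pcall keeps a runtime error inside the sandbox instead of unwinding
  -- into the host.
  return pcall(chunk)
end

-- Constructed inputs: one benign script and three escape attempts that
-- rely on globals the environment does not provide.
local benign = [[
  local name = "example.com"
  return string.upper(name) .. " " .. tostring(#name)
]]
local escape_os         = [[ return os.execute("id") ]]
local escape_loadstring = [[ return loadstring("return 1")() ]]
local escape_getfenv    = [[ return getfenv(0).os ]]

print(run_sandboxed(benign))
print(run_sandboxed(escape_os))
print(run_sandboxed(escape_loadstring))
print(run_sandboxed(escape_getfenv))
```

The benign script runs to completion; each escape attempt fails inside `pcall` because `os`, `loadstring` and `getfenv` are simply absent from the script's global table, and the failure is returned to the host as a value rather than raised. This pattern limits what a script can reach, not how long it can run: a script with an infinite loop still needs a host-side measure such as a `debug.sethook` count hook installed from trusted code, which is deliberately not part of the allowlist.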

> coLunacyDNS, which allows a DNS server to use Lua scripting; this didn’t exist until the COVID pandemic

Why would a DNS server use Lua scripting? Is this for dynamically responding to requests rather than doing a pure lookup?