Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 8 May 2019 11:57:33 -0400
From: Luke Shumaker <lukeshu@...awire.io>
To: Rich Felker <dalias@...c.org>
Cc: musl@...ts.openwall.com
Subject: Re: Malformed DNS requests for single-label hostnames with
 `search .`

Rich Felker wrote:
> On Tue, May 07, 2019 at 12:29:43PM -0400, Luke Shumaker wrote:
> > In some scenarios, musl libc generates invalid DNS queries that are
> > discarded by the DNS server.  Particularly when `resolv.conf` says
> > `search .` and we attempt to resolv a single-label hostname.
> >
> >     / # cat /etc/resolv.conf
> >     search .
> >     nameserver 1.1.1.1
>
> Note that this is not a good idea, even if it weren't buggy, as it
> will just perform all your queries twice. If you don't want to search,
> omit the search option or leave it blank.

Use-case 1: On macOS, disabling `search`/`domain`-from-DHCP results in
`search .`.  musl isn't really used on macOS, but it _is_ used in
Alpine-on-Docker-on-macOS (by default, Docker just copies the
resolv.conf from the host).

Use-case 2: Since `search` defaults to `domain`, setting `domain .`
will also trigger the bug.  Setting `domain .` is a thing that is
explicitly mentioned as valid in the Linux man-pages project
<https://www.kernel.org/doc/man-pages/> page for resolv.conf.

Use-case 3: Some users wish for to use a search suffix, but to try the
name-as-requested first, then falling back to the suffix; they can do
this by explicitly mentioning `.` before the suffix, setting

    search . whatever.com

> > But if I allow it to use the `search`-path, the query is invalid:
> >
> >     / # time strace -f -e trace=sendto,sendmsg,sendmmsg getent hosts label
> >     sendto(3, "\16s\1\0\0\1\0\0\0\0\0\0\5label.\0\34\0\1\0", 24, ...
> >     sendto(3, "\16s\1\0\0\1\0\0\0\0\0\0\5label.\0\34\0\1\0", 24, ...
> >     sendto(3, "\363\365\1\0\0\1\0\0\0\0\0\0\5label.\0\1\0\1\0", 24, ...
> >     sendto(3, "\363\365\1\0\0\1\0\0\0\0\0\0\5label.\0\1\0\1\0", 24, ...
> >     +++ exited with 2 +++
> >     Command exited with non-zero status 2
> >     real    0m 10.01s
> >     user    0m 0.00s
> >     sys     0m 0.00s
> ...
> > So there are 2 pieces of corruption going on here:
> >
> >  1. Instead of getting the \0 terminator indicating that there are no
> >     more lables in the QNAME, it gets an ASCII '.', indicating another
> >     label of length 46.
> >  2. An extra byte is allocated, which appears at the end of the
> >     message.

Oh, I forgot to mention a 3rd piece of corruption: It submits the same
request (with the same ID!) twice.

> Yes, this is probably a bug, if search is expected to accept trailing
> dots, which seems like reasonable-ish functionality. Around line 203
> of lookup_name.c, we'd need to detect this case and replace the search
> component with a zero-length one. I don't recall right off if we'd
> also need to strip the . separating the query from the search
> component; that depends on whether name_from_dns accepts a trailing
> dot, which I think it does, so such stripping probably isn't needed.

Thanks for the pointers!

> Again, I think it's a really bad idea to configure your resolv.conf
> like this. As you've done, it will repeat the same query twice in the
> case of NxDomain, for no benefit. This will only happen for queries
> with fewer than ndots dots in them, which, unless you've increaded
> ndots (which has a lot of other problems), will always be NxDomain.
> And in the case where you have other nontrivial search components
> *after* ".", it will produce a situation where appearance of new
> domains in the global namespace will mask local names you might be
> using.
>
> I wonder if it would make more sense to just skip/ignore "." in the
> search path...

It looks like what GNU libc does is keep track of whether "." appeared
in `search`, and skip the no-suffix lookup if it reaches the end of
the list (tracking `root_on_list` in `res_query.c`).  On the other
hand, bind-tools will perform the lookup twice, as you described.

-- 
Happy hacking,
~ Luke Shumaker

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.