Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 8 May 2019 11:57:33 -0400
From: Luke Shumaker <lukeshu@...awire.io>
To: Rich Felker <dalias@...c.org>
Cc: musl@...ts.openwall.com
Subject: Re: Malformed DNS requests for single-label hostnames with
 `search .`

Rich Felker wrote:
> On Tue, May 07, 2019 at 12:29:43PM -0400, Luke Shumaker wrote:
> > In some scenarios, musl libc generates invalid DNS queries that are
> > discarded by the DNS server.  Particularly when `resolv.conf` says
> > `search .` and we attempt to resolv a single-label hostname.
> >
> >     / # cat /etc/resolv.conf
> >     search .
> >     nameserver 1.1.1.1
>
> Note that this is not a good idea, even if it weren't buggy, as it
> will just perform all your queries twice. If you don't want to search,
> omit the search option or leave it blank.

Use-case 1: On macOS, disabling `search`/`domain`-from-DHCP results in
`search .`.  musl isn't really used on macOS, but it _is_ used in
Alpine-on-Docker-on-macOS (by default, Docker just copies the
resolv.conf from the host).

Use-case 2: Since `search` defaults to `domain`, setting `domain .`
will also trigger the bug.  Setting `domain .` is a thing that is
explicitly mentioned as valid in the Linux man-pages project
<https://www.kernel.org/doc/man-pages/> page for resolv.conf.

Use-case 3: Some users wish for to use a search suffix, but to try the
name-as-requested first, then falling back to the suffix; they can do
this by explicitly mentioning `.` before the suffix, setting

    search . whatever.com

> > But if I allow it to use the `search`-path, the query is invalid:
> >
> >     / # time strace -f -e trace=sendto,sendmsg,sendmmsg getent hosts label
> >     sendto(3, "\16s\1\0\0\1\0\0\0\0\0\0\5label.\0\34\0\1\0", 24, ...
> >     sendto(3, "\16s\1\0\0\1\0\0\0\0\0\0\5label.\0\34\0\1\0", 24, ...
> >     sendto(3, "\363\365\1\0\0\1\0\0\0\0\0\0\5label.\0\1\0\1\0", 24, ...
> >     sendto(3, "\363\365\1\0\0\1\0\0\0\0\0\0\5label.\0\1\0\1\0", 24, ...
> >     +++ exited with 2 +++
> >     Command exited with non-zero status 2
> >     real    0m 10.01s
> >     user    0m 0.00s
> >     sys     0m 0.00s
> ...
> > So there are 2 pieces of corruption going on here:
> >
> >  1. Instead of getting the \0 terminator indicating that there are no
> >     more lables in the QNAME, it gets an ASCII '.', indicating another
> >     label of length 46.
> >  2. An extra byte is allocated, which appears at the end of the
> >     message.

Oh, I forgot to mention a 3rd piece of corruption: It submits the same
request (with the same ID!) twice.

> Yes, this is probably a bug, if search is expected to accept trailing
> dots, which seems like reasonable-ish functionality. Around line 203
> of lookup_name.c, we'd need to detect this case and replace the search
> component with a zero-length one. I don't recall right off if we'd
> also need to strip the . separating the query from the search
> component; that depends on whether name_from_dns accepts a trailing
> dot, which I think it does, so such stripping probably isn't needed.

Thanks for the pointers!

> Again, I think it's a really bad idea to configure your resolv.conf
> like this. As you've done, it will repeat the same query twice in the
> case of NxDomain, for no benefit. This will only happen for queries
> with fewer than ndots dots in them, which, unless you've increaded
> ndots (which has a lot of other problems), will always be NxDomain.
> And in the case where you have other nontrivial search components
> *after* ".", it will produce a situation where appearance of new
> domains in the global namespace will mask local names you might be
> using.
>
> I wonder if it would make more sense to just skip/ignore "." in the
> search path...

It looks like what GNU libc does is keep track of whether "." appeared
in `search`, and skip the no-suffix lookup if it reaches the end of
the list (tracking `root_on_list` in `res_query.c`).  On the other
hand, bind-tools will perform the lookup twice, as you described.

-- 
Happy hacking,
~ Luke Shumaker

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.