Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!DIKU.DK!thorinn From: thorinn@DIKU.DK (Lars Henrik Mathiesen) Newsgroups: comp.protocols.tcp-ip.domains Subject: PTR records of gateways on the Internet Message-ID: <9101131924.AA24193@rimfaxe.diku.dk> Date: 13 Jan 91 19:24:17 GMT References: <1991Jan13.054040.21009@riacs.edu> Sender: daemon@ucbvax.BERKELEY.EDU Distribution: inet Organization: The Internet Lines: 87 From: medin@nsipo.arc.nasa.gov (Milo S. Medin) rickert@mp.cs.niu.edu (Neil Rickert) writes: > Just because Sun's 'gethostbyaddr()' is broken, there is no reason to >complain about the way domains are set up. > > The public BSD sources do not have this defect. This is not broken, nor is it a defect, and nor is it limited to SUN's. We at Ames came up with this mod to the resolver code after having been burned by internet DNS spoofing. If your resolver doesn't have this capability, your site is open to a lot of security problems. Any system with the original BSD resolver library has this capability: Follow the gethostbyaddr with a gethostbyname and check if the original address appears in the address list. Sun and Ames evidently didn't want to spend the time needed to change the programs needing this (very weak) authentication, and implemented it in gethostbyaddr instead. Berkeley implemented it in the network daemons with the tahoe release (at least Mt. Xinu did in their version; it's 26 lines of boilerplate code in each program). Now Ames are free to decide if they want to live with the consequences of making gethostbyaddr ``safe'', but for Sun it is a clear case of lessened utility: There is now no library routine that will give the name of a host regardless of A records. Since there are programs that make good use of precisely such a routine, users of such programs are entitled to complain about Sun's move. I'm not saying that Sun shouldn't have put in the check, but that it was a bad place to put it. By the way, I think the article that Milo came down so hard on said much the same. -- Lars Mathiesen, DIKU, U of Copenhagen, Denmark [uunet!]mcsun!diku!thorinn Institute of Datalogy -- we're scientists, not engineers. thorinn@diku.dk We turned this bug into Sun, and posted it on comp.bugs.4bsd. Many sites use this since they consider security marginally important. If you don't, that's fine, and more power to you, but don't berate the efforts of a vendor who is concerned with improving the state of security. If you don't like it, then rebuild the resolver library from BSD source (available from a number of places), and install a new shared library. You can convienently rewrite some of the other troublesome features (like wasting time doing a gethostbyaddr on inbound login connections, maybe get rid of all utmp host information) at the same time! How about just having gethostbyname return a hardwired answer like not-me.yourdomain.edu. ? This way you wouldn't have to wait for that pesky DNS to figure out where you are logging in from to timeout when you botch the DNS configuration! What a plus! After all, not all sites require knowing where people log in from. Why should everyone have to put up with these silly delays because a few paranoids out there worry all the time! >extra checking you describe in Sun gethostbyname() is an attempt to use >it as an authentication service. This is WRONG behavior for >gethostbyaddr(). It may make sense to add this type of authentication >to some specific uses (say in rlogind, when checking hosts.equiv). But >it does not make sense in general. > Bull. The DNS system is a distributed database. Are you saying that you don't care how valid the information is as long as it tells you something?? If you can tell someone has misconfigured things or is trying to spoof your system, that's pretty useful info for me. As for using it in only things that require .rhosts type of files, well, I'm sure you'd be rather annoyed when someone breaks into your machine from the Internet and spoofs the PTR information so that when you try and contact the system admin. of the host that connected to you, you get nowhere. Ah, but then you don't care about security! I'm sorry I forgot... If the info is wrong, it shouldn't be shoved into utmp. I can't believe all this garbage blaming the resolver code!!! If you have a problem with the NSS's not doing this, call MERIT and complain. I notice most other people seem to get this right. Don't blame the resolver for doing the right thing. If this REALLY annoys you, why not just relink traceroute with the straight BSD resolver? Sigh... Thanks, Milo PS Usual disclaimers apply...