Network Working Group                                          E. Gavron
Request for Comments: 1535                            ACES Research Inc.
Category: Informational                                     October 1993


              A Security Problem and Proposed Correction
                 With Widely Deployed DNS Software

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard.  Distribution of this memo is

Abstract

   This document discusses a flaw in some of the currently distributed
   name resolver clients.  The flaw exposes a security weakness related
   to the search heuristic invoked by these same resolvers when users
   provide a partial domain name, and which is easy to exploit (although
   not by the masses).  This document points out the flaw, a case in
   point, and a solution.

   Current Domain Name Server clients are designed to ease the burden of
   remembering IP dotted quad addresses.  As such they translate human-
   readable names into addresses and other resource records.  Part of
   the translation process includes understanding and dealing with
   hostnames that are not fully qualified domain names (FQDNs).

   An absolute "rooted" FQDN is of the format {name}{.}  A non "rooted"
   domain name is of the format {name}

   A domain name may have many parts and typically these include the
   host, domain, and type.  Example:  foobar.company.com or

   The problem with most widely distributed resolvers based on the BSD
   BIND resolver is that they attempt to resolve a partial name by
   processing a search list of partial domains to be added to portions
   of the specified host name until a DNS record is found.  This
   "feature" is disabled by default in the official BIND 4.9.2 release.

   Example:  A TELNET attempt by User@Machine.Tech.ACES.COM

Gavron                                                          [Page 1]

RFC 1535                DNS Software Enhancements           October 1993

   The resolver client will realize that since "UnivHost.University.EDU"
   does not end with a ".", it is not an absolute "rooted" FQDN.  It
   will then try the following combinations until a resource record is

Security Issue

   After registering the EDU.COM domain, it was discovered that an
   unliberal application of one wildcard CNAME record would cause *all*
   connects from any .COM site to any .EDU site to terminate at one
   target machine in the private edu.com sub-domain.

   Further, discussion reveals that specific hostnames registered in
   this private subdomain, or any similarly named subdomain may be used
   to spoof a host.

   Example:  harvard.edu.com.  CNAME  targethost

   Thus all connects to Harvard.edu from all .com sites would end up at
   targethost, a machine which could provide a Harvard.edu login banner.

   This is clearly unacceptable.  Further, it could only be made worse
   with domains like COM.EDU, MIL.GOV, GOV.COM, etc.

Public vs. Local Name Space Administration

   The specification of the Domain Name System and the software that
   implements it provides an undifferentiated hierarchy which permits
   delegation of administration for subordinate portions of the name
   space.  Actual administration of the name space is divided between
   "public" and "local" portions.  Public administration pertains to all
   top-level domains, such as .COM and .EDU.  For some domains, it also
   pertains to some number of sub-domain levels.  The multi-level nature
   of the public administration is most evident for top-level domains
   for countries.  For example in the Fully Qualified Domain Name,
   dbc.mtview.ca.us., the portion "mtview.ca.us" represents three levels
   of public administration.  Only the left-most portion is subject to
   local administration.

   The danger of the heuristic search common in current practice is that
   it is possible to "intercept" the search by matching against an
   unintended value while walking up the search list.  While this is
   potentially dangerous at any level, it is entirely unacceptable when
   the error impacts users outside of a local administration.

   When attempting to resolve a partial domain name, DNS resolvers use
   the Domain Name of the searching host for deriving the search list.
   Existing DNS resolvers do not distinguish the portion of that name
   which is in the locally administered scope from the part that is
   publicly administered.

   At a minimum, DNS resolvers must honor the BOUNDARY between local and
   public administration, by limiting any search lists to locally-
   administered portions of the Domain Name space.  This requires a
   parameter which shows the scope of the name space controlled by the
   local administrator.

   This would permit progressive searches from the most qualified to
   less qualified up through the locally controlled domain, but not

   For example, if the local user were trying to reach:

        User@chief.admin.DESERTU.EDU from

   it is reasonable to permit the user to enter just chief.admin, and
   for the search to cover:

   In this case, the value of "search" should be set to "DESERTU.EDU"
   because that's the scope of the name space controlled by the local
   DNS administrator.

   This is more than a mere optimization hack.  The local administrator
   has control over the assignment of names within the locally
   administered domain, so the administrator can make sure that
   abbreviations result in the right thing.  Outside of the local
   control, users are necessarily at risk.

   A more stringent mechanism is implemented in BIND 4.9.2, to respond
   to this problem:

   The DNS Name resolver client narrows its IMPLICIT search list IF ANY
   to only try the first and the last of the examples shown.

   Any additional search alternatives must be configured into the
   resolver EXPLICITLY.

   DNS Name resolver software SHOULD NOT use implicit search lists in
   attempts to resolve partial names into absolute FQDNs other than the
   host's immediate parent domain.

   Resolvers which continue to use implicit search lists MUST limit
   their scope to locally administered sub-domains.

   DNS Name resolver software SHOULD NOT come pre-configured with
   explicit search lists that perpetuate this problem.

   Further, in any event where a "." exists in a specified name it
   should be assumed to be a fully qualified domain name (FQDN) and
   SHOULD be tried as a rooted name first.

   Example:  Given user@a.b.c.d connecting to e.f.g.h only two tries
             should be attempted as a result of using an implicit
             search list:

             Given user@a.b.c.d. connecting to host those same two
             tries would appear as:

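   The two candidate orders the memo contrasts, as an added illustration
   (editor's code, not part of RFC 1535 and not BIND's own resolver):
   legacy_candidates appends every suffix of the searching host's domain
   before trying the name as rooted, which is the pre-4.9.2 heuristic the
   memo describes and the reason an EDU.COM wildcard can intercept a
   lookup; strict_candidates applies the 4.9.2 rules (implicit list
   limited to the host's immediate parent domain, a name containing a "."
   tried rooted first).  The zone contents, the wildcard matching and all
   function names are the editor's constructed stand-ins, not real DNS.

```python
"""Candidate-name generation for partial DNS names, modelled on RFC 1535.

Editor's illustration, not code from the memo or from BIND.  The zone below
and the wildcard matching are constructed stand-ins for real DNS lookups.
"""
from typing import Optional


def _labels(name: str) -> list[str]:
    """Split a domain name into labels, ignoring a trailing root dot."""
    return [label for label in name.strip(".").split(".") if label]


def legacy_candidates(partial: str, host_fqdn: str) -> list[str]:
    """Pre-4.9.2 heuristic as the memo describes it: append each suffix of
    the searching host's own domain, walking up towards the top level, and
    try the name as a rooted FQDN only at the end."""
    if partial.endswith("."):             # already rooted: nothing to search
        return [partial]
    host_domain = _labels(host_fqdn)[1:]  # drop the host's own label
    candidates = [f"{partial}.{'.'.join(host_domain[i:])}."
                  for i in range(len(host_domain))]
    candidates.append(f"{partial}.")
    return candidates


def strict_candidates(partial: str, host_fqdn: str) -> list[str]:
    """BIND 4.9.2 rules from the memo: the implicit list holds only the
    host's immediate parent domain, and a name containing a '.' is tried
    as a rooted name first."""
    if partial.endswith("."):
        return [partial]
    parent = ".".join(_labels(host_fqdn)[1:])
    with_parent = f"{partial}.{parent}."
    rooted = f"{partial}."
    return [rooted, with_parent] if "." in partial else [with_parent, rooted]


def resolves(name: str, zone: set[str]) -> bool:
    """Constructed lookup: exact match, or a wildcard such as '*.edu.com.'
    covering any name beneath it.  DNS names are case-insensitive."""
    name = name.lower()
    if name in zone:
        return True
    return any(entry.startswith("*.") and name.endswith(entry[1:])
               for entry in zone)


def first_match(candidates: list[str], zone: set[str]) -> Optional[str]:
    """Where a resolver stepping through the candidates would stop."""
    for candidate in candidates:
        if resolves(candidate, zone):
            return candidate
    return None


# Constructed zone modelled on the memo's case in point: the legitimate
# host, plus a wildcard CNAME in a private edu.com sub-domain.
SAMPLE_ZONE = {"harvard.edu.", "*.edu.com."}


def where_lookup_lands(partial: str, host_fqdn: str) -> dict:
    """Compare where the two heuristics terminate for the same request."""
    return {
        "legacy": first_match(legacy_candidates(partial, host_fqdn), SAMPLE_ZONE),
        "strict": first_match(strict_candidates(partial, host_fqdn), SAMPLE_ZONE),
    }


if __name__ == "__main__":
    for name in legacy_candidates("UnivHost.University.EDU",
                                  "Machine.Tech.ACES.COM"):
        print(name)
    print(where_lookup_lands("harvard.edu", "machine.tech.aces.com"))
```

   Run from a host in tech.aces.com, the legacy order reaches
   harvard.edu.com. before it ever tries harvard.edu., so the wildcard
   answers; the 4.9.2 order tries the rooted name first and never touches
   the public .COM level.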
   Some organizations make regular use of multi-part, partially
   qualified Domain Names.  For example, host foo.loc1.org.city.state.us
   might be used to making references to bar.loc2, or mumble.loc3, all
   of which refer to whatever.locN.org.city.state.us

   The stringent implicit search rules for BIND 4.9.2 will now cause
   these searches to fail.  To return the ability for them to succeed,
   configuration of the client resolvers must be changed to include an
   explicit search rule for org.city.state.us.  That is, it must contain
   an explicit rule for any -- and each -- portion of the locally-
   administered sub-domain that it wishes to have as part of the search

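   An added check for the explicit search-list configuration described
   above (editor's code, not from the memo or from BIND): it reads the
   "search" entries from resolv.conf-style text, flags any entry that
   reaches outside the locally administered scope the memo says resolvers
   must honor, and shows how a partially qualified name such as bar.loc2
   expands under an explicit list.  The resolv.conf text is constructed,
   and local_scope is an assumed parameter standing for the memo's
   "scope of the name space controlled by the local administrator".

```python
"""Explicit search-list handling for partially qualified names (RFC 1535).

Editor's illustration, not code from the memo or from BIND.  The resolv.conf
text is constructed; `local_scope` is an assumed parameter standing for the
scope of name space controlled by the local DNS administrator.
"""


def _labels(name: str) -> list[str]:
    """Lower-cased labels of a name, ignoring a trailing root dot."""
    return [label for label in name.lower().strip(".").split(".") if label]


def parse_search_list(resolv_conf: str) -> list[str]:
    """Return the search list from resolv.conf-style text: the last
    'search' or 'domain' line wins (a 'domain' line is a one-entry list)."""
    search: list[str] = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, *args = line.split()
        if key == "search":
            search = args
        elif key == "domain":
            search = args[:1]
    return search


def is_within(name: str, scope: str) -> bool:
    """True if name equals scope or lies beneath it in the hierarchy."""
    n, s = _labels(name), _labels(scope)
    return len(n) >= len(s) and n[-len(s):] == s


def out_of_scope(search: list[str], local_scope: str) -> list[str]:
    """Search entries that would let a partial name be completed outside
    the locally administered scope, i.e. across the boundary between
    local and public administration that the memo says must be honored."""
    return [entry for entry in search if not is_within(entry, local_scope)]


def explicit_candidates(partial: str, search: list[str]) -> list[str]:
    """Expand a partial name with an explicit search list.  A name with a
    '.' is tried rooted first, per the memo; a rooted name is used as is."""
    if partial.endswith("."):
        return [partial]
    rooted = f"{partial}."
    expanded = [f"{partial}.{entry.strip('.')}." for entry in search]
    return [rooted, *expanded] if "." in partial else [*expanded, rooted]


# Constructed resolv.conf for host foo.loc1.org.city.state.us; the last
# search entry deliberately reaches outside the local administration.
SAMPLE_RESOLV_CONF = """\
search loc1.org.city.state.us org.city.state.us state.us
nameserver 192.0.2.53   # documentation address, constructed
"""

LOCAL_SCOPE = "org.city.state.us"   # assumed local-administration scope


def audit(resolv_conf: str = SAMPLE_RESOLV_CONF,
          local_scope: str = LOCAL_SCOPE) -> dict:
    """Report the configured list, the entries that cross the boundary,
    and the expansion of bar.loc2 using only the in-scope entries."""
    search = parse_search_list(resolv_conf)
    safe = [entry for entry in search if is_within(entry, local_scope)]
    return {
        "search": search,
        "out_of_scope": out_of_scope(search, local_scope),
        "bar.loc2": explicit_candidates("bar.loc2", safe),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

   The entry state.us is reported because it lies above
   org.city.state.us, so it would turn the explicit list into exactly the
   kind of public-level search the memo warns against.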
Security Considerations

   This memo indicates vulnerabilities with all too-forgiving DNS
   clients.  It points out a correction that would eliminate the future
   potential of the problem.

Author's Address

   ACES Research Inc.
   PO Box 14546
   Tucson, AZ 85711

   Phone: (602) 743-9841
   EMail: gavron@aces.com