A Security Problem and Proposed Correction With Widely Deployed DNS Software
RFC 1535

Document Type RFC - Informational (October 1993; Errata)
Last updated 2013-03-02
Network Working Group                                          E. Gavron
Request for Comments: 1535                            ACES Research Inc.
Category: Informational                                     October 1993

              A Security Problem and Proposed Correction
                   With Widely Deployed DNS Software

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard.  Distribution of this memo is
   unlimited.

Abstract

   This document discusses a flaw in some of the currently distributed
   name resolver clients.  The flaw exposes a security weakness related
   to the search heuristic invoked by these same resolvers when users
   provide a partial domain name, and which is easy to exploit (although
   not by the masses).  This document points out the flaw, a case in
   point, and a solution.

Background

   Current Domain Name Server clients are designed to ease the burden of
   remembering IP dotted quad addresses.  As such they translate human-
   readable names into addresses and other resource records.  Part of
   the translation process includes understanding and dealing with
   hostnames that are not fully qualified domain names (FQDNs).

   An absolute "rooted" FQDN is of the format {name}{.}, ending in a dot.
   A non-"rooted" domain name is of the format {name}, with no trailing dot.

   A domain name may have many parts and typically these include the
   host, domain, and type.  Example:  foobar.company.com or
   fooschool.university.edu.

Flaw

   The problem with most widely distributed resolvers based on the BSD
   BIND resolver is that they attempt to resolve a partial name by
   processing a search list of partial domains to be added to portions
   of the specified host name until a DNS record is found.  This
   "feature" is disabled by default in the official BIND 4.9.2 release.

   Example: A TELNET attempt by    User@Machine.Tech.ACES.COM
                             to    UnivHost.University.EDU

Gavron                                                          [Page 1]
RFC 1535               DNS Software Enhancements            October 1993

   The resolver client will realize that since "UnivHost.University.EDU"
   does not end with a ".", it is not an absolute "rooted" FQDN.  It
   will then try the following combinations until a resource record is
   found:

                UnivHost.University.EDU.Tech.ACES.COM.
                UnivHost.University.EDU.ACES.COM.
                UnivHost.University.EDU.COM.
                UnivHost.University.EDU.

Security Issue

   After registering the EDU.COM domain, it was discovered that an
   unliberal application of one wildcard CNAME record would cause *all*
   connects from any .COM site to any .EDU site to terminate at one
   target machine in the private edu.com sub-domain.

   Further, discussion reveals that specific hostnames registered in
   this private subdomain, or any similarly named subdomain may be used
   to spoof a host.

        Example:        harvard.edu.com.        CNAME   targethost

   Thus all connects to Harvard.edu from all .com sites would end up at
   targethost, a machine which could provide a Harvard.edu login banner.

   This is clearly unacceptable.  Further, it could only be made worse
   with domains like COM.EDU, MIL.GOV, GOV.COM, etc.
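   The search walk from the "Flaw" section and the wildcard interception
   from the "Security Issue" section, modelled together as an added example
   (not code from the RFC or from BIND).  The zone data is constructed:
   "targethost.edu.com." is hypothetical and the addresses are TEST-NET
   values.

```python
# Added example (not code from RFC 1535 or from BIND): a model of the
# pre-4.9.2 search heuristic.  The zone data below is constructed; the
# addresses are TEST-NET values and "targethost.edu.com." is hypothetical.

def search_candidates(name, local_domain):
    """Absolute names an old resolver tries, in order (RFC 1535, "Flaw").
    A rooted name (trailing ".") is tried as-is; otherwise each suffix of
    the local domain is appended, walking toward the root, then the bare name.
    """
    if name.endswith("."):
        return [name]
    labels = local_domain.rstrip(".").split(".")
    cands = [f"{name}.{'.'.join(labels[i:])}." for i in range(len(labels))]
    cands.append(name + ".")
    return cands

def lookup(qname, zone):
    """Simplified lookup: exact match, else nearest enclosing "*." record.
    (Real wildcard rules are stricter, but this reproduces the interception.)
    """
    key = qname.lower()
    if key in zone:
        return zone[key]
    labels = key.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in zone:
            return zone[wildcard]
    return None

def resolve_old_way(name, local_domain, zone):
    """Return (name actually answered, record) for the first candidate hit."""
    for cand in search_candidates(name, local_domain):
        rec = lookup(cand, zone)
        if rec is not None:
            return cand, rec
    return None, None

# Constructed zone data: the "unliberal" wildcard CNAME from the RFC plus the
# legitimate host the user meant to reach.
SAMPLE_ZONE = {
    "*.edu.com.": "CNAME targethost.edu.com.",
    "targethost.edu.com.": "A 192.0.2.10",
    "univhost.university.edu.": "A 192.0.2.20",
}

# Unrooted name: intercepted at UnivHost.University.EDU.COM. by the wildcard.
INTERCEPTED = resolve_old_way("UnivHost.University.EDU", "Tech.ACES.COM", SAMPLE_ZONE)
# Rooted name: the search list is skipped and the real host is reached.
SAFE = resolve_old_way("UnivHost.University.EDU.", "Tech.ACES.COM", SAMPLE_ZONE)
```

   Typing the name with its trailing dot is the only way the old heuristic
   reaches the intended host from a .COM site once edu.com carries that
   wildcard.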

Public vs. Local Name Space Administration

   The specification of the Domain Name System and the software that
   implements it provides an undifferentiated hierarchy which permits
   delegation of administration for subordinate portions of the name
   space.  Actual administration of the name space is divided between
   "public" and "local" portions.  Public administration pertains to all
   top-level domains, such as .COM and .EDU.  For some domains, it also
   pertains to some number of sub-domain levels.  The multi-level nature
   of the public administration is most evident for top-level domains
   for countries.  For example in the Fully Qualified Domain Name,
   dbc.mtview.ca.us., the portion "mtview.ca.us" represents three levels
   of public administration.  Only the left-most portion is subject to
   local administration.


   The danger of the heuristic search common in current practice is that
   it is possible to "intercept" the search by matching against an
   unintended value while walking up the search list.  While this is
   potentially dangerous at any level, it is entirely unacceptable when
   the error impacts users outside of a local administration.

   When attempting to resolve a partial domain name, DNS resolvers use