New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
search domains do not apply to dotted names #4821
Comments
This is an explicit design decision, following the logic of LLMNR and suchlike, that single-label names follow different rules than multi-label names. By strictly saying that they are different we remove ambiguity regarding resolving: if something has a dot, it's an fqdn, if not it's to be seen in a local scope, and queried via llmnr or via search domains. This makes things very clear for both the resolver and as well as for the user: there's no ambiguity what happens when he types a hostname into his web browser: if he types in anything with more than one label, the user knows it ends up on the internet, and hence returns a global resource's address. If he types in something with only one label, then he knows it is resolved within local scope, meaning either via LLMNR or via DHCP supplied, LAN-specific search domains, or via some other means. Honouring searching domains for multi-label names is simply a big security problem I think, as today the most famous websites all are usually accessed via a two-label name (like for example github: if you look in the URL bar, it is a two-label name). If the user never knows whether "spiegel.de" ends up in the local search domain logic or not then that's a primary security problem, and can be exploited remotely (simply by providing search domains via DHCP and then providing a link). Potentially routing traffic for all such multi-label domains through a search domain is highly problematic. Resolving multi-label names via the search list is also kinda incompatible with DNSSEC as that's supposed to validate the name the user types the way it was type in. I think this bahaviour is also in line with the general trend how the internet bodies see that, for example the fight against "dotless domains" (google for it...), i.e. servers that are reachable via single-label domains via DNS. It's kinda the other side of the medal: make sure the Internet DNS servers never resolve addresses under single-label names, even if clients ask for it. All that work is to make it very clear that single-label names go one way, and multi-label domains another way, and that there should not be ambiguities inbetween. Also note that glibc requires manual reconfiguration to actually honour this, and I am pretty sure almost nobody will do that. All that together makes very reluctant to do anything about this. This appears very much a legacy concept that does not have a place in an Internet where DNSSEC is the norm, and local networks where LLMNR is typical. Yes, we are breaking some setups which relied on that, but quite frankly given that these are highly localized setups only (as you cannot serve such a DNS configuration via DHCP for example), I am very sure this is an egg that is worth breaking to make an omelette. Sorry if this is disappointing! |
Not disappointing to me personally actually, my gut feeling actually agrees. It's just a rather obvious behaviour change compared to glibc's resolver, so I wanted to at least report it. So I guess we can/should close this? |
Yupp. Thank you for your understanding! |
Hi, This thread seems like 2 guys making a design decision that breaks many peoples every day system. Do these things break on Windows and MacOS? NO! I am specifically talking about these two bugs now: How about we think about how we facilitate the old behavior with the new design? Let's bundle our efforts to have actual end products like Operatings system in a certain bundle WORK. If that means disabling systemd-resolvd, fine, lets's do it by default. Otherwise, let us think about the proper way of dealing with an between situation of a hopefully more safe future internet. |
Not sure if this would be acceptable, but one possibility would be to allow adding a trailing dot to the query, which would make it go through search domains? It would get rid of the ambiguity, even if a http://name.home./ URL could potentially look weird. So single-label and trailing-dot queries would go through search domains (and only through search domains), no others would. FWIW, single-label names with a trailing dot do resolve today with libnss-resolve:
If this is not acceptable, then the above itself should probably be a bug. An argument for the original behaviour is that it allowed for reaching easily (and explicitly) across subdomains, when you had |
I'd actually expect names ending in a dot to not go through search domains, since they are fully qualified (the DNS equivalent of an absolute path in the filesystem). |
Yes, the trailing dot is usually indication that the name is final and should not be subject to search domain extension |
FYI, RFC3397 DHCP Domain Search Option section 4 (Security Considerations) item [2] specifically recommends:
|
Adding a comment to this: "Honouring searching domains for multi-label names is simply a big security problem" That may be so, in some setups, under certain conditions. It is however the responsibility of the system administrator to manage this correctly for his setup. You're not only removing this ability from the default setup of several distros, you're also removing the ability for a system administrator to explicitly choose the functionality he needs. I see no reason at all why you should override the RFC, and break default setups , because you personally believe it could be a problem in certain constructed scenarios. To illustrate more clearly what I think you're doing - exaggerated, i know, but it's just an illustration. Would you react if a developer decided that all passwords must be 16 chars in the default PAM setup of a distro? What if the developer then also decided that you cannot change this config, because it's more secure - if you want PAM, your passwords must be 16 chars? I have a practical use for hosts like "proxy.ops", "nginx1.web", "syslog.ops". Now, for my setups I'll of course just replace systemd-resolved with another resolution mechanism across all hosts. That's a waste of time, and yet more deviation from default install that must be maintained, due to a "we-know-best" decision that sounds more like something Apple or MS would impose on users. |
Okay. I'm going to register nginx1.web soon (as you should know it becomes a top level domain).. Whats going to happen then?
Oops. Sorry, but @poettering is completely right here. If something is broken like that it's better to remove it (even if it breaks other setups relying on broken standards) than to keep it as dirty as it is. |
This is a very disappointing! If i have big company with wide departments structure, i cannot implement normal understandable politic for names. For purpose wich you talk about, people was come up with the difference between the two type (n/fqdn) by pointing dot at the end of name. This is a very right comfortable decision. Why reinvent wheel or act as Windows developers, especially since glibc support this. |
It seems like a better choice would be to make dotted labels resolvable with search domains by a configuration option, and have it deprecated from the outset. The documentation for that option could cite these security concerns. Using it could emit a warning to the Patching the security hole by default is great, breaking systems without warning is not. |
I do not follow this issue. So, I am not sure, but |
@yuwata I think that option is so that a query like |
As a system administrator I would like to be able to enforce the following behaviour:-
Alas in reality this is nigh-on impossible because pretty much all software and configurations provide domains as unqualified. |
I am a user and I disagree. Also the discussion above clearly shows that there is no such consensus amongst users. I suggest to stick to what RFC says. |
Submission type
systemd version the issue has been seen with
Used distribution
I got a downstream report about resolved's handling of search domains: glibc in no way restricts application of search domains to "single" (undotted) labels, it always applies the search domains. It has an
ndots
options below which it forces appending a search domain, but that does not mean that it skips search expansion for queries with more thanndots
dots.E. g. if you have
Domains=example.com
then a lookup offor.bar
ought to try and queryfoo.bar.example.com
.I wrote a test case that reproduces this bug.
My first naïve approach was to just change
dns_scope_name_needs_search_domain()
to always returntrue
instead ofreturn dns_name_is_single_label(name);
. This makes search expansion work, but then breaks queries which already provide a fully qualified host name. I tried to fix that indns_query_add_candidate()
but it seems its current approach is a bit too simplistic.The text was updated successfully, but these errors were encountered: