Subj: The Open Root Server Confederation
To:   Rich Wonneberger
From: Jonathan de Boyne Pollard
Date: Wed Mar 14 2001 04:09 pm

>> Have a peek at http://support.open-rsc.org./How_To/OS2/ .

RW> Should there be a '.' after the org??  org./
RW>                                           ^

Yes. It prevents impersonation. Here's an example of how such impersonation occurs.

Posit: Your local domain name is "rich.wonneberger.person." and you are looking up the address of "www.ibm.com" (*without* the dot).

The DNS client library (TCP32DLL.DLL) supplied by IBM with OS/2 implements the usual BIND domain search algorithm, whereby to any name that is being looked up it appends successively shorter substrings of your local domain name until a lookup succeeds. (This happens with *any* name, including names with more than one label in them.) This is because a strict reading of the RFCs tells one that names not ending with a dot are *not*, in fact, in fully qualified form. The DNS proper only deals with fully qualified names. So unqualified names received from applications have to be converted to fully qualified form by the DNS client library before being passed to the DNS proper. Appending substrings of your local domain name is one way of converting an unqualified name into a fully qualified one, and is the way that BIND's DNS client library chooses to use. (You can also explicitly specify a search path.)

So the BIND DNS client library looks up, in order, the names

  1. "www.ibm.com.rich.wonneberger.person."
  2. "www.ibm.com.wonneberger.person."
  3. "www.ibm.com.person."
  4. "www.ibm.com."

If you crank up either of the caching proxy servers (DNSRCPD or DNSFCPD) from my DNS Utilities, point the BIND DNS client library at them, and *don't* install the replacement TCP32DLL.DLL, you can watch this happening in the log output.

Now suppose that some enterprising chap has gone to the "person." registry and registered the domain "com.person." to himself. He owns everything below "com.person." and can quite legitimately set up a host with the name "www.ibm" within his domain. All of a sudden, the third search succeeds. *You* think that you have the address of IBM's web server. But in fact, because you used an unqualified name and the BIND DNS client library, you have the address of this chap's machine instead.

If he were to create more names within his domain, such as (say) "www.altavista", "www.amazon", and "www.ebay", all pointing to his machine, and run an HTTP server on it, then as far as anyone within the "person." domain (that used BIND's DNS client library) was concerned, he could pretend to be any "com." site at all.

There are two ways to prevent impersonation of this sort.

The first way is to alter the way that names are converted to fully-qualified form by the DNS client library. This can be done by replacing the BIND DNS client library with something else, that doesn't use BIND's search path scheme. My DNS Utilities come with an optional replacement DNS client library that performs name qualification according to a user-configurable set of regular expression pattern matching and replacement rules, rather than using a search path. The following command sets up a very minimal ruleset that simply appends a dot to any names not already ending with a dot:

  [C:\]echo ^^(.*[^^.])$ \1. > \TAU\Config\Apps\JdeBP\DNS\Qual.CFG

This converts "support.open-rsc.org" directly to "support.open-rsc.org.".

(It's worth noting, incidentally, that Microsoft's DNS client library for Windows, which isn't a port of BIND (whereas IBM's DNS client library for OS/2 is), doesn't copy BIND's search path scheme either. Score one point for Microsoft.)

The second way is to always supply names in fully qualified form in the first place. The name "support.open-rsc.org." won't need converting to fully qualified form. It is in fully qualified form *already*. So the BIND DNS client library doesn't use its search path with such a name, and the above method of impersonation does not succeed.

JdeBP

--- FleetStreet 1.22 NR
 * Origin: JdeBP's point, using Squish (1:109/921.70)
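The following Python is an added illustration of the message above; it is not part of the original post and is not code from JdeBP's DNS Utilities or from IBM's TCP32DLL.DLL. It models the two qualification schemes the message contrasts: the BIND-style search list, which appends successively shorter suffixes of the local domain before trying the bare name, and a regex rule set holding the single append-a-dot rule from the echo command (the doubled carets in that command are assumed here to be CMD.EXE escaping for a literal '^', so the rule written to Qual.CFG is `^(.*[^.])$ \1.`). The zone data, the addresses (RFC 5737 documentation ranges), the rule-set file format and the "first candidate that exists wins" resolver are all constructed for the example and stand in for the real DNS.

```python
import re
from typing import Callable, Optional

# Constructed zone data for the example (RFC 5737 documentation addresses).
# "www.ibm.com.person." is the squatter's "www.ibm" host inside "com.person.".
ZONE = {
    "www.ibm.com.":        "192.0.2.10",    # the real target (constructed address)
    "www.ibm.com.person.": "198.51.100.7",  # the impersonator (constructed address)
}

LOCAL_DOMAIN = "rich.wonneberger.person."   # the local domain from the message

# Hypothetical in-memory form of the Qual.CFG rule set: (pattern, replacement)
# pairs. With CMD.EXE's "^^" taken as an escaped "^", the echo command in the
# message yields exactly this one rule: append a dot unless one is already there.
QUAL_RULES = [(r"^(.*[^.])$", r"\1.")]


def bind_search_list(local_domain: str) -> list[str]:
    """Successively shorter suffixes of the local domain, then the empty suffix."""
    labels = [lab for lab in local_domain.rstrip(".").split(".") if lab]
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + [""]


def bind_candidates(name: str, local_domain: str) -> list[str]:
    """Names a BIND-style client library asks the DNS for, in order."""
    if name.endswith("."):
        return [name]                      # already fully qualified: no search path
    return [name + "." + suffix if suffix else name + "."
            for suffix in bind_search_list(local_domain)]


def regex_qualify(name: str, rules=QUAL_RULES) -> str:
    """Apply the first matching (pattern, replacement) rule; other names pass through."""
    for pattern, replacement in rules:
        if re.search(pattern, name):
            return re.sub(pattern, replacement, name, count=1)
    return name


def regex_candidates(name: str, local_domain: str) -> list[str]:
    """The rule-based library asks the DNS for exactly one name, never a search path."""
    return [regex_qualify(name)]


Qualifier = Callable[[str, str], list[str]]


def resolve(name: str, local_domain: str, qualifier: Qualifier,
            zone: dict[str, str] = ZONE) -> Optional[tuple[str, str]]:
    """Simplified client: first candidate present in the zone wins.

    Returns (fully qualified name actually answered, address) or None.
    """
    for candidate in qualifier(name, local_domain):
        if candidate in zone:
            return candidate, zone[candidate]
    return None


if __name__ == "__main__":
    for label, qualifier in (("BIND search path", bind_candidates),
                             ("regex qualifier", regex_candidates)):
        for name in ("www.ibm.com", "www.ibm.com."):
            print(f"{label:16} {name:14} tries {qualifier(name, LOCAL_DOMAIN)}")
            print(f"{'':16} {'':14} gets  {resolve(name, LOCAL_DOMAIN, qualifier)}")
```

Run stand-alone, the BIND-style path hands back the squatter's 198.51.100.7 for the unqualified "www.ibm.com" (the third candidate, "www.ibm.com.person.", is answered before "www.ibm.com." is ever asked), while both the regex qualifier and the trailing-dot form reach 192.0.2.10. The check worth keeping from this is the one in resolve(): compare the name that was actually answered against the name you meant to ask, not just the address that came back.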