Linux & IPv6: getaddrinfo and search domains - Research
Version: 0.01 from 2006-08-27
Copyright 2006 by Peter Bieringer <pb@bieringer.de>,
original site of publishing: http://www.bieringer.de/linux/IPv6/
Unlimited non-commercial distribution of this document in its entirety
is encouraged - please contact the author prior to commercial
publication.
Suggestions, comments and improvements are welcome!
Problem description
Differences in how resolver libraries apply search domains can cause
the getaddrinfo library function to return unexpected addresses.
Scenario: an application wants to connect to www.redhat.com port 80
using the getaddrinfo resolver function.
Behavior of certain operating systems: when search domains are in use,
getaddrinfo can return IPv6 and IPv4 addresses of different hosts.
Example: getaddrinfo returns:
fec0::2 (www.redhat.com.2.getaddrinfo.bieringer.de)
209.132.177.50 (www.redhat.com)
Security impact: if the application prefers IPv6, it tries to connect to
the wrong host; this can be used e.g. for man-in-the-middle attacks.
Privacy impact: unnecessary AAAA queries are sent to the DNS servers
authoritative for the search domains; this can be used for tracking.
It looks like it is not properly defined anywhere (e.g. in an RFC) when
and how search domains are used for lookups.
I've created a "reference" implementation in Perl (getaddrinfo-reference.pl), which
performs queries and returns results the way administrators (at least me)
would expect.
See also:
Summary
The table below summarizes the research results.
| Operating System | Version | Unexpected use of search domains (1) | Unexpected connect to address returned by unexpected use of search domain (2) | Comments |
| FreeBSD | 6.1 | no | n/a, because no unexpected use was seen at all | |
| Linux (using glibc) | Fedora Core 5 | yes | yes | |
| Microsoft Windows | XP SP2 | yes | no | |
| Sun Solaris | 10 U2 | yes | yes | |
(1) Search domains are used during the lookup unexpectedly, because they
are normally not needed.
(2) Address(es) returned by the unexpected lookups are preferred and
connected to first.
Research
The results for some major operating systems follow (feel free
to contribute missing ones, e.g. AIX, Linux using dietlibc).
Test configuration
Prerequisites
- Working IPv4 and IPv6 connectivity to the global Internet
# ping www.bieringer.de
# ping6 www.ipv6.bieringer.de
> ping www.bieringer.de
> ping6 www.ipv6.bieringer.de
# ping www.bieringer.de
# ping www.ipv6.bieringer.de
- Working DNS resolution
- Test for successful resolution:
# dig +short any test.2.getaddrinfo.bieringer.de
fec0::2
"*.2.getaddrinfo.bieringer.de has AAAA and a TXT record"
# dig +short any test.3.getaddrinfo.bieringer.de
127.0.0.3
"*.3.getaddrinfo.bieringer.de has A and a TXT record"
# dig +short any test.2g.getaddrinfo.bieringer.de
2001:db8::2
"*.2g.getaddrinfo.bieringer.de has AAAA and a TXT record"
- Microsoft Windows XP
(sorry, only German language available here)
>nslookup -q=any test.2.getaddrinfo.bieringer.de.
Server: router
Address: 192.0.2.1
Nicht autorisierte Antwort:
test.2.getaddrinfo.bieringer.de AAAA IPv6 address = fec0::2
test.2.getaddrinfo.bieringer.de text =
"*.2.getaddrinfo.bieringer.de has AAAA and a TXT record"
getaddrinfo.bieringer.de nameserver = ns.bieringer.de
ns.bieringer.de internet address = 212.18.21.188
ns.bieringer.de AAAA IPv6 address = 2001:a60:9002:1::188:1
>nslookup -q=any test.2g.getaddrinfo.bieringer.de.
Server: linksys192.lan
Address: 192.0.2.1
Nicht autorisierte Antwort:
test.2g.getaddrinfo.bieringer.de AAAA IPv6 address = 2001:db8::2
getaddrinfo.bieringer.de nameserver = ns.bieringer.de
ns.bieringer.de internet address = 212.18.21.188
ns.bieringer.de AAAA IPv6 address = 2001:a60:9002:1::188:1
>nslookup -q=any test.3.getaddrinfo.bieringer.de.
Server: linksys192.lan
Address: 192.0.2.1
Nicht autorisierte Antwort:
test.3.getaddrinfo.bieringer.de internet address = 127.0.0.3
test.3.getaddrinfo.bieringer.de text =
"*.3.getaddrinfo.bieringer.de has A and a TXT record"
getaddrinfo.bieringer.de nameserver = ns.bieringer.de
ns.bieringer.de internet address = 212.18.21.188
ns.bieringer.de AAAA IPv6 address = 2001:a60:9002:1::188:1
Test scenario
- Add the following search domains to the resolver configuration
- Linux, FreeBSD, Solaris
- Microsoft Windows XP
- Start -> Settings -> System Control -> Network
Connections -> LAN Connection -> Properties -> TCP/IP ->
Additional -> DNS -> Append DNS Suffix
(I've used "2g", because it's not easy to see connects using "telnet")
2g.getaddrinfo.bieringer.de
3.getaddrinfo.bieringer.de
- Add an additional site-local IPv6 address to the local interface
- Linux
(using device "eth0")
# ip addr add fec0::2/64 dev eth0
- FreeBSD
(using device "lnc0" [VMware])
# ifconfig lnc0 inet6 fec0::2/64
- Connect to a web server using the command line
# telnet www.redhat.com 80
# telnet www.bieringer.de 80
Results
FreeBSD
Version
freebsd# uname -a
FreeBSD freebsd 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:32:43 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
Result
# telnet www.redhat.com 80
Trying 209.132.177.50... OK
Connected to www.redhat.com.
Escape character is '^]'.
# telnet www.bieringer.de 80
Trying 2001:a60:9002:1::186:3... OK
Connected to www.bieringer.hosting.aerasec.de.
Escape character is '^]'.
Related TCPdump
14:22:58.321637 IP 192.0.2.247.54510 > 192.0.2.1.domain: 34720+ A? www.redhat.com. (32) OK
14:22:58.378958 IP 192.0.2.1.domain > 192.0.2.247.54510: 34720 1/3/3 A 209.132.177.50 (150)
14:22:58.379770 IP 192.0.2.247.64705 > 192.0.2.1.domain: 34721+ AAAA? www.redhat.com. (32) OK
14:22:58.381385 IP 192.0.2.1.domain > 192.0.2.247.64705: 34721 0/0/0 (32)
14:24:52.323505 IP 192.0.2.247.56440 > 192.0.2.1.domain: 31319+ A? www.bieringer.de. (34) OK
14:24:52.368232 IP 192.0.2.1.domain > 192.0.2.247.56440: 31319 2/2/3 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (203)
14:24:52.369093 IP 192.0.2.247.64067 > 192.0.2.1.domain: 31320+ AAAA? www.bieringer.de. (34) OK
14:24:52.415152 IP 192.0.2.1.domain > 192.0.2.247.64067: 31320 2/2/3 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (215)
Conclusion
Proper implementation: search domains are not used, because there is no
need for additional lookups.
Linux
Version
Distribution: Fedora Core 5
Kernel: kernel-2.6.17-1.2174_FC5
Glibc: glibc-2.4-8
# uname -a
Linux linux-fedoracore-5 2.6.17-1.2174_FC5 #1 Tue Aug 8 15:30:55 EDT 2006 i686 athlon i386 GNU/Linux
Result
# telnet www.redhat.com 80
Trying fec0::2...
telnet: connect to address fec0::2: Connection refused Unexpected, dangerous
Trying 209.132.177.50... OK
Connected to www.redhat.com.
# telnet www.bieringer.de 80
Trying 2001:a60:9002:1::186:3... OK
Connected to www.bieringer.de.
Escape character is '^]'.
Related TCPdump
14:13:43.423021 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 62386+ AAAA? www.redhat.com. (32) OK
14:13:43.478981 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 62386 0/1/0 (76)
14:13:43.479385 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 28035+ AAAA? www.redhat.com.2.getaddrinfo.bieringer.de. (59) Unexpected and not needed at all
14:13:43.480718 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 28035 1/0/0 AAAA fec0::2 (87)
14:13:43.481164 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 38827+ A? www.redhat.com. (32) OK
14:13:43.538489 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 38827 1/3/3 A 209.132.177.50 (150)
14:26:10.295730 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 65370+ AAAA? www.bieringer.de. (34) OK
14:26:10.297302 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 65370 2/0/0 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (108)
14:26:10.297719 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 62122+ A? www.bieringer.de. (34) OK
14:26:10.299189 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 62122 2/0/0 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (96)
Conclusion
Not a proper implementation: the behavior can lead to a connection to an
unexpected IPv6 address.
getaddrinfo can return addresses of different hosts to the application.
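The query sequence in the capture above can be reproduced offline with a small model of the search-list walk. This is an added example, not the author's getaddrinfo-reference.pl and not glibc code; the zone table is constructed from the records shown on this page, and the function names and the simplified wildcard matching are assumptions.

```python
# Constructed zone, using the records shown on this page.
ZONE = {
    ("www.redhat.com", "A"): ["209.132.177.50"],  # exists, but has no AAAA
    ("*.2.getaddrinfo.bieringer.de", "AAAA"): ["fec0::2"],
    ("*.3.getaddrinfo.bieringer.de", "A"): ["127.0.0.3"],
}
SEARCH = ["2.getaddrinfo.bieringer.de", "3.getaddrinfo.bieringer.de"]


def query(name, rtype, log):
    """Answer one question from ZONE (exact name, then wildcards) and log it."""
    log.append(f"{rtype}? {name}.")
    labels = name.split(".")
    keys = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((ZONE[(k, rtype)] for k in keys if (k, rtype) in ZONE), [])


def candidates(name):
    """The name as typed (it has enough dots), then each search domain appended."""
    return [name] + [f"{name}.{d}" for d in SEARCH]


def per_family_walk(name, log):
    """Seen in the Fedora Core 5 and Solaris 10 captures: each record type walks
    the candidates alone, and an empty answer moves on to the next one."""
    out = []
    for rtype in ("AAAA", "A"):
        for cand in candidates(name):
            addrs = query(cand, rtype, log)
            if addrs:
                out += [(a, cand) for a in addrs]
                break
    return out


def single_owner_walk(name, log):
    """Expected: the first candidate owning any address supplies all results."""
    for cand in candidates(name):
        found = [(a, cand) for t in ("AAAA", "A") for a in query(cand, t, log)]
        if found:
            return found
    return []


def mixed_hosts(results):
    """True when the returned addresses belong to more than one DNS name."""
    return len({owner for _, owner in results}) > 1
```

An application can apply the same idea as mixed_hosts to whatever its resolver returns and refuse a result set whose addresses come from more than one name.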
Microsoft Windows XP
Version
Windows XP SP2
Result
> telnet www.redhat.com 80
> telnet www.bieringer.de 80
Related TCPdump
15:11:50.978326 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 57811+ AAAA? www.redhat.com. (32) OK
15:11:51.040163 IP 192.0.2.1.domain > 192.0.2.167.iad1: 57811 0/1/0 (76)
15:11:51.041039 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 32468+ AAAA? www.redhat.com.2g.getaddrinfo.bieringer.de. (60) Unexpected and not needed at all
15:11:51.086047 IP 192.0.2.1.domain > 192.0.2.167.iad1: 32468 1/1/2 AAAA 2001:db8::2 (149)
15:11:51.089207 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 2006+ A? www.redhat.com. (32) OK
15:11:51.147964 IP 192.0.2.1.domain > 192.0.2.167.iad1: 2006 1/3/3 A 209.132.177.50 (150)
15:11:51.228869 IP 192.0.2.167.ardus-mtrns > 192.0.2.1.domain: 1+ PTR? 50.177.132.209.in-addr.arpa. (45)
15:11:51.228886 IP 192.0.2.167.ardus-mtrns > 192.0.2.1.domain: 1+ PTR? 50.177.132.209.in-addr.arpa. (45)
15:11:51.295876 IP 192.0.2.1.domain > 192.0.2.167.ardus-mtrns: 1 1/3/3 PTR www.redhat.com. (175)
15:11:53.231724 IP 192.0.2.167.ardus-cntl > 209.132.177.50.http: S 2241857364:2241857364(0) win 64240 <mss 1460,nop,nop,sackOK>
14:53:42.458714 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 44822+ AAAA? www.bieringer.de. (34) OK
14:53:42.460346 IP 192.0.2.1.domain > 192.0.2.167.iad1: 44822 2/0/0 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (108)
14:53:42.463487 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 9749+ A? www.bieringer.de. (34) OK
14:53:42.535330 IP 192.0.2.1.domain > 192.0.2.167.iad1: 9749 2/2/3 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (203)
14:53:42.538728 IP6 2001:db8:1:1:e4bc:322a:a601:2345.1027 > 2001:a60:9002:1::186:3.http: S 2374075490:2374075490(0) win 16384 <mss 1432>
Conclusion
Not a proper implementation, but it looks like an internal mechanism
prevents the connection to the unexpected IPv6 address and prefers the
IPv4 address.
Solaris 10
Version
Solaris 10 U2
# uname -a
SunOS solaris10 5.10 Generic_118855-14 i86pc i386 i86pc
Result
# telnet www.redhat.com 80
Trying fec0::2...
telnet: connect to address fec0::2: Connection refused Unexpected, dangerous
Trying 209.132.177.50... OK
Connected to www.redhat.com.
Escape character is '^]'.
# telnet www.bieringer.de 80
Trying 2001:a60:9002:1::186:3... OK
Connected to www.bieringer.hosting.aerasec.de.
Escape character is '^]'.
Related TCPdump
18:13:18.683051 IP 192.0.2.235.32833 > 192.0.2.1.domain: 57476+ AAAA? www.redhat.com. (32) OK
18:13:19.121853 IP 192.0.2.1.domain > 192.0.2.235.32833: 57476 0/1/0 (76)
18:13:19.123030 IP 192.0.2.235.32834 > 192.0.2.1.domain: 57477+ AAAA? www.redhat.com.2.getaddrinfo.bieringer.de. (59) Unexpected and not needed at all
18:13:19.124519 IP 192.0.2.1.domain > 192.0.2.235.32834: 57477 1/0/0 AAAA fec0::2 (87)
18:13:19.125859 IP 192.0.2.235.32835 > 192.0.2.1.domain: 57478+ A? www.redhat.com. (32) OK
18:13:19.182860 IP 192.0.2.1.domain > 192.0.2.235.32835: 57478 1/3/3 A 209.132.177.50 (150)
18:13:19.189621 IP 192.0.2.235.32846 > 209.132.177.50.http: S 371870147:371870147(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK>
18:51:50.705531 IP 192.0.2.235.32815 > 192.0.2.1.domain: 21181+ AAAA? www.bieringer.de. (34) OK
18:51:50.751282 IP 192.0.2.1.domain > 192.0.2.235.32815: 21181 2/2/1 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (171) OK
18:51:50.755295 IP 192.0.2.235.32816 > 192.0.2.1.domain: 21182+ A? www.bieringer.de. (34) OK
18:51:50.756998 IP 192.0.2.1.domain > 192.0.2.235.32816: 21182 2/0/0 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (96)
18:51:50.769879 IP6 2001:db8:1:1:20c:29ff:fe01:2345.32798 > 2001:a60:9002:1::186:3.http: S 932233757:932233757(0) win 50120 <mss 1432,nop,wscale 0,nop,nop,sackOK>
Conclusion
Not a proper implementation: the behavior can lead to a connection to an
unexpected IPv6 address (the same happens as on Linux).
During the tests it was also found that when no global-scope address is
assigned locally, Solaris tries to connect to a global destination
address using a site-local address as the source address.
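To check other systems for the same behavior, the unexpected queries can be picked out of a tcpdump text capture automatically. The following is an added example, not part of the original research: the sample lines are copied from the Linux capture above with the trailing annotations removed, and the function name and regular expressions are assumptions written for this tcpdump output format.

```python
import re

# DNS lines copied from the Linux capture on this page (annotations removed).
CAPTURE = """\
14:13:43.423021 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 62386+ AAAA? www.redhat.com. (32)
14:13:43.478981 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 62386 0/1/0 (76)
14:13:43.479385 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 28035+ AAAA? www.redhat.com.2.getaddrinfo.bieringer.de. (59)
14:13:43.480718 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 28035 1/0/0 AAAA fec0::2 (87)
14:13:43.481164 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 38827+ A? www.redhat.com. (32)
14:13:43.538489 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 38827 1/3/3 A 209.132.177.50 (150)
14:26:10.295730 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 65370+ AAAA? www.bieringer.de. (34)
14:26:10.297302 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 65370 2/0/0 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (108)
"""
SEARCH = ["2.getaddrinfo.bieringer.de", "3.getaddrinfo.bieringer.de"]
# Query line: time, query id, record type, queried name (without final dot).
Q = re.compile(r"^(\S+) IP6? \S+ > \S+: (\d+)\+?\S* (A|AAAA)\? (\S+?)\. \(")
# Response line: query id and the answer count from "answers/authority/additional".
R = re.compile(r": (\d+)\S* (\d+)/\d+/\d+ ")


def leaked_queries(capture, search):
    """Return (time, type, typed_name, suffix) for every query that appended a
    search domain to a name which, queried as typed, returned an answer."""
    queries, answered_ids = {}, set()
    for line in capture.splitlines():
        q = Q.match(line)
        r = R.search(line)
        if q:
            # Keyed by query id only: fine for a short capture of one client.
            queries[q.group(2)] = (q.group(1), q.group(3), q.group(4))
        elif r and int(r.group(2)) > 0:
            answered_ids.add(r.group(1))
    resolved = {queries[i][2] for i in answered_ids if i in queries}
    hits = []
    for when, rtype, qname in queries.values():
        for suffix in search:
            typed = qname[: -len(suffix) - 1]
            if qname.endswith("." + suffix) and typed in resolved:
                hits.append((when, rtype, typed, suffix))
    return hits
```

Each hit is a lookup that left the host for the search domain's name servers although the typed name exists, which is the privacy leak described in the problem description.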