A Security Problem and Proposed Correction With Widely Deployed DNS Software
Network Working Group                                          E. Gavron
Request for Comments: 1535                            ACES Research Inc.
Category: Informational                                     October 1993
A Security Problem and Proposed Correction
With Widely Deployed DNS Software
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard. Distribution of this memo is
unlimited.
Abstract
This document discusses a flaw in some of the currently distributed
name resolver clients. The flaw exposes a security weakness related
to the search heuristic invoked by these same resolvers when users
provide a partial domain name, and which is easy to exploit (although
not by the masses). This document points out the flaw, a case in
point, and a solution.
Background
Current Domain Name Server clients are designed to ease the burden of
remembering IP dotted quad addresses. As such they translate human-
readable names into addresses and other resource records. Part of
the translation process includes understanding and dealing with
hostnames that are not fully qualified domain names (FQDNs).
An absolute "rooted" FQDN is of the format {name}{.}
A non-"rooted" domain name is of the format {name}
A domain name may have many parts and typically these include the
host, domain, and type. Example: foobar.company.com or
fooschool.university.edu.
Flaw
The problem with most widely distributed resolvers based on the BSD
BIND resolver is that they attempt to resolve a partial name by
processing a search list of partial domains to be added to portions
of the specified host name until a DNS record is found. This
"feature" is disabled by default in the official BIND 4.9.2 release.
Example: A TELNET attempt by User@Machine.Tech.ACES.COM
to UnivHost.University.EDU
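The search heuristic described in this section, modelled as an added example (this code is not part of RFC 1535 or of BIND): the legacy candidate list treats the local domain and all of its ancestors as the implicit search list, which is an assumption about the pre-4.9.2 behaviour, and the hardened variant illustrates the correction of appending only explicitly configured domains and trying a dotted name as absolute first. The local domain Tech.ACES.COM and the target UnivHost.University.EDU are taken from the memo's example.

```python
from __future__ import annotations


def implicit_search_list(local_domain: str) -> list[str]:
    """Legacy heuristic (assumed): the local domain plus every ancestor of it."""
    labels = local_domain.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def legacy_candidates(name: str, local_domain: str) -> list[str]:
    """Queries a search-list resolver issues, in order, until one answers."""
    if name.endswith("."):                      # rooted FQDN: one lookup only
        return [name]
    cands = [f"{name}.{s}." for s in implicit_search_list(local_domain)]
    cands.append(name + ".")                    # the literal name comes last
    return cands


def hardened_candidates(name: str, search_list: list[str]) -> list[str]:
    """Corrected behaviour (editor's illustration): a dotted name is tried as
    absolute first, and only explicitly configured domains are appended."""
    if name.endswith("."):
        return [name]
    cands = [name + "."] if "." in name else []
    cands += [f"{name}.{s.rstrip('.')}." for s in search_list]
    return cands


def stray_queries(name: str, candidates: list[str], local_domain: str) -> list[str]:
    """Candidates that are neither the name as typed nor under the local
    domain: lookups the user never intended, answered by a foreign zone."""
    literal = name.rstrip(".").lower() + "."
    local = "." + local_domain.rstrip(".").lower() + "."
    return [c for c in candidates
            if c.lower() != literal and not c.lower().endswith(local)]


if __name__ == "__main__":
    # Constructed scenario from the memo: a host in Tech.ACES.COM reaching
    # for UnivHost.University.EDU without typing the trailing dot.
    target, local = "UnivHost.University.EDU", "Tech.ACES.COM"
    old = legacy_candidates(target, local)
    new = hardened_candidates(target, [local])
    print("legacy order:  ", old)
    print("legacy strays: ", stray_queries(target, old, local))
    print("hardened order:", new)
    print("hardened strays:", stray_queries(target, new, local))
```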
Gavron