Linux & IPv6: getaddrinfo and search domains - Research



Version: 0.01 from 2006-08-27
Copyright 2006 by Peter Bieringer <pb@bieringer.de>, original site of publishing: http://www.bieringer.de/linux/IPv6/
Unlimited non-commercial distribution of this document in its entirety is encouraged - please contact the author prior to commercial publication.
Suggestions, comments and improvements are welcome!


Problem description

Different implementations of search-domain handling in resolver libraries can cause the getaddrinfo library function to return unexpected addresses.

Scenario: an application wants to connect to www.redhat.com port 80 and uses the getaddrinfo resolver function.
Behavior of certain operating systems: if search domains are configured, getaddrinfo can return IPv6 and IPv4 addresses belonging to different hosts.
Example: getaddrinfo returns:
fec0::2 (www.redhat.com.2.getaddrinfo.bieringer.de)
209.132.177.50 (www.redhat.com)
Security impact: if the application prefers IPv6, it tries to connect to the wrong host; this can be used e.g. for man-in-the-middle attacks.
Privacy impact: unnecessary AAAA queries are sent to the DNS servers authoritative for the search domains, which can be used for tracking.

It appears that it is nowhere properly defined (e.g. in an RFC) when and how search domains are to be used for lookups.
I've created a "reference" implementation in Perl (getaddrinfo-reference.pl) which behaves the way administrators (at least I) would expect with respect to queries and results.
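The mismatch described above, as an added example in Python (not the author's Perl getaddrinfo-reference.pl): a constructed stand-in for the DNS data used on this page, with the per-record-type search observed on glibc and Solaris next to the per-name search a reference implementation should provide. The search list and zone contents are assumptions modelled on the captures further down.

```python
# Constructed zone data mirroring the page: www.redhat.com has only an A
# record; the wildcard *.2.getaddrinfo.bieringer.de answers AAAA for any name.
ZONE = {
    ("www.redhat.com", "A"): ["209.132.177.50"],
    ("www.bieringer.de", "A"): ["212.18.21.186"],
    ("www.bieringer.de", "AAAA"): ["2001:a60:9002:1::186:3"],
}
WILDCARDS = {("2.getaddrinfo.bieringer.de", "AAAA"): ["fec0::2"]}
SEARCH = ["2.getaddrinfo.bieringer.de"]  # assumed resolv.conf "search" list

def query(name, rrtype):
    """Stand-in for one DNS query: exact name first, then wildcard match."""
    if (name, rrtype) in ZONE:
        return ZONE[(name, rrtype)]
    for (suffix, t), addrs in WILDCARDS.items():
        if t == rrtype and name.endswith("." + suffix):
            return addrs
    return []

def candidates(host):
    """Literal name first, then name + each search domain (as in the captures)."""
    return [host] + [f"{host}.{d}" for d in SEARCH]

def getaddrinfo_observed(host):
    """Per-record-type search (glibc/Solaris in the captures): each type walks
    the candidate list on its own, so AAAA and A may come from different names."""
    results = []
    for rrtype in ("AAAA", "A"):
        for name in candidates(host):
            if query(name, rrtype):
                results += [(a, name) for a in query(name, rrtype)]
                break
    return results

def getaddrinfo_reference(host):
    """Per-name search: a candidate is abandoned only if it has neither AAAA
    nor A, so every returned address belongs to the same host."""
    for name in candidates(host):
        addrs = [(a, name) for t in ("AAAA", "A") for a in query(name, t)]
        if addrs:
            return addrs
    return []

def hosts_consistent(results):
    """Application-side check: all returned addresses share one owner name."""
    return len({name for _, name in results}) <= 1
```

An application that cannot change the resolver can at least apply hosts_consistent() to the (address, owner name) pairs and refuse to connect when the set is mixed.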

See also:

Summary

The table below summarizes the research results.

Operating System    | Version        | Unexpected use of search domains (1) | Unexpected connect to address returned by unexpected use of search domain (2) | Comments
--------------------|----------------|--------------------------------------|-------------------------------------------------------------------------------|---------
FreeBSD             | 6.1            | no                                   | n/a, because no unexpected use was seen at all                                |
Linux (using glibc) | Fedora Core 5  | yes                                  | yes                                                                           |
Microsoft Windows   | XP SP2         | yes                                  | no                                                                            |
Sun Solaris         | 10 U2          | yes                                  | yes                                                                           |

(1) search domains are used during the lookup although this is unexpected, because normally they are not needed
(2) the address(es) returned by the unexpected lookups are preferred and connected to first

Research

Below are the results for some major operating systems (feel free to contribute missing ones, e.g. AIX, Linux using dietlibc).

Test configuration

Prerequirements

Connectivity check on the test hosts (# prompt: Unix-like systems, > prompt: Windows):

# ping www.bieringer.de
# ping6 www.ipv6.bieringer.de
> ping www.bieringer.de
> ping6 www.ipv6.bieringer.de
# ping www.bieringer.de
# ping www.ipv6.bieringer.de

Check of the test zones:

# dig +short any test.2.getaddrinfo.bieringer.de
fec0::2
"*.2.getaddrinfo.bieringer.de has AAAA and a TXT record"

# dig +short any test.3.getaddrinfo.bieringer.de
127.0.0.3
"*.3.getaddrinfo.bieringer.de has A and a TXT record"

# dig +short any test.2g.getaddrinfo.bieringer.de
2001:db8::2
"*.2g.getaddrinfo.bieringer.de has AAAA and a TXT record"
>nslookup -q=any  test.2.getaddrinfo.bieringer.de.
Server: router
Address: 192.0.2.1

Nicht autorisierte Antwort:
test.2.getaddrinfo.bieringer.de AAAA IPv6 address = fec0::2
test.2.getaddrinfo.bieringer.de text =

"*.2.getaddrinfo.bieringer.de has AAAA and a TXT record"

getaddrinfo.bieringer.de nameserver = ns.bieringer.de
ns.bieringer.de internet address = 212.18.21.188
ns.bieringer.de AAAA IPv6 address = 2001:a60:9002:1::188:1

>nslookup -q=any test.2g.getaddrinfo.bieringer.de.
Server: linksys192.lan
Address: 192.0.2.1

Nicht autorisierte Antwort:
test.2g.getaddrinfo.bieringer.de AAAA IPv6 address = 2001:db8::2

getaddrinfo.bieringer.de nameserver = ns.bieringer.de
ns.bieringer.de internet address = 212.18.21.188
ns.bieringer.de AAAA IPv6 address = 2001:a60:9002:1::188:1

>nslookup -q=any test.3.getaddrinfo.bieringer.de.
Server: linksys192.lan
Address: 192.0.2.1

Nicht autorisierte Antwort:
test.3.getaddrinfo.bieringer.de internet address = 127.0.0.3
test.3.getaddrinfo.bieringer.de text =

"*.3.getaddrinfo.bieringer.de has A and a TXT record"

getaddrinfo.bieringer.de nameserver = ns.bieringer.de
ns.bieringer.de internet address = 212.18.21.188
ns.bieringer.de AAAA IPv6 address = 2001:a60:9002:1::188:1

Test scenario

Search domains used in the test configuration:
2g.getaddrinfo.bieringer.de
3.getaddrinfo.bieringer.de

Local assignment of the address fec0::2 returned by the wildcard AAAA record:
# ip addr add fec0::2/64 dev eth0
# ifconfig lnc0 inet6 fec0::2/64

Test commands:
# telnet www.redhat.com 80
# telnet www.bieringer.de 80

Results

FreeBSD

Version
freebsd# uname -a
FreeBSD freebsd 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May  7 04:32:43 UTC 2006     root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
Result
# telnet www.redhat.com 80
Trying 209.132.177.50... OK
Connected to www.redhat.com.
Escape character is '^]'.

# telnet www.bieringer.de 80
Trying 2001:a60:9002:1::186:3... OK
Connected to www.bieringer.hosting.aerasec.de.
Escape character is '^]'.
Related TCPdump
14:22:58.321637 IP 192.0.2.247.54510 > 192.0.2.1.domain:  34720+ A? www.redhat.com. (32) OK
14:22:58.378958 IP 192.0.2.1.domain > 192.0.2.247.54510: 34720 1/3/3 A 209.132.177.50 (150)
14:22:58.379770 IP 192.0.2.247.64705 > 192.0.2.1.domain: 34721+ AAAA? www.redhat.com. (32) OK
14:22:58.381385 IP 192.0.2.1.domain > 192.0.2.247.64705: 34721 0/0/0 (32)
14:24:52.323505 IP 192.0.2.247.56440 > 192.0.2.1.domain: 31319+ A? www.bieringer.de. (34) OK
14:24:52.368232 IP 192.0.2.1.domain > 192.0.2.247.56440: 31319 2/2/3 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (203)
14:24:52.369093 IP 192.0.2.247.64067 > 192.0.2.1.domain: 31320+ AAAA? www.bieringer.de. (34) OK
14:24:52.415152 IP 192.0.2.1.domain > 192.0.2.247.64067: 31320 2/2/3 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (215)
Conclusion
Proper implementation: no use of search domains, because there is no need for additional lookups.

Linux

Version
Distribution: Fedora Core 5
Kernel: kernel-2.6.17-1.2174_FC5
Glibc: glibc-2.4-8
# uname -a
Linux linux-fedoracore-5 2.6.17-1.2174_FC5 #1 Tue Aug 8 15:30:55 EDT 2006 i686 athlon i386 GNU/Linux
Result
# telnet www.redhat.com 80
Trying fec0::2...
telnet: connect to address fec0::2: Connection refused Unexpected, dangerous
Trying 209.132.177.50... OK
Connected to www.redhat.com.

# telnet www.bieringer.de 80
Trying 2001:a60:9002:1::186:3... OK
Connected to www.bieringer.de.
Escape character is '^]'.
Related TCPdump
14:13:43.423021 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain:  62386+ AAAA? www.redhat.com. (32) OK
14:13:43.478981 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa:  62386 0/1/0 (76)
14:13:43.479385 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain:  28035+ AAAA? www.redhat.com.2.getaddrinfo.bieringer.de. (59) Unexpected and not needed at all
14:13:43.480718 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa:  28035 1/0/0 AAAA fec0::2 (87)
14:13:43.481164 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain:  38827+ A? www.redhat.com. (32) OK
14:13:43.538489 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa:  38827 1/3/3 A 209.132.177.50 (150)

14:26:10.295730 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 65370+ AAAA? www.bieringer.de. (34) OK
14:26:10.297302 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 65370 2/0/0 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (108)
14:26:10.297719 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 62122+ A? www.bieringer.de. (34) OK
14:26:10.299189 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 62122 2/0/0 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (96)
Conclusion
No proper implementation: the behavior can lead to a connection to an unexpected IPv6 address.
getaddrinfo can return addresses of different hosts to the application.

Microsoft Windows XP

Version
Windows XP SP2
Result
> telnet www.redhat.com 80

> telnet www.bieringer.de 80
Related TCPdump
15:11:50.978326 IP 192.0.2.167.iad1 > 192.0.2.1.domain:  57811+ AAAA? www.redhat.com. (32) OK
15:11:51.040163 IP 192.0.2.1.domain > 192.0.2.167.iad1: 57811 0/1/0 (76)
15:11:51.041039 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 32468+ AAAA? www.redhat.com.2g.getaddrinfo.bieringer.de. (60) Unexpected and not needed at all
15:11:51.086047 IP 192.0.2.1.domain > 192.0.2.167.iad1: 32468 1/1/2 AAAA 2001:db8::2 (149)
15:11:51.089207 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 2006+ A? www.redhat.com. (32) OK
15:11:51.147964 IP 192.0.2.1.domain > 192.0.2.167.iad1: 2006 1/3/3 A 209.132.177.50 (150)
15:11:51.228869 IP 192.0.2.167.ardus-mtrns > 192.0.2.1.domain: 1+ PTR? 50.177.132.209.in-addr.arpa. (45)
15:11:51.228886 IP 192.0.2.167.ardus-mtrns > 192.0.2.1.domain: 1+ PTR? 50.177.132.209.in-addr.arpa. (45)
15:11:51.295876 IP 192.0.2.1.domain > 192.0.2.167.ardus-mtrns: 1 1/3/3 PTR www.redhat.com. (175)
15:11:53.231724 IP 192.0.2.167.ardus-cntl > 209.132.177.50.http: S 2241857364:2241857364(0) win 64240 <mss 1460,nop,nop,sackOK>

14:53:42.458714 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 44822+ AAAA? www.bieringer.de. (34) OK
14:53:42.460346 IP 192.0.2.1.domain > 192.0.2.167.iad1: 44822 2/0/0 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (108)
14:53:42.463487 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 9749+ A? www.bieringer.de. (34) OK
14:53:42.535330 IP 192.0.2.1.domain > 192.0.2.167.iad1: 9749 2/2/3 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (203)
14:53:42.538728 IP6 2001:db8:1:1:e4bc:322a:a601:2345.1027 > 2001:a60:9002:1::186:3.http: S 2374075490:2374075490(0) win 16384 <mss 1432>
Conclusion
No proper implementation, but it looks like an internal mechanism prevents the connection to the unexpected IPv6 address and prefers the IPv4 address.

Solaris 10

Version
Solaris 10 U2
# uname -a
SunOS solaris10 5.10 Generic_118855-14 i86pc i386 i86pc
Result
# telnet www.redhat.com 80
Trying fec0::2...
telnet: connect to address fec0::2: Connection refused Unexpected, dangerous
Trying 209.132.177.50... OK
Connected to www.redhat.com.
Escape character is '^]'.
# telnet www.bieringer.de 80
Trying 2001:a60:9002:1::186:3... OK
Connected to www.bieringer.hosting.aerasec.de.
Escape character is '^]'.
Related TCPdump
18:13:18.683051 IP 192.0.2.235.32833 > 192.0.2.1.domain:  57476+ AAAA? www.redhat.com. (32) OK
18:13:19.121853 IP 192.0.2.1.domain > 192.0.2.235.32833: 57476 0/1/0 (76)
18:13:19.123030 IP 192.0.2.235.32834 > 192.0.2.1.domain: 57477+ AAAA? www.redhat.com.2.getaddrinfo.bieringer.de. (59) Unexpected and not needed at all
18:13:19.124519 IP 192.0.2.1.domain > 192.0.2.235.32834: 57477 1/0/0 AAAA fec0::2 (87)
18:13:19.125859 IP 192.0.2.235.32835 > 192.0.2.1.domain: 57478+ A? www.redhat.com. (32) OK
18:13:19.182860 IP 192.0.2.1.domain > 192.0.2.235.32835: 57478 1/3/3 A 209.132.177.50 (150)
18:13:19.189621 IP 192.0.2.235.32846 > 209.132.177.50.http: S 371870147:371870147(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK>

18:51:50.705531 IP 192.0.2.235.32815 > 192.0.2.1.domain: 21181+ AAAA? www.bieringer.de. (34) OK
18:51:50.751282 IP 192.0.2.1.domain > 192.0.2.235.32815: 21181 2/2/1 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (171) OK
18:51:50.755295 IP 192.0.2.235.32816 > 192.0.2.1.domain: 21182+ A? www.bieringer.de. (34) OK
18:51:50.756998 IP 192.0.2.1.domain > 192.0.2.235.32816: 21182 2/0/0 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (96)
18:51:50.769879 IP6 2001:db8:1:1:20c:29ff:fe01:2345.32798 > 2001:a60:9002:1::186:3.http: S 932233757:932233757(0) win 50120 <mss 1432,nop,wscale 0,nop,nop,sackOK>
Conclusion
No proper implementation: the behavior can lead to a connection to an unexpected IPv6 address (the same happens as on Linux).
During the tests it was also found that if no global-scope address is assigned locally, Solaris tries to connect to a global destination address using a site-local address as source.
