Why depending on DNS Reverse resolution is badWed, 03 Apr 2013 - 18:10
I have been recently involved in a discussion about why I go around trying to stop applications from using and sometime even depending on DNS Reverse resolution (PTR records lookups).
There are 2 main reasons:
- In many networks you cannot really control the PTR records, so reverse resolution is simply broken
- Reverse resolution is bad when used for security protocols like GSSAPI
Let's start from the first point, which is easy to argue about. In a lot of cases the person setting up a service is not the same person controlling the DNS. Even more the DNS person/organization controlling the Forward Zone may not be at all the same one that controls the Reverse Zone.
This is true for the general internet usage (try asking your ISP to set a special PTR record for your residential public IP address ... laughs) but also for some corporate environments where the Network Ops may be so separate from the user installing a machine and rules to ask changes to DNS so complex that it is sometime simply too inconvenient to ask for changes, especially in temporary settings like Proof of Concept trials, etc.. This is not hypothetical, in my past life as consultant I've seen it all, and I can tell PTR records are broken more often than not.
So by this reason alone depending on a PTR record to obtain the actual name of a server is a pretty high bar and will inevitably be a barrier for adoption. It gets to silly levels if an application actually gets the 'right' name in input and then translates it into an IP only to attempt reverse resolution and fail. Users legitimately get pissed the app is so stupid as to throw away the name they just gave it. I just gave the name to you! Don't you see it!
It is surprising how many applications do this silly game when it comes with providing the target name to GSSAPI, which introduces the second point.
Why is it bad from a security point of view ? We understand that it is unfortunate for cases were reverse resolution is broken, but if reverse resolution is properly configured what is so bad depending on it ?
This is a little scenario I wrote up on the linux-nfs mailing list to explain how the fact rpc.gssd (the client that handles GSSAPI authentication on the kernel behalf in user space for the nfs client module) depends on reverse resolution can actually be exploited by an attacker.
Assume the following scenario:
- User Alice has access to secret documents that are automatically backed up daily by mounting a NFS share from secure.server.name
- Only Alice has write or read access to this server
- User Eve wants to get hold of those documents and is in a position to intercept and modify Alice's traffic
- There is a similar server available on the network that Alice has write access to called public.server.name
- Eve has read access on public.server.name
- The NFS servers use RPCSEC_GSS (Kerberos) to secure the communications and perform mutual authentication.
Note that Eve does not need to be controlling any of the servers, and it is sufficient for her to be able to spoof DNS replies.
Now the attack: Eve wants to fool Alice's computer to mount the public server's NFS share instead of the secure server one, so that the automatic backup job will copy Alice's secret documents to the public server where Eve has read access and can grab a copy.
Normally this is not possible, because the Kerberos protocol implies mutual authentication. Not only the user authenticates to a server by using a ticket, but the ticket is only usable by the right target server, therefore authentication fail if either the user or the server are not who they say they are.
In our case normally Alice will grab a ticket for email@example.com (GSSAPI Naming notation), which can be used exclusively to authenticate against the secure server. If Eve tries to redirect communication to the public server the authentication will fail because the public server is not able to decrypt the ticket.
However, rpc.gssd does a very bad thing(TM). When the client runs the mount command it uses the name provided on the command line to obtain the server's IP address, then ignores the fact we already have a name and proceeds to perform a reverse lookup to 'find' the server name.
What this means is that Eve can simply spoof the DNS to redirect Alice's computer to contact the wrong server and then later rpc.gssd will 'find' that the 'real' name of the server is public.server.name (Either because Eve spoofed the original forward resolution reply or by spoofing the reverse resolution reply later on).
Now Alice's computer will call into GSSAPI with the constructed name of firstname.lastname@example.org and when it connects to that server mutual authentication is successful because the ticket can be decrypted by the target server.
Eve just waits for Alice's computer to complete its backup on the wrong server on which she has read access, and grabs the documents.
This type of attack obviously is not limited to the NFS protocol but can be performed against any client that trusts DNS Reverse resolution to determine the target server's name. It is also not limited to GSSAPI, an SSL client might also be fooled the same way if it doesn't check the name that was provided in the URL but instead uses DNS Reverse resolution to validate the server certificate. Luckily I am not aware of any client doing that for HTTPS at least.
And that is all folks!