[systemd-devel] Setting UseDomains=yes by default DHCP

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Mon May 18 05:26:26 PDT 2015


On Thu, Aug 14, 2014 at 01:27:19PM +0200, Tom Gundersen wrote:
> On Thu, Aug 14, 2014 at 1:11 PM, Lennart Poettering
> <lennart at poettering.net> wrote:
> >
> > UseDomain= should have the effect of adding the domains from dhcp option
> > 15 and 119 to the list of domains for the interface. And
> > sd_network_get_link_domains() should then return a single list, of
> > deduplicated entries, with the domains specified in Domains= first, and
> > then the dhcp domains possible added in at the end.
> >
> > Zbigniew, I think this simplification would be beneficial, as I really
> > don't see the need to make the search vs. route domain thing
> > configurable....
> >
> > Tom, what's your take on all of this?
> 
> 
> Sorry for taking forever to answer to this thread. I have been going
> back and forth in my mind about how this should look.
> 
> I think in the end I essentially agree with Lennart's last suggestion.
> Let's make this dead-simple and collapse the search/route domains for
> each link into a single list. I think this is fine given that we
> restrict the search behaviour to single-labels.

Sorry for taking forever to answer to this thread. I have been going
back and forth in my mind about how this should look. ;)

I now agree with what Lennart proposed too. This is partially implemented
now, and with UseDomains=yes, option 15 is used to to set 'search' field.

I think we should go a step further, and set UseDomains=yes by default,
to have 'search' populated in /etc/resolv.conf. I think the security
reservations are overstated:
iiuc, the concern was that multi-level domain names (i.e. those with at least
one dot) could be spoofed by controlling the search suffix. But for
names with at least two levels glibc only uses the search list as a fallback.
So to mount a successful spoof, the attacker needs to
a) control the dhcp server domain option to return a domain under attacker control
b) arrange for the user to resolve an invalid domain name

Considering that the attack can only work for domain names which would
not resolve otherwise, and requires either a misconfigured dhcp server
or control of some dns server, this doesn't seem very serious. After all,
there are more direct avenues of attack if one controls dhcp or dns traffic.

(Above was about traditional libc resolver. For systemd-resolved clients
I don't think we should ever suffix non-single-level domain names with anything.)

The story is sligthly different for single-level names. By setting UseDomains=yes
we allow the dhcp server some control over the resolution of those names.
But that seems natural too. If we want to allow LLMR or avahi, allowing
the dhcp server to also control local name resolution seems a natural extension.

Any reservations for making UseDomains=yes the default?

https://bugs.freedesktop.org/show_bug.cgi?id=85397

> My only hesitation has been that I can imagine someone wanting to add
> search domains that do not imply anything about routing. However, I
> think in this case it does not make much sense to make this per-link,
> but it should rather be a global SearchDomains= option (in
> resolved.conf) or something to that effect.
> 
> Zbigniew, Michael, what do you think?
> 
> Cheers,
> 
> Tom

Zbyszek


More information about the systemd-devel mailing list