[systemd-devel] Systems-resolved: Calling gethostbyaddr on non-local/non-private causes connection attempt

Anthony_Fuller at trendmicro.com Anthony_Fuller at trendmicro.com
Thu Feb 22 23:13:27 UTC 2024


Hi Cristian,

I had to look up nss-resolve and indeed both LLMNR and systemd-resolved are mentioned in the description. In my test VM, `apt-cache policy` is showing that the libnss-resolve package is installed.

I removed it using `apt purge libnss-resolve` and checked the journalctl logs again while re-running the Python script, and I continue to see outbound connections on port 5355 being logged.

I restarted the VM (to ensure the plugin was no longer loaded) and re-ran the nftables rule and Python script, but I continue to see the outbound connections with each invocation of gethostbyaddr.

Let me know what else I can investigate; this is new territory for me.

Thanks,
Anthony

From: Cristian Rodríguez <crrodriguez at opensuse.org>
Date: Thursday, February 22, 2024 at 4:48 PM
To: Anthony Fuller (TR-NA) <Anthony_Fuller at trendmicro.com>
Cc: systemd-devel at lists.freedesktop.org <systemd-devel at lists.freedesktop.org>
Subject: Re: [systemd-devel] Systems-resolved: Calling gethostbyaddr on non-local/non-private causes connection attempt

On Thu, Feb 22, 2024 at 2:09 PM Anthony_Fuller at trendmicro.com
<Anthony_Fuller at trendmicro.com> wrote:

>
> Port 5355 is used for LLMNR, and RFC-4795 [4] states in the abstract that “LLMNR only operates on the local link”, so I think the current behavior of contacting hosts on port 5355 is incorrect, especially if that host IP is not link-local and not in the private IP range.

I cannot reproduce your issue. Are you using the nss module "resolve", perhaps?
