problem with DNS lookups on non-IPv4-only-mode?

Dan Kaminsky dan at doxpara.com
Thu Jun 10 09:59:51 EST 2004


Damien Miller wrote:

>Dan Kaminsky wrote:
>
>>2)  Doing a DNS lookup for a non-existent target.
>
>That will freeze, because there isn't a good cross-platform async
>DNS 
>
Well, there's always:

a) Wrapping gethostbyname in a thread (requires server mods)
b) Executing "host" or "nslookup" over a channel.

>>This is ultimately a fundamental weakness in the sshd architecture, 
>
>I don't think this is an architectural problem - we already do
>everything else in an event-driven manner. If there was a decent
>async DNS API we could do this too.
>
It's totally an architectural problem, very much like that Cisco fault a 
while back where unresolved packets in unassigned protocols would 
eventually cause the entire system to fall over.  If one channel kills 
the rest, there's an architectural fault.

Now, an easy or elegant to resolve fault, it ain't :-)

>It would be possible to fake one up - fork a child for DNS resolution
>and have it send back a list of { af, addr }. One would need to be
>careful wrt limits on the number of such children, reaping them, etc.
>
*nods*

>>the only ironclad solution
>
>For now, don't use hostnames in forwarding specifications.
>
He needs to; it's insecure to trust local DNS (the #1 problem with 
dynamic forwarding).

--Dan
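Damien's sketch above (fork a child for DNS resolution and have it send back a list of { af, addr }, with care taken over the number of children and reaping them) together with Dan's point that one stalled lookup must not take the other channels down with it, written out as an added example in C. This is not OpenSSH code and not code from anyone in the thread; the record layout, the MAX_RESOLVERS cap, the per-record timeout and all function names are assumptions chosen for illustration, and main() looks up a numeric address so the example runs without network access.

```c
/* Added example, not OpenSSH code: a forked helper child runs the blocking
 * lookup and streams { af, addr } records back over a pipe, so the parent's
 * event loop never blocks on DNS.  Limits, names and record layout are
 * assumptions chosen for illustration. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_RESOLVERS 8   /* cap on concurrent helper children (assumed) */
#define MAX_RESULTS   16  /* cap on records the parent will accept */

struct resolved_addr {      /* fixed-size record sent by the child */
    int af;                 /* AF_INET or AF_INET6 */
    unsigned char addr[16]; /* 4 or 16 significant bytes */
};
struct resolver { pid_t pid; int fd; };  /* one in-flight lookup */
static int active_resolvers = 0;         /* checked against MAX_RESOLVERS */

/* Child: perform the blocking getaddrinfo(3), write records, exit. */
static void resolver_child(int wfd, const char *host)
{
    struct addrinfo hints, *res, *ai;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        _exit(1);               /* parent sees EOF with zero records */
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        struct resolved_addr r;
        memset(&r, 0, sizeof r);
        r.af = ai->ai_family;
        if (ai->ai_family == AF_INET)
            memcpy(r.addr, &((struct sockaddr_in *)ai->ai_addr)->sin_addr, 4);
        else if (ai->ai_family == AF_INET6)
            memcpy(r.addr, &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 16);
        else
            continue;
        if (write(wfd, &r, sizeof r) != (ssize_t)sizeof r)
            break;              /* parent went away; stop quietly */
    }
    freeaddrinfo(res);
    _exit(0);
}

/* Parent: start a lookup without blocking.  Returns -1 at the child limit
 * or on pipe/fork failure; the caller treats that as "unresolved". */
static int resolver_start(struct resolver *rs, const char *host)
{
    int p[2];
    pid_t pid;
    if (active_resolvers >= MAX_RESOLVERS || pipe(p) == -1)
        return -1;
    pid = fork();
    if (pid == -1) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) { close(p[0]); resolver_child(p[1], host); }
    close(p[1]);
    rs->pid = pid;
    rs->fd = p[0];
    active_resolvers++;
    return 0;
}

/* Parent: gather records, waiting at most timeout_ms for each one.  Returns
 * the record count, or -1 if the child stalled (it is then killed).  The
 * child is always reaped, so a slow or dead resolver leaves no zombie. */
static int resolver_collect(struct resolver *rs, struct resolved_addr *out,
                            int max, int timeout_ms)
{
    struct pollfd pfd = { .fd = rs->fd, .events = POLLIN };
    int n = 0, status;
    while (n < max) {
        int rv = poll(&pfd, 1, timeout_ms);
        if (rv <= 0) { kill(rs->pid, SIGKILL); n = -1; break; }
        ssize_t got = read(rs->fd, &out[n], sizeof out[n]);
        if (got <= 0) break;    /* EOF: child finished or died */
        if (got == (ssize_t)sizeof out[n]) n++;
    }
    close(rs->fd);
    waitpid(rs->pid, &status, 0);
    active_resolvers--;
    return n;
}

/* One lookup, one bounded wait.  A server would instead add rs->fd to its
 * poll set and call resolver_collect() once the fd becomes readable. */
static int resolve_with_timeout(const char *host, struct resolved_addr *out,
                                int max, int timeout_ms)
{
    struct resolver rs;
    if (resolver_start(&rs, host) == -1)
        return -1;
    return resolver_collect(&rs, out, max, timeout_ms);
}

int main(void)
{
    struct resolved_addr out[MAX_RESULTS];
    char buf[INET6_ADDRSTRLEN];
    int n = resolve_with_timeout("127.0.0.1", out, MAX_RESULTS, 2000);
    for (int i = 0; i < n; i++)
        printf("%s af=%d\n", inet_ntop(out[i].af, out[i].addr, buf, sizeof buf), out[i].af);
    return 0;
}
```

The per-record poll timeout is what turns a hung resolver into a bounded, recoverable failure for one channel instead of a stall for the whole process; the waitpid() on every path is what keeps the child count honest, so the MAX_RESOLVERS cap cannot be exhausted by zombies.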