Naming Confusion Attack Vectors
Many lookup systems use simple algorithms to determine when to use gethostbyname and gethostbyaddr. Simple algorithms lead to simple exploits.
Numerical Names
One common algorithm for determining whether to perform a forward or reverse lookup checks the hostname for letters. If the hostname contains at least one letter, the system uses gethostbyname (forward lookup). Otherwise, gethostbyaddr (reverse lookup) is used.
Note: Simpler algorithms only check the first character. Most hostname strings do not begin with a number.
Assigning a numerical name to a host can easily defeat this system. For example, the following hostnames can be placed in a DNS server configuration file:
    491 IN A 10.1.3.49 ; hostname is "491"
    49.1 IN A 10.1.3.49 ; hostname is "49.1"
    49.1.2 IN A 10.1.3.49
    49.1.2.3 IN A 10.1.3.49
    49 in ptr 49.1.2.3. ; reverse of 10.1.3.49 is the name "49.1.2.3"
The first hostname, 491, is assigned the IP address 10.1.3.49. The value 491 is not a valid octet for an IP address, so it should not lead to any hostname confusion. The host and nslookup commands correctly find the IP address from the hostname; however, dig calls gethostbyaddr instead of gethostbyname. Hostnames without letters trigger the wrong lookup from dig. When using a hostname with numbers and dots, such as 49.1, 49.1.2, or 49.1.2.3, all three lookup programs use the incorrect gethostbyaddr call.
Similarly, reverse lookups can cause problems. The example IP address 10.1.3.49 resolves to the hostname 49.1.2.3. Although host and nslookup correctly perform the reverse lookup, dig does not.
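The following is an added example, not code from the tutorial or from any of the lookup tools it discusses. It implements the two string heuristics the text describes (any letter present, and first character only) alongside a strict check that only accepts a complete, well-formed IP address, and it compares which lookup call each heuristic would choose for the names in the zone-file example above. It also includes a small zone-file audit that flags A records whose owner name contains no letters and PTR records whose target has no letters, so an administrator can spot names that will confuse simple lookup tools before they are published. The sample names and zone lines are constructed for the example; the `owner IN type rdata ; comment` line layout it parses is an assumption matching the tutorial's listing, not a full zone-file parser.

```python
import ipaddress

# Constructed sample: owner names from the tutorial's zone-file example plus ordinary names.
SAMPLE_NAMES = ["491", "49.1", "49.1.2", "49.1.2.3", "10.1.3.49", "www.example.com", "1host"]

# Constructed zone-file lines mirroring the tutorial's example (assumed "owner IN type rdata ; comment").
SAMPLE_ZONE = """\
491 IN A 10.1.3.49 ; hostname is "491"
49.1 IN A 10.1.3.49 ; hostname is "49.1"
49.1.2 IN A 10.1.3.49
49.1.2.3 IN A 10.1.3.49
www IN A 10.1.3.50
49 IN PTR 49.1.2.3. ; reverse of 10.1.3.49 is the name "49.1.2.3"
"""


def naive_is_address(name: str) -> bool:
    """Heuristic from the tutorial: no letters anywhere means 'treat as an address'."""
    return not any(c.isalpha() for c in name)


def first_char_is_address(name: str) -> bool:
    """Even simpler heuristic from the Note: only the first character is examined."""
    return name[:1].isdigit()


def strict_is_address(name: str) -> bool:
    """Accept only a syntactically complete IPv4 or IPv6 address.

    Partial numeric strings such as "491" or "49.1.2" are rejected, so they
    fall through to a forward (gethostbyname) lookup instead of a reverse one.
    """
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


def choose_lookup(name: str, classifier=naive_is_address) -> str:
    """Return the resolver call a tool using `classifier` would make for `name`."""
    return "gethostbyaddr" if classifier(name) else "gethostbyname"


def misclassified(names, classifier=naive_is_address):
    """Names for which the heuristic picks a different call than the strict parser."""
    return [n for n in names
            if choose_lookup(n, classifier) != choose_lookup(n, strict_is_address)]


def audit_zone(text: str):
    """Flag records that will confuse letter-based heuristics.

    Returns (record type, offending name) pairs: A records whose owner name has
    no letters, and PTR records whose target name has no letters. Numeric PTR
    owners are normal in reverse zones and are not reported.
    """
    flagged = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 4:
            continue                          # blank or not in the assumed layout
        owner, rtype, rdata = fields[0], fields[2].upper(), fields[3]
        if rtype == "A" and naive_is_address(owner):
            flagged.append(("A", owner))
        elif rtype == "PTR" and naive_is_address(rdata.rstrip(".")):
            flagged.append(("PTR", rdata.rstrip(".")))
    return flagged


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:16} naive={choose_lookup(n):14} first-char={choose_lookup(n, first_char_is_address):14} "
              f"strict={choose_lookup(n, strict_is_address)}")
    print("misclassified by naive heuristic:", misclassified(SAMPLE_NAMES))
    print("zone records to review:", audit_zone(SAMPLE_ZONE))
```

Two things the run makes visible. First, the strict parser fixes the cases the text describes for 491, 49.1 and 49.1.2, but it cannot fix 49.1.2.3: that string is a syntactically valid IPv4 address, so no check on the string alone can tell the hostname apart from the address, and a tool must instead decide from context (for example, by treating an argument as a name unless a reverse lookup was explicitly requested). Second, the zone audit reports exactly the records an attacker-chosen numeric name would produce, which is the point at which an operator can refuse or rename them.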