Patch-ID# 102165-04
Keywords: security DNS spoofing nss_dns.so.1 BIND 4.9.3 libresolv.so.2
Synopsis: SunOS 5.4: nss_dns.so.1 fixes
Date: Nov/03/97

Solaris Release: 2.4

SunOS Release: 5.4

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 102166

Topic: SunOS 5.4: nss_dns.so.1 fixes

BugId's fixed with this patch: 1174876 1207777 1253600 4068734

Changes incorporated in this version: 4068734

Relevant Architectures: sparc

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 102479-02 (or higher revs)

Obsoleted by:

Files included with this patch:

/usr/lib/nss_dns.so.1

Problem Description:

4068734 Patch 102165-03 and Patch 103706-01 fail to install under Jumpstart

(from 102165-03)

1253600 nss_dns.so.1 source modification and rebuild for BIND 4.9.3

(from 102165-02)

1207777 adding the 102167 patch adds a new security hole and increases traffic/delays

(from 102165-01)

1174876 DNS spoofing possible in 5.3 when using DNS via /usr/lib/nss_dns.so.1

This patch protects the Name Service Switch DNS (Domain Name Service) backend from DNS spoofing. That is, a hacker maps an IP address they own to a hostname that someone trusts (e.g. 10.1.0.35, owned by Hacker.COM, to Trusted-host.my.com), perhaps allowing them to rlogin to another machine.

The solution used in 4.x and in the resolver library is, after doing a gethostbyaddr(), to do a gethostbyname() and check that the IP address given is one that belongs to the returned hostname. If the IP address passed into gethostbyaddr() does not match an IP address returned from the gethostbyname() call, a SPOOFING error message is syslog-ed and the gethostbyaddr() call returns failure (NOTFOUND). If the gethostbyname() call FAILS, then the hostname is returned. This is because some people like to register IP addresses BUT not the hostnames in DNS (don't ask why, security through obscurity I guess).
(We will ignore the entire question of basing "security" on IP addresses)

Patch Installation Instructions:
--------------------------------
Refer to the Install.info file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. Any other special or non-generic installation instructions should be described below.

Special Install Instructions:
-----------------------------
This patch requires the sparc libresolv.so.2/BIND 4.9.3 patch, 102479-02, or newer, to be installed on the target system.

It is recommended to install the following patches:

102066-11 or newer sendmail patch
103706-01 or newer rpc.nisd_resolv rebuild for BIND 4.9.3
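
The check described under Problem Description (reverse lookup, then forward lookup, then compare), as an added example that is not code from the patch or from Sun's nss_dns.so.1 source. The names verdict, confirm_reverse and check_constructed are hypothetical, the 192.0.2.x addresses used with it are constructed, and the forward answer is passed in as a struct hostent rather than fetched with gethostbyname() so that the logic runs offline.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical names; not taken from the nss_dns.so.1 source. */
enum verdict { V_ACCEPT, V_UNVERIFIED, V_SPOOF };

/* fwd: gethostbyname() answer for the name gethostbyaddr() gave for addr. */
enum verdict confirm_reverse(struct in_addr addr, const char *name,
                             const struct hostent *fwd)
{
    char **ap;
    if (fwd == NULL)
        return V_UNVERIFIED;      /* forward lookup failed: name is returned */
    if (fwd->h_addrtype == AF_INET && fwd->h_length == (int)sizeof addr)
        for (ap = fwd->h_addr_list; *ap != NULL; ap++)
            if (memcmp(*ap, &addr, sizeof addr) == 0)
                return V_ACCEPT;  /* address belongs to the returned name */
    syslog(LOG_ERR, "SPOOFING: %s does not map back to %s",
           name, inet_ntoa(addr));
    return V_SPOOF;               /* caller reports NOTFOUND */
}

/* Offline driver: builds the forward answer from constructed strings
 * instead of querying DNS. nfwd < 0 simulates a failed gethostbyname(). */
enum verdict check_constructed(const char *claimed, const char *name,
                               const char *const fwd_ips[], int nfwd)
{
    struct in_addr addr, a[8];
    char *list[9];
    struct hostent he;
    int i;
    if (nfwd > 8 || inet_pton(AF_INET, claimed, &addr) != 1)
        return V_SPOOF;           /* fail closed on bad input */
    if (nfwd < 0)
        return confirm_reverse(addr, name, NULL);
    for (i = 0; i < nfwd; i++) {
        if (inet_pton(AF_INET, fwd_ips[i], &a[i]) != 1)
            return V_SPOOF;
        list[i] = (char *)&a[i];
    }
    list[nfwd] = NULL;
    memset(&he, 0, sizeof he);
    he.h_addrtype = AF_INET;
    he.h_length = sizeof addr;
    he.h_addr_list = list;
    return confirm_reverse(addr, name, &he);
}
```

The V_UNVERIFIED branch is the case the README calls out: a PTR record whose name has no forward record is still accepted, so the check only rejects names that resolve to a different address.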