Patch-ID# 102167-03 Keywords: nss_dns.so.1 DNS security BIND 4.9.3 libresolv.so.2 Synopsis: SunOS 5.3: dns fix Date: Jul/18/96 Solaris Release: 2.3 SunOS release: 5.3 Unbundled Product: Unbundled Release: Topic: SunOS 5.3: dns fix BugId's fixed with this patch: 1174876 1207777 1253600 Changes incorporated in this version: 1253600 Relevant Architectures: sparc Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: 101359-02 or greater Obsoleted by: Files included with this patch: /usr/lib/nss_dns.so.1 Problem Description: 1253600 nss_dns.so.1 source modification and rebuild for BIND 4.9.3 (from 102167-02) 1207777 adding the 102167 patch adds a new security hole and increases traffic/delays (from 102167-01) 1174876 DNS spoofing possible in 5.3 when using DNS via /usr/lib/nss_dns.so.1 This patch protects the Name Service Switch (DNS Domain Name Service) backend from DNS spoofing. I.e. a hacker maps an IP address they own to a hostname that someone trusts (ex. 10.1.0.35 owned by Hacker.COM, to Trusted-host.my.com) allowing them to perhaps rlogin to another machine. The solution done in 4.x and the resolver library is after doing a gethostbyaddr() to do a gethostbyname() and check that the IP address given is one that belongs to the returned hostname. If IP address passed into gethostbyaddr() does not match an IP address returned from the gethostbyname() call a SPOOFING error message is syslog-ed and the gethostbyaddr() call returns failure (NOTFOUND). If the gethostbyname() call FAILS, then the hostname is returned. This is because some people like to register IP addresses BUT not the hostnames in DNS. through obscurity I guess). Patch Installation Instructions: -------------------------------- Refer to the Install.info file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. Any other special or non-generic installation instructions should be described below. Special Install Instructions: ----------------------------- This patch requires the sparc libresolv.so.2/BIND 4.9.3 patch, 101359-02, or greater, to be installed on the target system. It is recommended to install the following patches: 101739-12 or greater sendmail patch 103705-01 or greater rpc.nisd_resolv rebuild for BIND 4.9.3