[Bug 1978351] Re: MITM vector: ifupdown puts .domains TLD in resolv.conf

Tue Apr 4 11:57:19 UTC 2023

This is not a matter of CACHE poisoning. This is a 3rd-party owned
domain suffix being applied to every name resolution on the system.
Users deploying Kubernetes on these nodes will inherit this behavior in
kube-dns, for example.

Users' applications, package management, pods, and customer workloads
request google.com, they get google.com.domains.

$ host google.com
google.com has address 142.251.40.174
google.com has IPv6 address 2607:f8b0:4006:823::200e
google.com mail is handled by 10 smtp.google.com.

$ host google.com.domains
google.com.domains has address 18.164.96.15
google.com.domains has address 18.164.96.65
google.com.domains has address 18.164.96.63
google.com.domains has address 18.164.96.112

This extends well beyond google. Every hostname "foo.com" that is
registered on "com.domains" will be resolved to that com.domains domain.
Likewise for any TLD.

DNSSEC is not part of the configuration on Ubuntu's default package
management tools (debian, python, perl). Nor are curl, wget, or most of
the system tools that traverse the internet protected by DNSSEC.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ifupdown in Ubuntu.
https://bugs.launchpad.net/bugs/1978351

Title:
  MITM vector: ifupdown puts .domains TLD in resolv.conf

Status in ifupdown package in Ubuntu:
  Confirmed

Bug description:
  The bug described in
  https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1907878?comments=all
  is a security vulnerability because DNS names that would normally fail
  are now attempted as "foo.domains".

  ".domains" is a real TLD, with the registrar "Donuts, Inc." based in Bellvue, WA.
  "google.com.domains" is registered, for example. So is "test.domains".

  For users with ifupdown, any Internet request (especially that does
  not involve some cryptographic payload and destination signature
  verification) is potentially sending packets to an unintended
  audience. It's impossible to say, but likely, that malicious
  registrants are squatting sensitive and common names in the .domains
  TLD.

  The ifupdown package is still used by some cloud providers that have not adopted netplan.
  This vulnerability affects 22.04 and potentially other releases.

  This issue has not been corrected in 0.8.36+nmu1ubuntu4.

  With 0.8.36+nmu1ubuntu3 and after an update to 0.8.36+nmu1ubuntu4, the
  resolv.conf looks like the following (which is vulnerable to mitm
  attacks):

  ```
  root at foo:~# cat /etc/resolv.conf
  # This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
  # Do not edit.
  #
  # This file might be symlinked as /etc/resolv.conf. If you're looking at
  # /etc/resolv.conf and seeing this text, you have followed the symlink.
  #
  # This is a dynamic resolv.conf file for connecting local clients to the
  # internal DNS stub resolver of systemd-resolved. This file lists all
  # configured search domains.
  #
  # Run "resolvectl status" to see details about the uplink DNS servers
  # currently in use.
  #
  # Third party programs should typically not access this file directly, but only
  # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
  # different way, replace this symlink by a static file or a different symlink.
  #
  # See man:systemd-resolved.service(8) for details about the supported modes of
  # operation for /etc/resolv.conf.

  nameserver 127.0.0.53
  options edns0 trust-ad
  search DOMAINS
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1978351/+subscriptions