yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1088611] Re: using random hostnames to detect dns proxies allows for false positives

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Scott Moser <smoser@xxxxxxxxxx>
Date: Sat, 23 Sep 2017 02:13:14 -0000
Reply-to: Bug 1088611 <1088611@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug is believed to be fixed in cloud-init in 17.1. If this is still
a problem for you, please make a comment and set the state back to New

Thank you.

** Changed in: cloud-init
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1088611

Title:
  using random hostnames to detect dns proxies allows for false
  positives

Status in cloud-init:
  Fix Released
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Fix Released
Status in cloud-init source package in Zesty:
  Fix Released

Bug description:
  === Begin SRU Template ===
  [Impact]
  Prior to this fix, cloud-init attempts to detect dns redirection by doing
  dns queries for a random hostname and two invalid hostnames.  Then, if
  the result returned for the input value was the same as the response for
  the invalid query cloud-init would assume that result was also invalid.

  The change was to replace the random string with
    __cloud_init_expected_not_found__
  This is a valid hostname and resolution will use the 'search' path in
  resolv.conf where the other invalid domain names would not.

  [Test Case]
  The test case for this consists of excercising the the 'is_resolvable_url'
  method in cloudinit.util and watching dns queries.  To do this, see the
  following steps:
  a.) start an lxc container
     $ release=xenial
     $ name=$release-1088611
     $ lxc launch ubuntu-daily:$release $name
  b.) start a dnsmasq server
     $ ./run-dnsmasq lxdbr0
     ... 
     === listening on 10.75.205.2/24 ===

     # run-dnsmasq is attached and at
     #  https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/tree/bugs/lp-1088611/run-dnsmasq

  c.) point /etc/resolv.conf at your server ip
     $ lxc exec $name -- sh -c 'exec >/etc/resolv.conf;
         echo nameserver 10.75.205.2; echo search foo;'

  d.) perform query via is_resolvable_url watch dnsmasq output, expect
      to see the random query.
     $ lxc exec $name -- python3 -c 'import sys;
  from cloudinit.util import is_resolvable_url; 
  print(is_resolvable_url(sys.argv[1]))' http://ubuntu.com

  e.) upgrade to -proposed version
  f.) perform query via is_resolvable_url, expect to *not* see random query.

  [Regression Potential]
  Immediate regression seems unlikely.  Effectively the change in cloud-init
  code path was simply to change a dns lookup attempt from rand() to a defined
  string.

  We chose a random string initially to make it difficult for a dns server to
  circumvent cloud-init's attempt to identify dns redirection.  The regression
  path really then seems to involve a dns redirection service specifically
  provding a response for '__cloud_init_expected_not_found__' that differs
  from does-not-exist.example.com.  Cloud-init could then be tricked into
  believing that a apt mirror was valid where it previously would have
  identified the dns redirection.  The failure would be seen as errors
  in package installation or 'apt-get update'.

  [Other Info]
  Upstream commit at
    https://git.launchpad.net/cloud-init/commit/?id=42a7b34a12

  Original upstream commit at
    https://git.launchpad.net/cloud-init/commit/?id=1bb67be5bd

  === End SRU Template ===

  The fix that's been applied for bug #974509 checks for the presence of
  a redirector by looking of three hostnames, and treating as invalid
  any results pointing to a matching address:

   - does-not-exist.example.com.
   - example.invalid.
   - a random, unqualified 32-character alphanumeric hostname.

  The last of these carries a small but non-zero risk of colliding with
  a real hostname, and there's a small but non-zero risk that this host
  points to the same address as something we care about.  If possible,
  it would be better to not include this random-host lookup in the
  algorithm, as somewhere, some day, chances are there will eventually
  be a collision, causing an incomprehensible and unreproducible failure
  for a user.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1088611/+subscriptions