This is the old XigmaNAS forum in read-only mode;
it will be taken offline by the end of March 2021!



I would like to ask users and admins to rewrite/take over important posts from here into the new main forum!
It is not possible for us to export from here and import into the main forum!

*****n4f 9.2 security warning*****

Post by bart357 » (Starter, Posts: 40, Joined: 28 Jun 2012 13:50)

If anyone would like to reproduce this bug, here is an idea!
Although I have not tested this, I think it will work.

If you are running your own DNS server, create a client "dhcp.mylocal.lan" and make sure it resolves to an IP on your network.

Reboot a 9.2 test machine in DHCP mode and look at your route.
You can also try a static IP and then watch CIFS fall apart.

Take care

Post by bart357 »

If you are running a BIND 9 DNS server, you can see the problem in action by turning on querylog and then looking at syslog.

rndc querylog
tail -f /var/log/syslog

Boot an n4f server in DHCP mode and watch the tail output.

To turn off querylog, run "rndc querylog" again; you don't want that on all the time.

The problem is very easy to reproduce with live CDs as well.

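As an added example (not part of bart357's post and not NAS4Free code), here is a scanner for the syslog output that the querylog procedure above produces. It takes BIND 9 querylog lines, pulls out the client address and the query name, and reports which hosts asked for dhcp.<search domain> and how often, so you can pick out the box doing the lookup without watching the tail by eye. The log lines embedded below are constructed; the search domain mylocal.lan and the resolver address 192.168.1.10 are assumptions. The regex accepts both querylog shapes BIND has used (with and without the client pointer and the parenthesised name after the port).

```python
import re
from collections import defaultdict

# BIND 9 querylog entries as they land in syslog. After the syslog prefix the
# line looks like
#   client 192.168.1.28#53421: query: dhcp.mylocal.lan IN A + (192.168.1.10)
# in older releases and, in newer ones,
#   client @0x7f3a1c0d2e40 192.168.1.50#61002 (www.example.com): query: www.example.com IN A +E(0) (192.168.1.10)
# Both shapes are matched; whatever precedes "client" is ignored.
QUERYLOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) "
)


def parse_querylog(lines):
    """Yield (client_ip, qname, qtype) for every line that is a querylog entry.

    Names are normalised: trailing dot stripped, lower-cased.
    """
    for line in lines:
        m = QUERYLOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def find_dhcp_lookups(lines, search_domains):
    """Return {client_ip: count} of A/AAAA lookups for dhcp.<search domain>.

    This is the lookup the thread is about: a client that sends it is the one
    that will be handed an address if the upstream resolver rewrites NXDOMAIN
    into an A record, so the client list is the list of boxes to go and check.
    """
    wanted = {"dhcp." + d.strip(".").lower() for d in search_domains}
    hits = defaultdict(int)
    for client, qname, qtype in parse_querylog(lines):
        if qtype in ("A", "AAAA") and qname in wanted:
            hits[client] += 1
    return dict(hits)


# Constructed sample syslog extract (not from the thread). 192.168.1.28 plays
# the n4f box booting with DHCP (the lookup shows up twice, as observed in the
# thread, plus an AAAA); 192.168.1.50 is an ordinary client that does it once.
SAMPLE_SYSLOG = """\
May  6 10:41:02 ns1 named[1234]: client 192.168.1.28#53421: query: dhcp.mylocal.lan IN A + (192.168.1.10)
May  6 10:41:02 ns1 named[1234]: client 192.168.1.28#53421: query: dhcp.mylocal.lan IN AAAA + (192.168.1.10)
May  6 10:41:03 ns1 named[1234]: client 192.168.1.28#41755: query: dhcp.mylocal.lan IN A + (192.168.1.10)
May  6 10:41:05 ns1 named[1234]: client @0x7f3a1c0d2e40 192.168.1.50#61002 (www.example.com): query: www.example.com IN A +E(0) (192.168.1.10)
May  6 10:41:07 ns1 named[1234]: client 192.168.1.50#61003: query: dhcp.mylocal.lan. IN A + (192.168.1.10)
May  6 10:41:08 ns1 named[1234]: client 192.168.1.50#61004: query: nas.mylocal.lan IN A + (192.168.1.10)
""".splitlines()


if __name__ == "__main__":
    # Real use: python3 thisfile.py < /var/log/syslog, after "rndc querylog".
    for client, n in sorted(find_dhcp_lookups(SAMPLE_SYSLOG, ["mylocal.lan"]).items()):
        print(f"{client}: {n} lookup(s) for dhcp.mylocal.lan")
```

Feed it the syslog file instead of the sample to use it for real; pass every domain in your clients' search lists, since the name queried is "dhcp" with the search domain appended.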
Post by bart357 »

I feel as if everything that I have said has been totally disregarded, what a shame.

This is my last post on this problem.

Here is my route using my ISP's DNS server.

For now I will just use a different DNS server so my route is correct.

$ netstat -rn
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGS 0 58 re0
66.152.109.0/24 link#1 U 0 21 re0
66.152.109.110 link#1 UHS 0 0 lo0
127.0.0.1 link#11 UH 0 1417 lo0
192.168.1.0/24 link#1 U 0 567 re0
192.168.1.28 link#1 UHS 0 0 lo0

Internet6:
Destination Gateway Flags Netif Expire
::1 link#11 UH lo0
fe80::%lo0/64 link#11 U lo0
fe80::1%lo0 link#11 UHS lo0
ff01::%lo0/32 ::1 U lo0
ff02::%lo0/32 ::1 U lo0

Post by jandegr » (Starter, Posts: 44, Joined: 23 Jun 2012 17:41, Location: Belgium)

I confirm the bug. In my tests, feeding fabricated IPs to the infamous
query for dhcp.xxx led to other, but also unwanted, results.
If, contrary to all that was posted before, someone wants to check it out,
concentrate on the query, not the outcome of it.
Thanks for reporting this, Bart.

regards,
Jan

Post by dreamcat4 » (experienced User, Posts: 111, Joined: 21 Mar 2014 21:59)

I didn't have a system to reproduce this myself, but the report sounded genuine and unexplained. I am pleased to hear that somebody (Jan) has also finally been able to reproduce the bug on another system.

What might be nice to know now is whether it's something specific to NAS4Free or a more general FreeBSD bug, or only affecting a specific version of FreeBSD / NAS4Free that has moved on since 9.2.

Here is also a link to the bug report on SourceForge:

http://sourceforge.net/p/nas4free/bugs/172/

Many thanks.

Post by jandegr »

A picture to decorate this thread:
hostname: testnas
domain: test.nas4free
x.x.x.109 runs my fake DNS server
(image)
regards,
Jan
Last edited by jandegr on 06 May 2014 11:02, edited 1 time in total.

Post by jandegr »

bart357 wrote: it looks as if the n4f client asks DHCP for an address twice.
I confirm; even if it already received a valid answer to the first request, it does so.
It also shows in the log: dhclient gets called twice.

Post by bart357 »

FreeBSD-9.2-RELEASE-amd64-disc1.iso asks DHCP 4 times for an IP and gets a proper route.

The problem is that DNS is returning an IP in some cases (in n4f only), and if an IP is returned it is added to the route.

FreeBSD-9.2-RELEASE-amd64-disc1.iso does not ask DNS to query for dhcp.xxx.xxx; only nas4free does this lookup.

Thanks for confirming Jan.

take care.

Post by dreamcat4 »

Hmm. No idea. My best guess: try to change the following code:

Code:

/etc/rc.d/hostname:
		# If we're not in a jail and rc.conf doesn't specify a
		# hostname, see if we can get one from kenv.
		#
		if [ -z "${hostname}" -a \
		    -n "`/bin/kenv dhcp.host-name 2> /dev/null`" ]; then
			hostname=`/bin/kenv dhcp.host-name`
		fi
instead put:

Code:

		if [ -z "${hostname}" ]; then
			hostname="whatever"
		fi
* See if problem still occurs.
* See if hostname="whatever".

Of course, I can also be 100% incorrect about that :P

Post by bart357 »

You are on to something dreamcat4. It is something to do with kenv and those scripts.
I will look at this tonight.
Take care

Post by jandegr »

dreamcat4 wrote: * See if problem still occurs.
* See if hostname="whatever".
Does not help for me; besides, I already had a hostname in rc.conf, so it would never get there,
but maybe it helps for Bart, he has a very special LAN.
But you made me look into it again, so Bart, if you want to do an A/B comparison with a generic
FreeBSD, you have to set a domain; live CDs probably only set a hostname.
I tried it on my full-blown FreeBSD 10 install and it tries a reverse DNS lookup. On my LAN it does not
resolve, but it might do other things for you and even proceed to the DNS dhcp query.


I throw in another picture now, FreeBSD 10 hostname="obama.ebay.be" in rc.conf.
ebay.be resolves on my LAN, but I get stuck on the reverse lookup.
(image)

regards,
Jan

EDIT: I could NOT trick NAS4Free 9.1 (r847) into doing the infamous request, consistent with Bart claiming that 9.1 "does not have it".
Last edited by jandegr on 08 May 2014 12:03, edited 2 times in total.

Post by bart357 »

I have tested versions 9.2 and 10.0 downloaded from here: http://www5.us.freebsd.org/where.html

I don't find any problems with them.

I have set the host name, started dhcpclient and everything works as expected (ping, dig, route, etc.)

I have also checked /etc/rc.conf on n4f and I have a host name listed.

The N4F 9.2 series is the only one I see doing a query for dhcp.xx.xx
jandegr wrote: but maybe it helps for Bart, he has a very special LAN.
It is not a special LAN if this can be reproduced with a home router. Network configuration error? OK, I can agree with this, but my ISP broke DNS, and this should not happen.

I'll keep looking.

Take care

Post by bart357 »

bart357 wrote: It is not a special LAN if this can be reproduced with a home router. Network configuration error? OK, I can agree with this, but my ISP broke DNS, and this should not happen.
I should have said that the question to DNS for dhcp.xxx.xxx should never have been asked.

Post by bart357 »

dreamcat4,
I did try editing /etc/rc.d/hostname on an embedded system, but after a reboot the modification is gone. I will try again tomorrow.

Post by jandegr »

Hi, a small follow-up:

On the boot screen in DHCP mode we all get a message

Code:

ifconfig: dhcp: bad value
It flashes by really fast on the screen, so many will not have noticed.

This is a dirty and quick fix for it:

Code:

--- etc/rc.d/rcconf.orig
+++ etc/rc.d/rcconf	
@@ -118,7 +118,10 @@ setifconfig()
 			eval /usr/local/sbin/rconf attribute set "ifconfig_${_ifn}" "${_ifconfig_args}"
 		fi
 		if [ -n "${_ipaddr}" ]; then
+		# dirty fix voor bad value melding bij dhcp en mogelijks voor dns dhcp.xxx.xxx query
+		   if [ "${_ipaddr}" != "dhcp" ]; then
 			eval /usr/local/sbin/rconf attribute set "ipv4_addrs_${_ifn}" "${_ipaddr}/${_subnet}"
+			fi			
 		fi
 	fi
 
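Review bot: the guard added in front of `rconf attribute set "ipv4_addrs_${_ifn}"` only skips the exact string "dhcp", so any other non-address value of `${_ipaddr}` (a differently cased "DHCP", a typo, a keyword added later) is still written as "<value>/${_subnet}" and reaches ifconfig as a bogus address, which is presumably where the "ifconfig: dhcp: bad value" message described in this post comes from. A positive check that `${_ipaddr}` is a dotted-quad address, or at least folding the condition into the enclosing test as `if [ -n "${_ipaddr}" -a "${_ipaddr}" != "dhcp" ]; then`, would close that gap and drop one nesting level. Two smaller points: the added `if` line is indented with spaces and the added `fi` line carries trailing tabs while the surrounding file uses tab indentation, and the added comment is in Dutch (it reads "dirty fix for the bad value message with dhcp and possibly for the dns dhcp.xxx.xxx query") in an otherwise English script, so it should be translated and should say which value is being skipped and why.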
Only two lines if you want to apply it manually.


And it also got rid of the infamous DNS query for me, at least on my box and LAN.
Needs further looking into.

regards,
Jan

Post by bart357 »

I am glad you found the problem, Jan.
I hope the developers take a good look.
I have not tried your fix because I use the embedded version and I don't think it will survive a reboot.
I never would have been able to find the error in the code.

I also hope that my data was not traveling off my LAN and then back to the NAS with the bad route.
I am not sure if this happened or not; I hope not, but I am bad with routing tables.

Thanks for taking a look and verifying what I was trying to say. I have been trying to figure this out for a while now.

Take care

Post by bart357 »

I ran a diff on rcconf and compared the files from 9.1 and 9.2.

Both files look basically the same to me, if I ran the command correctly.

I wonder why this problem only shows in 9.2?

Post by STAMSTER » (Starter, Posts: 72, Joined: 23 Feb 2014 15:58)

bart357 wrote: I was talking to a guy on the DNS forums (rob0)
and his take on the problem is that the ISP has hijacked NXDOMAIN to redirect typos to their "helpful web site."

IE: cnn,com (notice the comma?)

His take on the problem is that something did a DNS lookup which was NXDOMAIN; your ISP resolver returned IP addresses for that query, and something was misconfigured to use that lookup result.

His comments were that DNS did not change the routing table. OS misconfiguration changed the routing table, probably based on a bad DNS query result.

He also mentioned that likely no direct malicious activity was done.

OK? There is a bug. In the 9.2 code, at least on my network node.

Take care
Exactly.
I have the same "issue". But the first time I saw that strange WAN IP on my freshly built NAS, I knew what it was.
I'm not using my ISP's DNS servers but OpenDNS's. I have enabled the feature which turns every NXDOMAIN into a user-friendly page.

This is how it looks with a DHCP address:
inet 192.168.150.59 netmask 0xffffff00 broadcast 192.168.150.255
inet 67.215.65.132 netmask 0xffffff00 broadcast 67.215.65.255

Notice the second line and IP 67.215...; that's the OpenDNS server/IP range. :)

After setting NAS4Free to a static IP (so no DHCP queries are present), this issue is not present.

Bottom line:
It's quite strange that only in DHCP-enabled mode NAS4Free initiates a DNS query for your own local domain name (which in most cases does not exist on the WAN side, the Internet, and the DNS lookup returns NoneXistentDOMAIN).

Post by bart357 »

STAMSTER wrote: After setting NAS4Free to a static IP (so no DHCP queries are present), this issue is not present.
When I set N4F to use a static IP, it broke CIFS while utilizing a DNS server which turns every NXDOMAIN into a user-friendly page.

Do you notice that problem as well?

If not, I guess I could have had some bad information cached on another PC.

take care

Post by STAMSTER »

To tell you the truth, I'm (still) not using CIFS/Samba sharing for the new NAS build. Only iSCSI and SFTP.
You mean if you open a Samba share via hostname, the problem occurs?

Post by bart357 »

When I tried connecting via smb://workgroup/ through Ubuntu's "Browse Network".

I also noticed in Diagnostics|Log that Samba was trying to be master browser on the bad IP returned from DNS.

I would need to test again to see if a bad value was cached.

I hope that made sense.

take care

Post by sancat » (NewUser, Posts: 4, Joined: 14 Oct 2014 06:47)

bart357 wrote:
STAMSTER wrote: After setting NAS4Free to a static IP (so no DHCP queries are present), this issue is not present.
When I set N4F to use a static IP, it broke CIFS while utilizing a DNS server which turns every NXDOMAIN into a user-friendly page.

Do you notice that problem as well?

If not, I guess I could have had some bad information cached on another PC.

take care
Hi Bart,

I was having the same issue you do. Jan picked it up from a posting I did yesterday and called my attention to this thread.

I can reproduce the issue, and also, by adding to my DHCP server an entry with dhcp.mydomain.com mapping back to the DHCP server, I kind of get rid of the "internet" address in ifconfig. But I'm getting 2 entries in ifconfig, one of them my router/DHCP server's. See the output below.

Code:

$ ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
	ether 60:02:92:b3:3a:e6
	inet 192.168.4.233 netmask 0xffffff00 broadcast 192.168.4.255
	inet 192.168.4.1 netmask 0xffffff00 broadcast 192.168.4.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
I'll see if I can do Jan's recommended change.

sancat

Post by sancat »

sancat wrote: I'll see if I can do Jan's recommended change.

sancat
I tried Jan's fix, and it doesn't work on my system.

Code:

$ ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=381b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether 60:02:92:b3:3a:e6
	inet 192.168.4.233 netmask 0xffffff00 broadcast 192.168.4.255
	inet 92.242.140.21 netmask 0xffffff00 broadcast 92.242.140.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

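An added example, not from sancat's post and not NAS4Free code: a check for the symptom shown in the ifconfig output above, a second IPv4 address on the DHCP-configured interface. It parses FreeBSD ifconfig output and, for each interface you name as DHCP-configured, flags any address that lies outside the LAN prefix your DHCP server hands out (noting when it is globally routable, as in the 92.242.140.21 case above) and any interface that carries more than one IPv4 address at all. The two sample outputs are copied from sancat's posts in this thread (re0 and lo0 only); the LAN prefix 192.168.4.0/24 and the interface set {re0} are assumptions.

```python
import ipaddress
import re

# "re0: flags=8843<UP,...> metric 0 mtu 1500" starts a new interface block.
IFACE_RE = re.compile(r"^(?P<name>[a-z]+\d+): flags=")
# "\tinet 192.168.4.233 netmask 0xffffff00 broadcast ..." is an IPv4 address
# line; FreeBSD prints the netmask as a hex word. inet6 lines do not match.
INET_RE = re.compile(
    r"^\s+inet (?P<addr>\d{1,3}(?:\.\d{1,3}){3}) netmask (?P<mask>0x[0-9a-fA-F]{8})"
)


def parse_ifconfig(text):
    """Map interface name -> list of ipaddress.IPv4Interface from ifconfig output."""
    addrs = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            addrs[current] = []
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            prefixlen = bin(int(m.group("mask"), 16)).count("1")
            addrs[current].append(ipaddress.ip_interface(f"{m.group('addr')}/{prefixlen}"))
    return addrs


def audit_dhcp_interfaces(text, lan_cidr, dhcp_ifaces):
    """Return [(iface, address, reason)] for what a DHCP interface should not carry.

    lan_cidr is the prefix the DHCP server serves (assumption: one prefix per
    interface); dhcp_ifaces names the interfaces configured for DHCP.
    """
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for iface, ifaddrs in parse_ifconfig(text).items():
        if iface not in dhcp_ifaces:
            continue
        for a in ifaddrs:
            if a.ip in lan:
                continue  # the lease itself
            if a.ip.is_global:
                reason = "globally routable address outside the LAN"
            else:
                reason = "address outside the LAN"
            findings.append((iface, a.with_prefixlen, reason))
        if len(ifaddrs) > 1:
            findings.append((iface, ", ".join(a.with_prefixlen for a in ifaddrs),
                             f"{len(ifaddrs)} IPv4 addresses; a DHCP lease should yield one"))
    return findings


# ifconfig output copied from sancat's post above (re0 and lo0 only).
IFCONFIG_DHCP_BOGUS = """\
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=381b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 60:02:92:b3:3a:e6
        inet 192.168.4.233 netmask 0xffffff00 broadcast 192.168.4.255
        inet 92.242.140.21 netmask 0xffffff00 broadcast 92.242.140.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
"""

# The same box after sancat switched it to a static address, also from the thread.
IFCONFIG_STATIC = """\
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 60:02:92:b3:3a:e6
        inet 192.168.4.60 netmask 0xffffff00 broadcast 192.168.4.255
        status: active
"""


if __name__ == "__main__":
    # Real use: ssh nas ifconfig | python3 thisfile.py, with your own prefix.
    for sample in (IFCONFIG_DHCP_BOGUS, IFCONFIG_STATIC):
        for iface, addr, reason in audit_dhcp_interfaces(sample, "192.168.4.0/24", {"re0"}):
            print(f"{iface}: {addr}: {reason}")
        print("---")
```

A finding with a globally routable address on an interface that is supposed to be on DHCP is exactly the thread's symptom; as rob0 is quoted above, DNS did not change the configuration by itself, the host took a DNS answer and used it as an address, so the next step is to check what the box resolved while it was booting rather than to blame the DHCP server.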
Post by sancat »

Using static IP makes the second IP go away

Code:

$ ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=381b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether 60:02:92:b3:3a:e6
	inet 192.168.4.60 netmask 0xffffff00 broadcast 192.168.4.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Samba works; DLNA works for some devices but not for others.

I'm wondering how common this issue can be. There may be many systems broadcasting to the Internet.

sancat
Last edited by sancat on 27 Oct 2014 01:06, edited 2 times in total.

Post by jandegr »

Hi sancat,
If you used Wireshark, you would see that before the fix a bogus query was done for dhcp.blabla.
This is now fixed and you now have normal FreeBSD behaviour.
You now have to match your hostname and router config so your router knows it does not need to search for your hostname on
the WAN.
If your ISP did not provide 'a helpful page' you would not have to do this.

On my router I have a domain 'home' preconfigured that I can tweak to solve issues like this,
but often the name local. can be found as well.


regards,
Jan

Post by sancat »

jandegr wrote: Hi sancat,
If you used Wireshark, you would see that before the fix a bogus query was done for dhcp.blabla.
This is now fixed and you now have normal FreeBSD behaviour.
You now have to match your hostname and router config so your router knows it does not need to search for your hostname on
the WAN.
If your ISP did not provide 'a helpful page' you would not have to do this.

On my router I have a domain 'home' preconfigured that I can tweak to solve issues like this,
but often the name local. can be found as well.


regards,
Jan
Hi Jan,

The fix does not prevent the system from getting the bogus IP, as you can see a couple of postings earlier. I'm wondering if I applied it right.

I can confirm my ISP (USA, Verizon FiOS) provides a "helpful" page.

I also did add an entry to my router, mapping dhcp.mydomain.com to my own DHCP server / router IP, but that didn't appear to help either, as the nas4free NIC now got 2 addresses, one being that of the DHCP server / router.

The only thing that appears to work on my side is using a static IP. Not elegant, but gets the job done. :|

Thanks!

sancat
