From: Rick Moen
Subject: Re: [Hangout-NYLXS] security with glibc and gethostbyname
From hangout-bounces-at-nylxs.com Sun Feb 21 05:43:19 2016
Received: from www.mrbrklyn.com (www.mrbrklyn.com [184.108.40.206])
by mrbrklyn.com (Postfix) with ESMTP id CC9B11617B1;
Sun, 21 Feb 2016 05:43:03 -0500 (EST)
Received: from linuxmafia.com (linuxmafia.COM [220.127.116.11])
by mrbrklyn.com (Postfix) with ESMTP id E498C163D9B
for ; Sun, 21 Feb 2016 04:48:54 -0500 (EST)
Received: from rick by linuxmafia.com with local (Exim 4.72)
(envelope-from ) id 1aXQdJ-0007Pw-76
for hangout-at-nylxs.com; Sun, 21 Feb 2016 01:48:53 -0800
Date: Sun, 21 Feb 2016 01:48:53 -0800
From: Rick Moen
Organization: If you lived here, you'd be $HOME already.
X-Mas: Bah humbug.
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: Mutt/1.5.20 (2009-06-14)
X-SA-Exim-Scanned: No (on linuxmafia.com); SAEximRunCond expanded to false
Subject: Re: [Hangout-NYLXS] security with glibc and gethostbyname
Reply-To: NYLXS Discussions List
List-Id: NYLXS Discussions List
Content-Type: text/plain; charset="us-ascii"
Quoting Ruben Safir (ruben-at-mrbrklyn.com):
> On 02/21/2016 01:52 AM, Rick Moen wrote:
> > (Wouldn't it be nice if glibc were no longer
> > using BIND8 spaghetti code?)
> clarify please
OK, no problem. You probably know that glibc is not a single library
but rather a bundle of related libraries. Sure, you get libc-2.*.so
(say), but also you get ld-*.so and ld-linux-*.so (the dynamic linker),
a bunch of libnss_*-2.*.so libs, libpthread-2.*.so, libutil-2.*.so, and
a number of others.

Among those others is libresolv-2.*.so. This is what is called a 'stub
DNS resolver library'. 'A stub resolver is a minimal resolver which will
only work with a DNS (an area resolver) that does support recursive
queries, specifically stub-resolvers cannot follow referrals.'
(quoting http://www.zytrax.com/books/dns/apa/resolver.html) libresolv-2.*.so
is the C library's basic glue for default host-internal handling of DNS
queries from application software. This is the network library for which
/etc/resolv.conf is a configuration file.

The problem is that libresolv is a dreadful, buggy piece of code for the
simple reason that it was abstracted from one of the worst pieces of
1990s spaghetti code in general use, BIND8.

You can minimise the damage by putting 127.0.0.1 (or ::1) as the first
entry in /etc/resolv.conf, and deploy a decent recursive nameserver like
Unbound as the system nameserver daemon. But, honestly, libresolv is
junk, and ought to be scrapped in favour of something better.

Once upon a time, there was a project at ISC to create something called
lwres, a 'lightweight resolver' that could then be hooked in via special
directives in resolv.conf and nsswitch.conf, but it was orphaned in an
incomplete state about a decade ago.
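The mitigation Rick describes (loopback address first in /etc/resolv.conf, with Unbound recursing behind it) can be checked mechanically. The script below is an added example and is not from the mail or from the glibc or Unbound projects: it parses a resolv.conf, reports whether libresolv's stub queries will go to a local daemon first, and prints a minimal unbound.conf for that daemon. The sample resolv.conf contents and temp-file paths are constructed for the demo; the Unbound directives are the standard ones documented in unbound.conf(5).

```shell
#!/bin/sh
# Added example (not part of the original mail). Checks whether the first
# "nameserver" entry in a resolv.conf is a loopback address, so that the
# glibc stub resolver talks to a local recursive daemon before anything
# else, and emits a minimal Unbound configuration for that daemon.

# first_nameserver FILE -> prints the address on the first "nameserver"
# line (nothing if the file has none). Comment and option lines are skipped.
first_nameserver() {
    while read -r key val _; do
        if [ "$key" = nameserver ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done < "$1"
    return 0
}

# is_loopback ADDR -> true for 127.0.0.0/8 or ::1
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_resolv_conf FILE -> true if stub queries go to a local daemon first.
# A file with no nameserver line also passes: resolv.conf(5) says glibc
# then defaults to the name server on the local machine.
check_resolv_conf() {
    ns=$(first_nameserver "$1")
    [ -z "$ns" ] && return 0
    is_loopback "$ns"
}

# unbound_local_config -> minimal unbound.conf: listen on loopback only,
# answer only loopback clients, and recurse for them (Unbound's default
# role). Everything else is refused rather than forwarded.
unbound_local_config() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
EOF
}

# Demo on two constructed resolv.conf files (not the host's real one).
demo() {
    d=$(mktemp -d) || return 1
    printf '# upstream first: libresolv sends queries straight to 8.8.8.8\nnameserver 8.8.8.8\nnameserver 127.0.0.1\n' > "$d/bad.conf"
    printf 'nameserver 127.0.0.1\nnameserver ::1\noptions timeout:1\n' > "$d/good.conf"
    for f in "$d/bad.conf" "$d/good.conf"; do
        if check_resolv_conf "$f"; then
            echo "$f: first nameserver '$(first_nameserver "$f")' is local: OK"
        else
            echo "$f: first nameserver '$(first_nameserver "$f")' is not local: reorder"
        fi
    done
    rm -rf "$d"
}

demo
unbound_local_config
```

Run it against the live file with `check_resolv_conf /etc/resolv.conf && echo ok`. The ordering check is only half the story: a loopback entry with nothing listening on port 53 just makes every lookup time out before glibc tries the next nameserver, so verify the daemon is actually bound (for example with `ss -lnu` or `ss -lnt` filtered on port 53) after installing the config.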