lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 14 Oct 2003 11:23:48 -0700
From: Kevin George <kevin-bugtraq@...ndrop.net>
To: Michael Sierchio <kudzu@...ebras.com>
Cc: BUGTRAQ@...URITYFOCUS.COM
Subject: Re: What software breaks because of this DNS feature?


When you tell your web browser to go to "http://cnn.com", this will not
necessarily take you to the same target IP as "http://cnn.com.", if
there is some other 'cnn.com' in your DNS search path.

(Suppose your DNS search path is set to 'local.example.com myisp.com';
If the resolver wanted to look up 'cnn.com', it would try
'cnn.com.local.example.com' and 'cnn.com.myisp.com', and if neither of
those resolved, it would use 'cnn.com'.  A trailing period at the end of
the FQDN tells the resolver that you do not want the DNS search
path to be used.)

For this reason, it may not be a good idea for the browser to attempt to
simplify 'cnn.com.' to 'cnn.com'.  If it did, an internal 'cnn.com'
(cnn.com.myisp.com) might be able to access cookies belonging to
'cnn.com.', and vis versa.

It is also worth noting that the user may be going through caches or
proxies, possibly transparent to them, and so regardless of what
'cnn.com' resolves to locally, it may resolve to something different for
the thing that makes the final HTTP connection.  So, even if locally it
appears that 'cnn.com' and 'cnn.com.' both resolve to the same IP(s),
that does not mean that your HTTP request will actually end up going
to those IPs.

(This means you can't use that as a method to decide whether or not, for the
purpose of your HTTP requests, 'cnn.com' == 'cnn.com.')

On Tue, Oct 14, 2003 at 10:13:26AM -0700, Michael Sierchio wrote:
> Richard M. Smith wrote:
> 
> >According to RFC1034, "cnn.com" and "cnn.com." should be the same domain
> >names.  However, it doesn't appear that programmers always understand that
> >trailing dots can be added to domain names.  
> >
> >...
> >
> >However, Internet Explorer considers these two domain names to be different
> 
> Is it IE or is it the Windows resolver?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ