Re: .com. filter bypass

[Nigel Stepp <stepp () atistar net>]

On Wed, 18 Aug 2004, RSnake wrote:

>       I know this is pretty trivial, but I haven't seen anyone write anything
> about this.  I'm not sure how useful it really is as an attack vector, but:
>
> "http://www.google.com./"; is a valid url in browsers (with the dot at the end).

[ snip ]

> As a side
> note, nslookup and traceroute both ignored the trailing period, which actually
> is okay behavior, but also makes them candidates if this sort of check is
> performed before they are run with a system call....  Yup, as I said, pretty
> trivial.

I think it should be pointed out that especially these tools (nslookup,
traceroute, etc.) are not "ignoring" the period.  The trailing dot in a
domain name has a very specific meaning as the root domain.  It
signifies that the end of the domain in question is really the end.

some.domain could also be subject to adding domain search suffixes.
some.domain. is literally some.domain.

Put another way, if mydomain.com is in your domain search path, then
if you look up myhost, it will fail by itself but succeed as
myhost.mydomain.com.

myhost. will fail, as mydomain.com will not be added to the end.

In any event.  These things are all handled by the dns lookup
subsystems, usually not by the actual applications.  They will just use
gethostbyname() or what have you, and it will do the rest.

(This is a user/app view of the trailing dot, not a dns zone file type
view where it affects whether to add the origin or not, but the meaning
is the same).

> -R
>
> The information in this email is confidential and may be legally
> privileged.  It is intended solely for the addressee.  Access to
> this email by anyone else is unauthorized.  If you are not the
> intended recipient, any disclosure, copying, distribution or any
> action taken or omitted to be taken in reliance on it is
> expressly prohibited and may be unlawful.

-- 
:wq