net: pure go version of dnsclient does a DNS lookup of "localhost" qualified with the domain name.

[kraney]

This bug is derived from this one I reported in Kubernetes.

kubernetes/kubernetes#77764

What did you do?

On my DNS domain, someone decided it would be cute to create a hostname 'localhost.mydomain.com'.

Go's pure go DNS resolver, when looking up "localhost", tries "localhost.mydomain.com" first and ends up with an IP address from DNS, rather than resolving to 127.0.0.1 from /etc/hosts like you'd expect.

What did you expect to see?

I expected that a) there would be no DNS lookup, and b) to get a result of 127.0.0.1

What did you see instead?

Attempts to contact https://localhost/ end up being directed to the cutely-named system elsewhere in the network.

Looking in https://github.com/golang/go/blob/master/src/net/dnsclient_unix.go, it appears that the function nameList(), given an argument of 'localhost', would return results that first search for the FQDN obtained by appending the default domain, and then would search for the unadorned 'localhost' last. This produces incorrect results.

[kraney]

Note that this bug has security implications, since it represents a technique for someone to get in the middle of communications that would ordinarily be unseen on loopback, and might not be well secured as a result of that expectation.

[agnivade]

@mikioh @ianlancetaylor

[bradfitz]

Dup of #22826? (net: add support for "let localhost be localhost")

But looks like https://tools.ietf.org/html/draft-ietf-dnsop-let-localhost-be-localhost-02 stalled (and actually expired).

Is our behavior actually wrong from a spec standpoint?

I personally agree with let-localhost-be-localhost for sanity/security reasons, but it looks like (from #22826) that we were waiting for that to become more official best practice.

[kraney]

"localhost" is supposed to go through name resolution. That's the mechanism for selecting whether it resolves to an IPv4 loopback address or an IPv6 one for that particular host.

However, "localhost" is not supposed to be qualified with the default domain name before that lookup happens. The implementation here checks "localhost.fulldomain.com" first, before it checks "localhost". If no such host exists, you won't notice an issue except perhaps an unnecessary delay. But if it does exist, you're in for a surprise.

[bradfitz]

Oh, sorry, I missed on my pre-coffee reading that this was about Go appending the default domain first, before the bare "localhost" lookup.

[bradfitz]

I'm not able to reproduce this, though. I tried both the cgo and netgo resolvers, but neither attempts a DNS lookup.

Log of my repro attempt...

bradfitz@go:~$ cat /etc/resolv.conf 
domain c.symbolic-datum-552.internal 
search c.symbolic-datum-552.internal. google.internal. 
nameserver 169.254.169.254 
bradfitz@go:~$ cat /etc/hosts 
127.0.0.1       localhost MyLocalHost 
::1             localhost ip6-localhost ip6-loopback 
fe00::0         ip6-localnet 
ff00::0         ip6-mcastprefix 
ff02::1         ip6-allnodes 
ff02::2         ip6-allrouters 
  
10.240.0.12 dev-bradfitz.c.symbolic-datum-552.internal dev-bradfitz  # Added by Google 
 
bradfitz@go:~$ cat lookup.go 
package main 
 
import ( 
        "flag" 
        "fmt" 
        "log" 
        "net" 
) 
 
func main() { 
        flag.Parse() 
        addr, err := net.LookupHost(flag.Arg(0)) 
        if err != nil { 
                log.Fatal(err) 
        } 
        fmt.Println(addr) 
} 
bradfitz@go:~$ go build lookup.go 
bradfitz@go:~$ GODEBUG=netdns=go+1 strace -e socket,open,connect,read,write -f ./lookup localhost 
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0Pa\0\0\0\0\0\0"..., 832) = 832 
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\4\2\0\0\0\0\0"..., 832) = 832 
strace: Process 11550 attached 
strace: Process 11551 attached 
strace: Process 11552 attached 
strace: Process 11553 attached 
strace: Process 11554 attached 
[pid 11549] read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 1024) = 497 
[pid 11549] read(3, "", 1024)           = 0 
[pid 11549] read(3, "domain c.symbolic-datum-552.inte"..., 65536) = 119 
[pid 11549] read(3, "", 65417)          = 0 
[pid 11549] read(3, "", 65536)          = 0 
[pid 11549] write(2, "go package net: GODEBUG setting "..., 61go package net: GODEBUG setting forcing use of Go's resolver 
) = 61 
[pid 11549] read(3, "127.0.0.1\tlocalhost MyLocalHost\n"..., 65536) = 330 
[pid 11549] read(3, "", 65206)          = 0 
[pid 11549] read(3, "", 65536)          = 0 
[pid 11549] write(1, "[127.0.0.1 ::1]\n", 16[127.0.0.1 ::1] 
) = 16 
[pid 11553] +++ exited with 0 +++ 
[pid 11552] +++ exited with 0 +++ 
[pid 11551] +++ exited with 0 +++ 
[pid 11550] +++ exited with 0 +++ 
[pid 11554] +++ exited with 0 +++ 
+++ exited with 0 +++ 
bradfitz@go:~$ GODEBUG=netdns=+1 strace -e socket,open,connect,read,write -f ./lookup localhost 
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0Pa\0\0\0\0\0\0"..., 832) = 832 
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\4\2\0\0\0\0\0"..., 832) = 832 
strace: Process 11558 attached 
strace: Process 11559 attached 
strace: Process 11560 attached 
strace: Process 11561 attached 
strace: Process 11562 attached 
[pid 11557] read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 1024) = 497 
[pid 11557] read(3, "", 1024)           = 0 
[pid 11557] read(3, "domain c.symbolic-datum-552.inte"..., 65536) = 119 
[pid 11557] read(3, "", 65417)          = 0 
[pid 11557] read(3, "", 65536)          = 0 
[pid 11557] write(2, "go package net: dynamic selectio"..., 50go package net: dynamic selection of DNS resolver 
) = 50 
[pid 11557] read(3, "127.0.0.1\tlocalhost MyLocalHost\n"..., 65536) = 330 
[pid 11557] read(3, "", 65206)          = 0 
[pid 11557] read(3, "", 65536)          = 0 
[pid 11557] write(1, "[127.0.0.1 ::1]\n", 16[127.0.0.1 ::1] 
) = 16 
[pid 11560] +++ exited with 0 +++ 
[pid 11562] +++ exited with 0 +++ 
[pid 11561] +++ exited with 0 +++ 
[pid 11559] +++ exited with 0 +++ 
[pid 11558] +++ exited with 0 +++ 
+++ exited with 0 +++ 

bradfitz@go:~$ CGO_ENABLED=0 go build lookup.go
bradfitz@go:~$ GODEBUG=netdns=+1 strace -e socket,open,connect,read,write -f ./lookup localhost
strace: Process 11670 attached
strace: Process 11669 attached
strace: Process 11671 attached
strace: Process 11672 attached
[pid 11668] read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 1024) = 497
[pid 11668] read(3, "", 1024)           = 0
[pid 11668] read(3, "domain c.symbolic-datum-552.inte"..., 65536) = 119
[pid 11668] read(3, "", 65417)          = 0
[pid 11668] read(3, "", 65536)          = 0
[pid 11668] write(2, "go package net: built with netgo"..., 68go package net: built with netgo build tag; using Go's DNS resolver
) = 68
[pid 11668] read(3, "127.0.0.1\tlocalhost MyLocalHost\n"..., 65536) = 330
[pid 11668] read(3, "", 65206)          = 0
[pid 11668] read(3, "", 65536)          = 0
[pid 11668] write(1, "[127.0.0.1 ::1]\n", 16[127.0.0.1 ::1]
) = 16
[pid 11672] +++ exited with 0 +++
[pid 11669] +++ exited with 0 +++
[pid 11671] +++ exited with 0 +++
[pid 11670] +++ exited with 0 +++
+++ exited with 0 +++

[bradfitz]

Got a repro?

[kraney]

Unfortunately, I don't have a simple reproduction. I observed this behavior from Kubernetes' apiserver. I'm not a Kubernetes developer. I just started reading code to try and track this down.

Out of curiosity, what's in your /etc/nsswitch.conf?

[bradfitz]

Out of curiosity, what's in your /etc/nsswitch.conf?

Mine has:

hosts:          files dns

Do you have dns first? I'll try that later.

[kraney]

In the original circumstance that triggered the bug report, actually no mine is also set to "files dns". But looking at the code it looked like setting dns first would trigger the behavior I found in the code.

I confirmed it - if I set it to "dns files" and use your code, I see a DNS lookup of a FQDN first.

This may indicate I haven't correctly root caused my original issue, but I still see this behavior as an issue.

[bradfitz]

Yes, I see that too, but I also see that glibc does the same, so it seems like you get what you're asking for if you have your nsswitch.conf configured to do that.

So this bug seems like just a dup of #22826, which IIRC would just be special-casing the meaning in "localhost" in some places.

Closing for now, but let me know if I missed something.