guarantee RFC standardized hostname

Kevin Fitzgerald kwfitzgerald at ualr.edu
Thu Aug 25 14:02:08 UTC 2011


I am actively pushing to stop using the user provided host-name as I feel
that solves our actual problem.

I am still interested to know if there is a facility within dhcp to do regex
evaluation and arbitrary manipulation of the data held in 'option host-name'
or some such.  If not, I will be able to more quickly convince my team that
our efforts would be better spent elsewhere :)

On Thu, Aug 25, 2011 at 2:21 AM, Simon Hobson <dhcp1 at thehobsons.co.uk> wrote:

> Ted Lemon wrote:
>
>>> I'm assuming that you don't have any kind of pre-existing records for
>>> these hosts?  We track all hosts here, and force a hostname to be defined at
>>> registration time, with all of the usual validity and uniqueness checks.  We
>>> then feed this data into our dhcp configuration files, and all client
>>> supplied ddns hostname values are summarily ignored.
>>>
>>
>> What's the threat model here?
>>
>
> Basically the same sort of threat as SQL injection has on SQL based
> systems. If **any** bit of code in the chain fails to sanitise/handle
> abnormal input then there's a vector for problems (whether innocent or
> malicious).
>
> In this case, there's one very common one already mentioned. How many times
> have you seen code break when fed a value with an embedded space ? I've seen
> it plenty of times.
> If you knew (for example) that the value went through a Bash script, then
> you might try "somevalue<space>;rm -rf /" as your input. If the code hasn't
> handled the space properly then there's scope for your system to die a
> mysterious death.
>
> I know ISC's DHCP and BIND aren't written in Bash, but the same principle
> applies - don't assume everything downstream can handle garbage !
>
> In the past I had a nice one where a print server box padded out the
> hostname to 8 characters with nulls - took me a while to figure out some
> rather oddball DNS update errors. Hint, what's a string terminator in "C" ?
>
> --
> Simon Hobson



-- 
Kevin Fitzgerald
UALR Information Technology Services
501-916-5019
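
The kind of check discussed in this thread, as an added example (not code from the thread or from ISC DHCP): a Python function that accepts a client-supplied host-name only if it is a valid RFC 952/1123 name and rejects, rather than repairs, anything else. The function name, return shape and sample inputs are assumptions constructed for illustration.

```python
import re

# One label per RFC 952 / RFC 1123: letters, digits and hyphens, no leading
# or trailing hyphen, 1 to 63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def check_hostname(raw: bytes):
    """Return (hostname, None) when acceptable, else (None, reason).

    Hypothetical helper: `raw` is the host-name exactly as the client sent it.
    """
    # RFC 2132 section 2 tells receivers to tolerate trailing NULs on text
    # options, so padding is stripped; a NUL anywhere else is rejected, since
    # C code downstream would silently truncate the name there.
    name = raw.rstrip(b"\x00")
    if not name:
        return None, "empty"
    if b"\x00" in name:
        return None, "embedded NUL"
    try:
        text = name.decode("ascii")
    except UnicodeDecodeError:
        return None, "non-ASCII byte"
    if len(text) > 253:
        return None, "too long"
    for label in text.split("."):
        # fullmatch, not match with '$': '$' would let a trailing newline in.
        if not _LABEL.fullmatch(label):
            return None, f"bad label {label!r}"
    # Lower-casing is a policy choice made here so uniqueness checks compare equal.
    return text.lower(), None


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for sample in (b"PrintSrv", b"lab\x00\x00\x00\x00\x00", b"pc\x00evil",
                   b"somevalue ;rm -rf /", b"host\n", b"-lead"):
        print(sample, "->", check_hostname(sample))
```

Running the check once at the point where the value enters the system means nothing downstream (shell scripts, DNS updates, C string handling) ever sees the raw client bytes.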