[CentOS] Re: What libs req'd to resolve DNS within a chroot jail?

Mon Jan 14 17:54:07 UTC 2008
Eric B. <ebenze at hotmail.com>

> >
> > I've been working at getting a tftp server up an running in a
> > chroot jail, and I have finally succeed getting almost everything
> > working. The server itself works fine, however, it is implemented
> > as a tcpwrapper application (ie: in.tftpd) and I am having trouble
> > getting it to resolve DNS names. I copied my /etc/hosts.allow and
> > /etc/hosts.deny in my chroot/etc folder, however, they only work
> > properly if I provide IP addresses. If I use FQDN, they fail.
> >
> > For instance, in hosts.allow:
> > in.tfptd: 192.168.1.101 allow
> >
> > works fine
> >
> > But the following fails
> > in.tftptd: eric.test.com allow
> >
> >
> > I'm assuming I am missing a library/libraries in my chroot jail,
> > but am not sure which ones. I've got all the libs req'd by ldd,
> > but I am guessing there is something else that I am missing.
>
>
> ---------- End Original Message ----------
>
> from a security standpoint i don't think you want to control access
> by fqdn.
> the name being given access is based on the inverse-map lookup
> (in-addr.arpa) on the inbound ipnumber - not the forward lookup. so,
> this isn't controlled by the keepers of the "test.com" zone, rather,
> anyone can set up "eric.test.com" as an inverse entry for an ipnumber
> for which they control the in-addr.arpa records.
>
> i.e., putting an fqdn in the hosts.allow file only gives security by
> obscurity. if someone figures out the fqdns that you're giving access
> to, and has control of the in-addr.arpa for an ipnumber range they
> can connect from, they can gain access to your system.
>
> - Rick



Thanks for the feedback Rick.  I didn't realize that security implication. 
However I'm already running this on a machine that is heavily firewalled on 
a VPN so I am fairly sure that no one will be accessing this externally, but 
I still would like to restrict access to particular machines.  Ideally, 
would rather use FQDN to make life easier for me to administer.  I have 
created my additional reverse-dns pointer but I am still having problems 
with it.

nslookup from the server gives me:
# nslookup 192.168.3.103
Server:         192.168.1.67
Address:        192.168.1.67#53

103.3.168.192.in-addr.arpa    name = eric.test.com.3.168.192.in-addr.arpa.


However, when I try to connect to the tftp server, my connection is still 
refused, and I get the following in the log msgs:

Jan 14 12:49:19 apollo atftpd[15302]: Connection refused from 
192.168.103.103


I am obviously doing something still incorrect, but not sure what.

Can you help point me in the right direction please?  Is my reverse DNS 
incorrectly set up?

Thanks,

Eric