http://www.stackoverflow.com./ does not work, notice trailing dot.
Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.
Should servers be configured to deny any URLs without a trailing dot? (Without the trailing dot they are not FQDNs, per RFCs, they are relative domain names.)
Could not a rogue DHCP server push a DNS suffix search path to clients and exploit this?
Assuming a rogue DHCP server was able to push the DNS search suffix of "evildomain.com", a user going to chase.com would then end up going to "chase.com.evildomain.com." A user going to "chase.com." (with trailing dot, it's an FQDN) would not be vulnerable to this exploit.
Just about every URL I see published in the media is relative (as the trailing dot is not explicit, and only becomes a true FQDN once trailing dot is added by the underlying libraries).
Should we not enforce absolute domain names, or FQDNs, as much as possible?
On Windows, could not a malicious webserver simply change an end user's DNS suffix search path? On *nix boxes, privilege escalation would be needed to update resolv.conf (where DNS search suffixes are configured), but would *nix users not still be vulnerable to a DHCP spoofing scenario?
Whenever I configure anything that accepts a DNS domain name, I include the trailing dot. Some systems reject this in their attempts to validate the input, which is a shame. Windows clients that rely on DNS devolution for AD-walking can be troublesome, if you have a two-part domain suffix. MS have documented workarounds.
Reference resolv.conf... The equivalent Windows configuration also requires privilege elevation to effect a change.
Yes, this is a vulnerability. No, servers should not stop offering content when queried using internet relative domain names.
Trying to figure out if a name is internet relative or just relative is not a problem with a good stateless general solution. A bad stateless solution is to abolish the use of all relative naming. Relative names exist for valid reasons.
Care should be taken to ensure that using the FQDN results in the same content as the internet relative domain name. This is mostly an issue for http servers.
If you want to be zealous without being obnoxious: 308 or 301 on your webservers to point clients in the right direction.
By default DNS clients try queries containing at least one dot as FQDN first before trying the search path.
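The lookup order described in the answer above, applied to the question's evildomain.com scenario, as an added example that is not part of the original thread. It models the `search` and `ndots` handling documented in resolv.conf(5); the function names and the sample resolv.conf text are constructed for illustration.

```python
# Added example: models the stub-resolver search-list order from resolv.conf(5).
# The resolv.conf text below is constructed sample input, not taken from a real host.
SAMPLE_RESOLV_CONF = """\
# pushed by DHCP (constructed)
nameserver 192.0.2.53
search evildomain.com
options ndots:1
"""

def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf text; the last 'search' line wins."""
    search, ndots = [], 1  # ndots defaults to 1 when no option is present
    for line in text.splitlines():
        # '#' and ';' start comments in resolv.conf
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "search":
            search = [d.rstrip(".").lower() for d in fields[1:]]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def candidate_queries(name, search, ndots=1):
    """Ordered list of absolute names the resolver may try for `name`."""
    name = name.lower()
    if name.endswith("."):
        return [name]               # already absolute: the search list is never applied
    as_is = name + "."
    suffixed = [f"{name}.{s}." for s in search]
    if name.count(".") >= ndots:
        return [as_is] + suffixed   # enough dots: tried as absolute first
    return suffixed + [as_is]       # too few dots: search list goes first

def search_list_reachable(name, search, ndots=1):
    """True if any candidate for `name` falls under a search suffix."""
    return len(candidate_queries(name, search, ndots)) > 1

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for host in ("chase.com", "chase.com.", "intranet"):
        print(host, "->", candidate_queries(host, search, ndots))
```

Later candidates are only queried when the earlier ones fail to resolve, so with the default `ndots:1` the suffixed name for `chase.com` is a fallback rather than the first lookup.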