DB2 GetHostByName

Peter Schwarcz

DB2 GetHostByName
When DDF starts, DB2 appears to do a reverse DNS lookup, that is
GetHostByName().

After an external security audit my customer was advised to turn the reverse
DNS lookup OFF. Naturally, the next time DDF was started it failed so we
turned the reverse lookup back on.

Has anyone had to deal with this issue?

Is the GetHostByName a genuine security problem on OS/390?

Is there a workaround that will allow DB2 and DDF to resolve the host name
without a reverse lookup?

Thanks in advance
Regards,
Peter Schwarcz



Gerald Hodge

Re: DB2 GetHostByName
(in response to Peter Schwarcz)
Peter:

Was there a reason given for turning the DNS lookup off? I have asked our
TCPIP / JAVA expert and he is not aware of what exposure they were trying to
close. How experienced was the actual person making the suggestion, not the
firm, but the individual? Perhaps he sees DDF as an exposure? I know of one
place where the new "expert" wanted no lines in or out to ensure the safety
of the system.

Gerald Hodge
HLS Technologies, Inc

PS. Are you going to be at Lisbon?




James Campbell

Re: DB2 GetHostByName
(in response to Gerald Hodge)
Not that I know the answer to your question, but isn't a reverse DNS
lookup gethostbyaddr? gethostbyname being a forward lookup.

James Campbell


On 13 Aug 2002 at 19:58, Peter Schwarcz wrote:

> When DDF starts, DB2 appears to do a reverse DNS lookup, that is
> GetHostByName().
>
> After an external security audit my customer was advised to turn the reverse
> DNS lookup OFF. Naturally, the next time DDF was started it failed so we
> turned the reverse lookup back on.
>
> Has anyone had to deal with this issue ?
>
> Is the GetHostByName a genuine security problem on OS/390 ?
>
> Is there a work around that will allow DB2 and DDF to resolve the host name
> without a reverse lookup ?
>
> Thanks in advance
> Regards,
> Peter Schwarcz
>
>
>



Peter Schwarcz

Re: DB2 GetHostByName
(in response to James Campbell)
Thanks James and Gerald,

Ever vigilant, you are correct: DB2 does a GetHostByAddr, not GetHostByName.

From the DB2 V7 Installation Manual:

"DB2 Issues a gethostbyaddr using the local IP address obtained from the
gethostid to obtain the fully qualified domain name."

Now the question stands:

Is the GetHostByAddr a genuine security problem on OS/390?

Gerald, I will try and find the author of the report and ask them to
substantiate their statement. As to how experienced the actual person making
the suggestion was, I do not like my chances of finding out, but exposing
the man is always an option.

Thanks,
Peter Schwarcz
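
As an added illustration (not code from DB2 or from anyone in this thread), here are the two lookup directions discussed above in C: a reverse lookup of a local address that degrades to the numeric address when the resolver returns no name, followed by a forward lookup that checks the name maps back to the same address. `local_name`, the status values and the 127.0.0.1 sample are assumptions of this example, and it uses the POSIX `getnameinfo`/`getaddrinfo` calls in place of the older `gethostbyaddr`/`gethostbyname`.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum name_status { NAME_CONFIRMED, NAME_UNCONFIRMED, NAME_FALLBACK, NAME_BAD_INPUT };

/* Hypothetical helper: turn a local IPv4 address into a display name. */
enum name_status local_name(const char *ip, char *out, size_t outlen)
{
    struct sockaddr_in sa;
    struct addrinfo hints, *res, *p;
    enum name_status st = NAME_UNCONFIRMED;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return NAME_BAD_INPUT;
    /* Reverse lookup (address -> name), the gethostbyaddr direction. */
    if (getnameinfo((struct sockaddr *)&sa, sizeof sa, out, (socklen_t)outlen,
                    NULL, 0, NI_NAMEREQD) != 0) {
        /* Resolver gave no name: degrade to the numeric address. */
        snprintf(out, outlen, "%s", ip);
        return NAME_FALLBACK;
    }
    /* Forward lookup (name -> addresses), the gethostbyname direction. */
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(out, NULL, &hints, &res) != 0)
        return st;
    for (p = res; p != NULL; p = p->ai_next)
        if (((struct sockaddr_in *)p->ai_addr)->sin_addr.s_addr == sa.sin_addr.s_addr)
            st = NAME_CONFIRMED; /* name maps back to the same address */
    freeaddrinfo(res);
    return st;
}

int main(void)
{
    char name[256];
    enum name_status st = local_name("127.0.0.1", name, sizeof name); /* constructed sample */
    printf("%s (status %d)\n", name, (int)st);
    return 0;
}
```

A name that comes back `NAME_UNCONFIRMED` or `NAME_FALLBACK` is fit for a log line or start-up message only, not for an access decision.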



Martin Wolff

Re: DB2 GetHostByName
(in response to Peter Schwarcz)
Did DDF actually fail or did it just complain and then carry on? We didn't
initially give DDF the superuser authority (ROOT access?) that DDF needs to
issue a GetHostByAddr (perhaps there is their security issue) but DDF seems to
still work fine. As far as I can see, the GetHostByAddr is only used to fill in
all the details of the DSNL004I message at start-up. Apparently, you can't
issue asynchronous I/O socket calls (whatever that might be) without being a
superuser, though DDF does work without them (in our case over 2 years!).

The installation guide (Enable DDF for OpenEdition) does say:-

Please note that DDF executes as an authorized program and is protected
against any unauthorized use of this privilege by DDF users.

If your security audit guys understand the authorized program concept, that
may sway them to give DDF the access back, if not .....


Martin Wolff.
(Still) Global Crossing

