    Peter Schwarcz
    [SCHWARCZ Computer Services]
    When DDF starts, DB2 appears to do a reverse DNS lookup, that is
    GetHostByName().

    After an external security audit my customer was advised to turn the reverse
    DNS lookup OFF. Naturally, the next time DDF was started it failed so we
    turned the reverse lookup back on.

    Has anyone had to deal with this issue ?

    Is the GetHostByName a genuine security problem on OS/390 ?

    Is there a work around that will allow DB2 and DDF to resolve the host name
    without a reverse lookup ?

    Thanks in advance
    Regards,
    Peter Schwarcz



    Gerald Hodge
    Peter:

    Was there a reason given for turning the DNS lookup off? I have asked our
    TCPIP / JAVA expert and he is not aware of what exposure they were trying to
    close. How experienced was the actual person making the suggestion, not the
    firm, but the individual. Perhaps he sees DDF as an exposure? I know of one
    place where the new "expert" wanted no lines in or out to ensure the safety
    of the system.

    Gerald Hodge
    HLS Technologies, Inc

    PS. Are you going to be at Lisbon?



    -----Original Message-----
    From: DB2 Data Base Discussion List
    [mailto:[login to unmask email]On Behalf Of Peter Schwarcz
    Sent: Tuesday, August 13, 2002 4:59 AM
    To: [login to unmask email]
    Subject: DB2 GetHostByName


    When DDF starts, DB2 appears to do a reverse DNS lookup, that is
    GetHostByName().

    After an external security audit my customer was advised to turn the reverse
    DNS lookup OFF. Naturally, the next time DDF was started it failed so we
    turned the reverse lookup back on.

    Has anyone had to deal with this issue ?

    Is the GetHostByName a genuine security problem on OS/390 ?

    Is there a work around that will allow DB2 and DDF to resolve the host name
    without a reverse lookup ?

    Thanks in advance
    Regards,
    Peter Schwarcz








    James Campbell
    Not that I know the answer to your question, but isn't a reverse DNS
    lookup gethostbyaddr? gethostbyname being a forward lookup.

    James Campbell


    On 13 Aug 2002 at 19:58, Peter Schwarcz wrote:

    > When DDF starts, DB2 appears to do a reverse DNS lookup, that is
    > GetHostByName().
    >
    > After an external security audit my customer was advised to turn the reverse
    > DNS lookup OFF. Naturally, the next time DDF was started it failed so we
    > turned the reverse lookup back on.
    >
    > Has anyone had to deal with this issue ?
    >
    > Is the GetHostByName a genuine security problem on OS/390 ?
    >
    > Is there a work around that will allow DB2 and DDF to resolve the host name
    > without a reverse lookup ?
    >
    > Thanks in advance
    > Regards,
    > Peter Schwarcz
    >
    >
    >



    Peter Schwarcz
    [SCHWARCZ Computer Services]
    Thanks James and Gerald,

    Ever vigilant you are correct, DB2 does a GetHostByAddr not GetHostByName

    From the DB2 V7 Installation Manual

    "DB2 Issues a gethostbyaddr using the local IP address obtained from the
    gethostid to obtain the fully qualified domain name. "

    Now the question stands:

    Is the GetHostByAddr a genuine security problem on OS/390 ?

    Gerald, I will try and find the author of the report and ask them to
    substantiate their statement. As to how experienced the actual person making
    the suggestion was, I do not like my chances of finding out, but exposing
    the man is always an option.

    Thanks,
    Peter Schwarcz


    -----Original Message-----
    From: DB2 Data Base Discussion List [mailto:[login to unmask email]On
    Behalf Of James Campbell
    Sent: Tuesday, 13 August 2002 10:48 PM
    To: [login to unmask email]
    Subject: Re: DB2 GetHostByName

    Not that I know the answer to your question, but isn't a reverse DNS
    lookup gethostbyaddr? gethostbyname being a forward lookup.

    James Campbell


    On 13 Aug 2002 at 19:58, Peter Schwarcz wrote:

    > When DDF starts, DB2 appears to do a reverse DNS lookup, that is
    > GetHostByName().
    >
    > After an external security audit my customer was advised to turn the reverse
    > DNS lookup OFF. Naturally, the next time DDF was started it failed so we
    > turned the reverse lookup back on.
    >
    > Has anyone had to deal with this issue ?
    >
    > Is the GetHostByName a genuine security problem on OS/390 ?
    >
    > Is there a work around that will allow DB2 and DDF to resolve the host name
    > without a reverse lookup ?
    >
    > Thanks in advance
    > Regards,
    > Peter Schwarcz
    >
    >
    >
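
The two lookup directions this thread distinguishes, as an added example that is not part of any poster's message and is not DB2 code: a pre-change check that does a reverse lookup on a local IP address (the gethostbyaddr direction the manual quote describes) and then confirms the returned name with a forward lookup, which goes one step beyond the quote. The function name `check_startup_lookup`, the stub resolvers and the sample addresses and host names are constructed for illustration.

```python
import socket

def check_startup_lookup(local_ip, reverse=socket.gethostbyaddr,
                         forward=socket.gethostbyname_ex):
    """Classify what a reverse lookup of local_ip yields: (status, name)."""
    try:
        # Reverse direction (address -> name), i.e. gethostbyaddr.
        name, aliases, _ = reverse(local_ip)
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return ("reverse_failed", None)
    # A fully qualified name may be the primary name or one of the aliases.
    fqdn = next((n for n in [name, *aliases] if "." in n), None)
    if fqdn is None:
        return ("not_fully_qualified", name)
    try:
        # Forward direction (name -> address), i.e. gethostbyname.
        _, _, addrs = forward(fqdn)
    except OSError:
        return ("forward_failed", fqdn)
    return ("ok" if local_ip in addrs else "forward_mismatch", fqdn)

# Constructed sample data (documentation address range), standing in for DNS.
SAMPLE_PTR = {
    "192.0.2.10": ("db2host.example.com", ["db2host"]),
    "192.0.2.12": ("shortname", []),
    "192.0.2.13": ("stale.example.com", []),
}
SAMPLE_A = {
    "db2host.example.com": ["192.0.2.10"],
    "stale.example.com": ["192.0.2.99"],
}

def stub_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    name, aliases = SAMPLE_PTR[ip]
    return (name, aliases, [ip])

def stub_forward(name):
    if name not in SAMPLE_A:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return (name, [], SAMPLE_A[name])

def run_samples():
    ips = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    return {ip: check_startup_lookup(ip, stub_reverse, stub_forward) for ip in ips}

if __name__ == "__main__":
    for ip, result in run_samples().items():
        print(ip, result)
```

Called with only an address, `check_startup_lookup` uses the system resolver, so it can be run on a host before and after a resolver change to see which case applies.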










    Martin Wolff
    Did DDF actually fail or did it just complain and then carry on? We didn't
    initially give DDF superuser (ROOT access?) that DDF needs to issue a
    GetHostByAddr (perhaps there is their security issue) but DDF seems to still
    work fine. As far as I can see, the GetHostByAddr is only used to fill in
    all the details of the DSNL004I message at start-up. Apparently, you can't
    issue asynchronous I/O socket calls (whatever that might be) without being a
    superuser though DDF does work without them (in our case over 2 years!).

    The installation guide (Enable DDF for OpenEdition) does say:-

    Please note that DDF executes as an authorized program and is protected
    against any unauthorized use of this privilege by DDF users.

    If your security audit guys understand the authorized program concept, that
    may sway them to give DDF the access back, if not .....


    Martin Wolff.
    (Still) Global Crossing


    >When DDF starts, DB2 appears to do a reverse DNS lookup, that is
    >GetHostByName().

    >After an external security audit my customer was advised to turn the reverse
    >DNS lookup OFF. Naturally, the next time DDF was started it failed so we
    >turned the reverse lookup back on.

    >Has anyone had to deal with this issue ?

    >Is the GetHostByName a genuine security problem on OS/390 ?

    >Is there a work around that will allow DB2 and DDF to resolve the host name
    >without a reverse lookup ?

    >Thanks in advance
    >Regards,
    >Peter Schwarcz





    Copyright © 2014 IDUG. All Rights Reserved
