Extra output from host command causes issue with ssh

Bug #1952131 reported by Dr Philip J Naylor
This bug affects 1 person
Affects: bind9 (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned

Bug Description

Coincident with the host command now outputting the names and IP addresses of the DNS servers, as well
as the host information requested, ssh seems to be getting the same (multi-line) response which it then
treats as a round-robin response. As a result, if the host is down, the ssh connection is redirected
to the first DNS server in the list, resulting in a "possible DNS spoofing" error.

This is with the packages:

bind9-dnsutils 1:9.16.1-0ubuntu2.9 amd64 Clients provided with BIND 9
bind9-host 1:9.16.1-0ubuntu2.9 amd64 DNS Lookup Utility
bind9-libs:amd64 1:9.16.1-0ubuntu2.9 amd64 Shared Libraries used by BIND 9
openssh-client 1:8.2p1-4ubuntu0.3 amd64 secure shell (SSH) client, for secure access to remote machines

On:

Description: Ubuntu 20.04.3 LTS
Release: 20.04

Expected result:
"connection timed out" error.

Actual result:
"possible DNS spoofing" error.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: bind9-host 1:9.16.1-0ubuntu2.9
Uname: Linux 5.10.60.1-microsoft-standard-WSL2 x86_64
ApportVersion: 2.20.11-0ubuntu27.21
Architecture: amd64
CasperMD5CheckResult: skip
Date: Wed Nov 24 15:48:40 2021
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: bind9
UpgradeStatus: No upgrade log present (probably fresh install)

Paride Legovini (paride) wrote :

Hello and thanks for this bug report. I'm not aware of any change in the 'host' command output, and indeed it seems to be the usual one to me:

root@paride-f:~# host ubuntu.com
ubuntu.com has address 91.189.88.181
ubuntu.com has address 185.125.190.29
ubuntu.com has address 185.125.190.21
ubuntu.com has address 185.125.190.20
ubuntu.com has address 91.189.88.180
ubuntu.com has IPv6 address 2001:67c:1360:8001::2c
ubuntu.com has IPv6 address 2001:67c:1360:8001::2b
ubuntu.com mail is handled by 10 mx.canonical.com.

This on a Focal system with bind9-dnsutils 1:9.16.1-0ubuntu2.9. Could you please copy/paste what's the output of the same command for you? I see you're using WSL, maybe the resolver is behaving oddly there? Thanks!

Changed in bind9 (Ubuntu):
status: New → Incomplete
Paride Legovini (paride) wrote :

Also: what's the output if you explicitly specify the DNS server to query? E.g.

root@paride-f:~# host ubuntu.com 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases:

ubuntu.com has address 91.189.88.181
ubuntu.com has address 185.125.190.20
ubuntu.com has address 185.125.190.29
ubuntu.com has address 91.189.88.180
ubuntu.com has address 185.125.190.21
ubuntu.com has IPv6 address 2001:67c:1360:8001::2b
ubuntu.com has IPv6 address 2001:67c:1360:8001::2c
ubuntu.com mail is handled by 10 mx.canonical.com.

Dr Philip J Naylor (p-j-naylor) wrote :

Extra command results as requested (this is indeed on WSL2):

pjn:~$ host ubuntu.com
ubuntu.com has address 91.189.88.180
ubuntu.com has address 91.189.88.181
ubuntu.com has address 185.125.190.20
ubuntu.com has address 185.125.190.29
ubuntu.com has address 185.125.190.21
ns1.canonical.com has address 91.189.94.173
ns2.canonical.com has address 91.189.95.3
ns3.canonical.com has address 91.189.91.139
ubuntu.com has IPv6 address 2001:67c:1360:8001::2c
ubuntu.com has IPv6 address 2001:67c:1360:8001::2b
ns1.canonical.com has address 91.189.94.173
ns2.canonical.com has address 91.189.95.3
ns3.canonical.com has address 91.189.91.139
ubuntu.com mail is handled by 10 mx.canonical.com.
ns1.canonical.com has address 91.189.94.173
ns2.canonical.com has address 91.189.95.3
ns3.canonical.com has address 91.189.91.139

pjn:~$ host ubuntu.com 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases:

ubuntu.com has address 185.125.190.21
ubuntu.com has address 185.125.190.29
ubuntu.com has address 185.125.190.20
ubuntu.com has address 91.189.88.181
ubuntu.com has address 91.189.88.180
ubuntu.com has IPv6 address 2001:67c:1360:8001::2b
ubuntu.com has IPv6 address 2001:67c:1360:8001::2c
ubuntu.com mail is handled by 10 mx.canonical.com.

And, the result of trying to connect to a down host:

pjn:~$ ping woden.chm.bris.ac.uk
PING woden.chm.bris.ac.uk (137.222.47.3) 56(84) bytes of data.
^C
--- woden.chm.bris.ac.uk ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6249ms

pjn:~$ host woden.chm.bris.ac.uk
woden.chm.bris.ac.uk has address 137.222.47.3
irix.bris.ac.uk has address 137.222.8.143
ncs.bris.ac.uk has address 137.222.8.142
ns3.ja.net has address 193.63.106.103
irix.bris.ac.uk has IPv6 address 2001:630:e4:82:137:222:8:143
ncs.bris.ac.uk has IPv6 address 2001:630:e4:82:137:222:8:142
ns3.ja.net has IPv6 address 2001:630:0:46::67

pjn:~$ ssh woden.chm.bris.ac.uk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for woden.chm.bris.ac.uk has changed,
and the key for the corresponding IP address 137.222.8.143
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/pjn/.ssh/known_hosts:1982
  remove with:
  ssh-keygen -f "/home/pjn/.ssh/known_hosts" -R "137.222.8.143"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uWlUoRB1FzEfprXfQ/hmU9B70YlhGoOBq+VeVYluclI.
Please contact your system administrator.
Add correct host key in /home/pjn/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/pjn/.ssh/known_hosts:2029
  remove with:
  ssh-keygen -f "/home/pjn/.ssh/kn...

Dr Philip J Naylor (p-j-naylor) wrote :

Further investigation indicates that this looks to be something weird about the WSL2 resolver implementation.
Replacing the out of the box /etc/resolv.conf (which uses the host computer as a name server) with one
using an external name server (e.g. 8.8.8.8) restores the expected behaviour.

I guess I'll need to raise this with Microsoft instead.
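
A check for the symptom in the output above, added here as an example and not part of the bug report or of any Ubuntu or WSL code: it parses `host` output and lists address records whose owner name is neither the queried name nor a CNAME target of it. WSL2_OUTPUT is copied from the reporter's session above; CNAME_OUTPUT and the function names are constructed for illustration.

```python
import re

# Line formats printed by host(1): "<owner> has address <ip>",
# "<owner> has IPv6 address <ip>", "<owner> is an alias for <target>."
ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")
ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)$")

# Copied from the reporter's WSL2 session above.
WSL2_OUTPUT = """\
woden.chm.bris.ac.uk has address 137.222.47.3
irix.bris.ac.uk has address 137.222.8.143
ncs.bris.ac.uk has address 137.222.8.142
ns3.ja.net has address 193.63.106.103
irix.bris.ac.uk has IPv6 address 2001:630:e4:82:137:222:8:143
ncs.bris.ac.uk has IPv6 address 2001:630:e4:82:137:222:8:142
ns3.ja.net has IPv6 address 2001:630:0:46::67
"""
# Constructed sample: a legitimate CNAME answer that must not be flagged.
CNAME_OUTPUT = """\
www.example.test is an alias for web.example.test.
web.example.test has address 192.0.2.10
"""

def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def stray_addresses(query, host_output):
    """Return (owner, ip) pairs whose owner is neither the queried name
    nor a CNAME target reachable from it."""
    lines = [l.strip() for l in host_output.splitlines() if l.strip()]
    aliases = {}
    for line in lines:
        m = ALIAS_RE.match(line)
        if m:
            aliases[norm(m.group(1))] = norm(m.group(2))
    # Follow the CNAME chain from the query to collect legitimate owners;
    # the loop also stops on a CNAME cycle.
    expected, name = set(), norm(query)
    while name not in expected:
        expected.add(name)
        name = aliases.get(name, name)
    matches = (ADDR_RE.match(line) for line in lines)
    return [(norm(m.group(1)), m.group(2)) for m in matches
            if m and norm(m.group(1)) not in expected]

if __name__ == "__main__":
    for owner, ip in stray_addresses("woden.chm.bris.ac.uk", WSL2_OUTPUT):
        print(f"unexpected record in answer: {owner} {ip}")
```

The address in the ssh warning, 137.222.8.143, is among the flagged records: it belongs to irix.bris.ac.uk, not to the host that was requested.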

Dr Philip J Naylor (p-j-naylor) wrote :

Looks like this is already logged as issue #7658 - https://github.com/microsoft/WSL/issues/7658

Paride Legovini (paride) wrote :

Thanks for the follow-up. As this doesn't seem to be a bug in Ubuntu, and as I doubt that a (sane) workaround can be implemented on the Ubuntu side, I'm marking this bug report as Invalid. Should you not agree, please do not hesitate to change the bug status back to New and share your reasoning; we'll look at it again. Thanks!
