p2p: Use absolute FQDN for DNS seed domains #23268

pull ghost wants to merge 1 commits into bitcoin:master from changing 1 files +14 −14
  1. ghost commented at 3:35 PM on October 12, 2021: none

    Fixes #23193 by using absolute FQDN for domains used by DNS seeds.

    It improves security and should not break anything based on my research and testing. Few things about absolute FQDN are shared in https://superuser.com/questions/1467958/why-does-putting-a-dot-after-the-url-remove-login-information

    Master branch:

    DNS seed x9.dnsseed.bitcoin.dashjr.org. responded with IP 127.0.0.1

    PR branch:

    DNS seed x9.dnsseed.bitcoin.dashjr.org. responded with IP 159.89.108.149

    Reviewers can follow the steps mentioned in Issue to test: #23193 (comment)

  2. ghost commented at 3:35 PM on October 12, 2021: none

    @practicalswift did all the research and helped me with testing. There was weird behavior with Fedora which is explained in #23193 (comment)

    I just created this PR and added dots in the domains used by DNS seeds.

  3. DrahtBot added the label P2P on Oct 12, 2021
  4. DrahtBot added the label Validation on Oct 12, 2021
  5. luke-jr approved
  6. luke-jr commented at 7:41 PM on October 12, 2021: member

    utACK

  7. luke-jr commented at 7:58 PM on October 12, 2021: member

    You might consider rewriting this by appending the final period in ThreadDNSAddressSeed, rather than expecting the chainparams to have it for each entry. That seems safe and more mistake-resistant (eg, you forgot the testnet DNS seeds).

  8. kristapsk approved
  9. kristapsk commented at 7:59 PM on October 12, 2021: contributor

    utACK 04ef501ae030df490d419e3cf97b2dd34f2ec655

  10. MarcoFalke removed the label Validation on Oct 13, 2021
  11. practicalswift commented at 8:08 AM on October 13, 2021: contributor

    Concept ACK on fixing this issue @prayank23, you'll have to address all instances of git grep -E 'vSeeds.emplace_back\("[^"]+[a-z]"\);' if you want to fix this by taking the "add dots to vSeeds" route :)

    I see three different approaches to fixing this:

    • Specify seed node strings as FQDNs by appending . to the seed hostname strings in src/chainparams.cpp's vSeed.
    • Change from strprintf("x%x.%s", requiredServiceBits, seed) to strprintf("x%x.%s.", requiredServiceBits, seed) when building the seed hostname in CConnman::ThreadDNSAddressSeed().
    • Add a bool allow_non_fqdn argument to Lookup* functions, and automatically add a trailing . before passing the hostname string to getaddrinfo if !allow_non_fqdn. This approach would make the choice between FQDN vs "potentially non-FQDN" explicit.
  12. laanwj commented at 10:59 AM on October 13, 2021: member

    Concept ACK. No strong opinion on where to add the dots. But I think there's something to be said in keeping the domain lookup functionality generic and adding the dots at the source in chainparams (in case people want to specify non-FQDN domains in the configuration for their own local use), as it is now.

  13. ghost commented at 4:37 PM on October 13, 2021: none
    • Made changes in 4 domains used by testnet DNS seeds (L233-L236)
    • Added @practicalswift as co-author
  14. practicalswift commented at 9:37 AM on October 14, 2021: contributor

    @prayank23

    Still not complete I'm afraid: the signet DNS seed node is not changed :)

    This is the command I used locally to check the changes:

    $ sed -i 's/vSeeds.emplace_back("\(.*[a-z]\)");/vSeeds.emplace_back("\1.");/g' src/chainparams.cpp

    When doing the touch up you may drop me as co-author: I'm just an enthusiastic reviewer, and to not introduce confusion I think "co-author" tagging should be reserved to situations where the actual commit is written by multiple parties (such as when editing a cherry-picked commit from another author) :)

  15. practicalswift commented at 11:09 AM on October 14, 2021: contributor

    @prayank23

    Looks good now. Please squash into one commit and I'll do the final review :)

  16. ghost commented at 11:59 AM on October 14, 2021: none

    @practicalswift I did something wrong with squashing. Will fix it. Signet domain wasn't there because PR branch wasn't synced with master when I created pull request.

    I had added you as co-author because its a small change and was suggested by you. Will remove it if you aren't okay with it.

  17. unknown closed this on Oct 14, 2021
  18. Use absolute FQDN for DNS seed domains ca2c313aa2
  19. unknown reopened this on Oct 14, 2021
  20. practicalswift commented at 1:04 PM on October 14, 2021: contributor

    cr ACK ca2c313aa291ae44adc1b7148ed49125bdc77bf4

    Reviewed by comparing diff with sed -i 's/vSeeds.emplace_back("\(.*[a-z]\)");/vSeeds.emplace_back("\1.");/g' src/chainparams.cpp on local tree.

  21. laanwj commented at 12:28 PM on October 15, 2021: member

    code review ACK ca2c313aa291ae44adc1b7148ed49125bdc77bf4

  22. promag commented at 7:45 PM on October 15, 2021: member

    Code review ACK ca2c313aa291ae44adc1b7148ed49125bdc77bf4.

  23. fanquake merged this on Oct 16, 2021
  24. fanquake closed this on Oct 16, 2021
  25. delta1 referenced this in commit a5f6936dd9 on May 11, 2023
Contributors
ghostluke-jrkristapskpracticalswiftlaanwjpromag
Labels
P2P
Linked (view graph)
#23193 DNS seed node lookup is ambiguous in some (rare) scenarios
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-16 18:14 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me