
telnet AND DNS namelookup

I've some Linux systems with different telnet executables. These telnet differ slightly in size (67776 vs. 65360), and the use of libncurses.so (.6 vs .5).
My problem is that one of them makes a DNS lookup for each host, even if given as IP-address. This is annoying, 'cause it may timeout after 20 seconds.

Keep in mind that this has nothing to do with a DNS server and/or /etc/hosts and/or /etc/nsswitch.conf 'cause it happens always for the one telnet and not for the other on the same machine.

Does anybody know when this behaviour was changed, and if there is a possibility to switch it off (like it was possible in ancient SunOS4.x)?
Where are the sources of telnet?

Top Expert 2005

Commented:
Is it the telnet client or telnet daemon that is doing the DNS lookup (as evidenced by a sniffer trace taken on the client system)? And do you really have more than one version of the telnet client on a single machine? So far as I know that would imply that someone has installed a second telnet executable and that would make me think of a cracker right away (i.e., a trojan for password stealing). I think I'd be looking at sniffer traces and trussing the aberrant telnet executable to make sure that I understood exactly what it is doing.

I don't know if it is universal across Linux distros, but RedHat uses the telnet sources from the netkit distribution (ftp://ftp.uk.linux.org/pub/linux/Networking).

Commented:
Heh, mine does that too, weird.

You can confirm that yours is doing that by running "strace telnet 12.34.56.78 >& telnet.strace",
hitting ^C after a couple seconds, and then searching the log file for a connect(..., sin_port=htons(53), ...) immediately followed by a send(...) (that's a DNS lookup).
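
The check interiot describes above, as an added example that is not part of the original thread: a POSIX shell function that scans an strace log for a connect() to port 53 followed by a send on the same descriptor. The function names, the sample log (constructed) and the resolver address 192.0.2.53 are assumptions, and the log is expected to come from strace run without -f.

```shell
#!/bin/sh
# Added example: find DNS queries in an strace log of telnet.

# Print one line per DNS query found: "<log line number> <resolver ip>".
# A query is a connect() to port 53 followed by a send on the same fd.
# close() forgets the fd, so a later TCP socket that reuses the same
# descriptor number is not mistaken for a DNS query.
dns_queries() {
    awk '
    /^connect\(/ && /sin_port=htons\(53\)/ {
        fd = $0; sub(/^connect\(/, "", fd); sub(/,.*/, "", fd)
        ip = $0; sub(/.*inet_addr\("/, "", ip); sub(/".*/, "", ip)
        resolver[fd] = ip
        next
    }
    /^(send|sendto|sendmmsg)\(/ {
        fd = $0; sub(/^[a-z]+\(/, "", fd); sub(/,.*/, "", fd)
        if (fd in resolver) print NR, resolver[fd]
        next
    }
    /^close\(/ {
        fd = $0; sub(/^close\(/, "", fd); sub(/\).*/, "", fd)
        delete resolver[fd]
    }
    ' "$1"
}

# Constructed sample log: a PTR query for 12.34.56.78, then the telnet
# connection itself on a reused descriptor number.
write_sample_log() {
    cat > "$1" <<'EOF'
execve("/usr/bin/telnet", ["telnet", "12.34.56.78"], [/* 30 vars */]) = 0
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
send(3, "\23\67\1\0\0\1\0\0\0\0\0\0\00278\00256\00234\00212\7in-addr\4arpa\0\0\f\0\1", 42, 0) = 42
close(3) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("12.34.56.78")}, 16) = 0
send(3, "\377\375\3", 3, 0) = 3
EOF
}

log=$(mktemp)
write_sample_log "$log"
dns_queries "$log"
rm -f "$log"
```

The in-addr.arpa name visible in the send() buffer is what distinguishes a reverse (PTR) lookup from a forward one.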
CERTIFIED EXPERT

Author

Commented:
> Is it the telnet client or telnet daemon ..
telnet, as I said, proved approx. with tcpdump, explicit with strace

> .. do you really have more than one version ..
Of course :-))

> ..hat would imply that someone has installed a second telnet ..
True. I'm pretty sure it was the admin (hmm, that's me:)
So, forget anything about cracker, trojan, etc.

> .. looking at sniffer traces and trussing ..
see previous comment from interiot

BTW, both telnets are from SuSE distribution, working one from 6.4, bad one from 7.x
CERTIFIED EXPERT

Author

Commented:
still listening ..
CERTIFIED EXPERT

Author

Commented:
still listening
Top Expert 2005

Commented:
Hmmm, is the telnetd that is doing the lookup on the 7.x systems and does 7.x use xinetd? If it is, try commenting out the 'log_on_failure  += USERID' or any other 'log' lines. It may not be the telnet daemon that's doing the lookup. Also tcpwrappers can cause a DNS lookup if they are installed.

One other possibility would be something in one of the system libraries and not telnetd, per se.
CERTIFIED EXPERT

Author

Commented:
jlevie, thanks for being back.
As said before it is telnet itself, not any lib (I simply copied telnet from one host to the other, but no libs, see previous comment)
Also, what do you mean by 7.x system, RH, SuSE?
AFAIK this doesn't matter 'cause I have the same behaviour just by copying telnetd.
Top Expert 2005

Commented:
Okay, my reference to 7.x is in response to your statement that you were using "SuSE distribution, working one from 6.4, bad one from 7.x".

My understanding right now is that you can copy only the telnet executable from a 6.4 system to, say, a 7.x system, and not have the problem. But if you copy the telnet executable from 7.x to a 6.4 system the problem occurs there and on the 7.x system. In other words the problem follows the 7.x version of telnet regardless of the OS version. Correct?

Obviously that behaviour casts the blame on the telnet code. My guess, without researching it, is that SuSE is using the Netkit telnet like RedHat and Mandrake. At least I can duplicate the behaviour you see on my RedHat 7.2 system. I've got the Netkit telnet distribution but haven't had time yet to take more than a cursory look at the code. Perhaps later today or tomorrow.
CERTIFIED EXPERT

Author

Commented:
Correct !
CERTIFIED EXPERT

Author

Commented:
.. still listening ..
CERTIFIED EXPERT

Author

Commented:
.. listening ..
Gns
CERTIFIED EXPERT

Commented:
What type of lookup is it?

I'd think that a simple reverse-lookup would be pretty innocuous(sp?) in the eyes of a programmer.
Hm, seems I'll have to dig up the code and have a look...

-- Glenn
Top Expert 2005

Commented:
I know you probably thought that I'd forgotten about this, but I hadn't. I finally had the time to do a bit of research on this. I've looked at the netkit-telnet sources for 0.14-0.17, which is what RedHat uses. And all of those do a gethostbyaddr() on the IP of the connected client. That, of course, will do a DNS reverse lookup if DNS is enabled on the system and the client is not in the local hosts file (assuming the host resolution order is files, then DNS).

I haven't been able to find the telnetd sources for a SuSE 6.4 distribution, but my assumption is that they either didn't use netkit-telnet-0.14 or later, or the sources were modified not to do a gethostbyaddr().
CERTIFIED EXPERT

Author

Commented:
nice to see you back ;-)

'cause both my telnets are SuSE, I think that they may be modified there (I'll try to check that out, will take time, and probably will not be answered by SuSE).
Think that we can be sure that SuSE tries to avoid adopting RH sources (for political reason)-:

Anyway, IMHO this nasty behaviour needs to be fixed, somewhere (telnet, netkit, nsswitch.conf), somehow ...
I'm really interested why there're different versions of telnet (or the used net-libraries), and why this is a problem just for Linux.
Top Expert 2005

Commented:
As far as I know the netkit-telnet sources aren't "RedHat sources" and are used by some of the other distro's. I know that the original work wasn't done by RedHat personnel, although they may well have been the major contributor recently. If I could have found the SuSE src for 6.4 I'd have looked at that, but I couldn't find it anywhere. If you have those sources I'd be glad to examine them to see what they use and how it works.
CERTIFIED EXPERT

Author

Commented:
I've SuSE distros: 5.3, 6.2, 6.4, 7.3
but didn't find sources for telnet.
Can you give me a hint about the name?
Gns
CERTIFIED EXPERT

Commented:
RH6.1 doesn't seem to have this "annoyance". It uses (to my knowledge netkit-) telnet-0.10, I might be able to "scrounge up" an RH6.2 too.
I'll have a look at the sources too.

-- Glenn
Gns
CERTIFIED EXPERT

Commented:
RH6.2 moved right along it seems. The telnet package is named telnet-0.16, which would mean that the gethostbyaddr would be present.

-- Glenn
CERTIFIED EXPERT

Author

Commented:
argh, telnet <ip>  works since roughly 30 years on any kind of UNIX like a charm. Just (some) Linux sucks :-(
And I cannot find any valuable source for telnet ...
Gns
CERTIFIED EXPERT

Commented:
Roughly it is, ARPA wasn't founded in -72;-).

It seems to me that most Linuces (and anything else) based on netkit-0.<somewhere between 10 and 14> would "suck" in this respect.

I found a source rpm "update" to RH6.0 with telnet-0.10 (if you don't mind the swedish mirror) at http://ftp.sunet.se/pub/Linux/distributions/redhat/redhat/linux/updates/6.0/en/os/SRPMS/telnet-0.10-29.src.rpm

netkit-base-0.10 etc should be there too.

-- Glenn
Gns
CERTIFIED EXPERT

Commented:
If I understand the 0.10 code (I might have lost my way in all the #ifs:-), the only time gethostbyaddr would have been called is if aliasp is non-null (ie the -b <hostalias> has been given, to fool any remote IPADDRESS based "authentication").

I'll have to dig up some newer source and compare what happens there.

-- Glenn
Gns
CERTIFIED EXPERT

Commented:
Ah yes, using the -b option is verified to trigger the namelookup "badness" (using strace) for telnet-0.10.

-- Glenn
Top Expert 2005

Commented:
It seems to me that the easy solution would be an upgrade to the current netkit-telnet (0.17). On an older Linux one would have to build it from source, but it doesn't do a gratuitous gethostbyaddr(). One can get the netkit-telnet-0.17 sources from ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/
Gns
CERTIFIED EXPERT

Commented:
Or (assuming "order hosts, bind") you could easily dream up a wrapper script that gratuitously adds a dummy entry for the entry to /etc/hosts, tidying up on program exit:-). Not a recommendation.

Gurp. I just checked what the telnet-0.10 source package really contained (blush). Turns out that RH6.1 doesn't seem to use the "standard bsd netkit". There is a C++ netkit-0.10 tarball and a telnet-0.10 tarball (OpenBSD?!) and some patchfiles. So RH6.1 does not use the netkit telnet. RH7.1 (with appropriate patches) uses netkit-0.17 that does not evince the problem. I don't think 0.16 does either (couldn't find it in the source, but hey, my mind might have been addled going from heavily #if spattered C source to C++).

-- Glenn
CERTIFIED EXPERT

Author

Commented:
well, according to comments so far, it seems that no Linux distro uses original BSD telnet :-(
Even the different version of the same distros differ :-((

Keep on posting. I'll promise that I make a summary of this thread when I come (near) a solution.
Top Expert 2005

Commented:
I think what happened is that somewhere in the evolution of netkit telnet the gratuitous gethostbyaddr crept in, sometime after 0.10. And sometime later, apparently by 0.16, the problem was noticed and fixed.
CERTIFIED EXPERT

Author

Commented:
did a quick check on the 0.10 and 0.17 netkit source files: only telnet/commands.cc contains gethostbyname() but if-else'd by inet_aton(), the diff just shows formal changes.

IIRC, my truss (strace) of telnet showed gethostbyaddr().
Does this mean that both versions are the one I'm looking for?
Top Expert 2005
Commented:
That appears to be what it is looking like right now. In choosing between the two versions, I'd go for the 0.17 as there were security fixes prior to 0.17.
Gns
CERTIFIED EXPERT

Commented:
Yes... More trivia, and one clarification: (Clarification regarding RH6.1) Whether netkit-telnet-0.10 or "openbsd" telnet-0.10 is used, it is only when the "-b alias" option is used that a gethostbyaddr will be called. Seems that the telnet "in use" is the (plain C) "openbsd" variant.
Mdk8.1 telnet comes from a package named telnet-client-krb5-1.2.2-11mdk, which seems to be "something completely different" (to paraphrase Monty Python:-). It has the annoying gratuitous gethostbyaddr. It is built from the krb5-1.2.2-11mdk.src.rpm file... Now looking at source... Aha, here we are back to the C sources of "telnet-0.10", with an added twist: After the connect() has succeeded, it (always) does a gethostbyaddr() to get the remote hostname... If I understand the package's toplevel README correctly, it is to satisfy some kerberos "madness".
Yes, this explains a lot.

Might it be that SuSE 7.0 has "kerberized" telnet?
--Glenn
CERTIFIED EXPERT

Author

Commented:
even this is not an answer to what I asked for, I'll close this question 'cause there seem no telnet-developers hanging around here ;-)
This suggestion was the closest to a workaround.

Thanks everybody participating ...