Bug #60017 mysql rejects connections if dns authoritative for reverse ip>domain SERVFAIL
Submitted: 8 Feb 2011 19:10 Modified: 15 Jan 2013 14:32
Reporter: Jan Ksta
Status: Not a Bug
Category: MySQL Server: Security: Privileges Severity: S2 (Serious)
Version: 5.5.8 OS: Any
Assigned to: Matthew Lord CPU Architecture: Any

[8 Feb 2011 19:10] Jan Ksta
Description:
MySQL server rejects connections if the DNS server authoritative for the reverse IP>domain zone returns SERVFAIL, even if the privilege is user@%.

SERVFAIL should be treated as an empty reverse domain for the IP.

Currently the ISP responsible for DNS resolving your IP into a domain can block all your outgoing MySQL connections! Not good. It is also a security vulnerability.

This could be fixed by running the server with --skip-name-resolve, but it would also break the whole existing privilege system if it has hosts other than localhost (even hosts that are local (/etc/hosts)). That is no way to fix it.

Connected to mysql-server.com
Escape character is '^]'.
&Can't get hostname for your address
Connection closed by foreign host.

 nslookup 82.160.241.xxx
;; Got SERVFAIL reply from 213.133.98.98, trying next server
;; Got SERVFAIL reply from 213.133.99.99, trying next server
Server:         213.133.100.100
Address:        213.133.100.100#53

** server can't find 131.241.160.82.in-addr.arpa: SERVFAIL

How to repeat:
guess
[15 Jan 2013 14:32] Matthew Lord
Hi Jan,

Thank you for the bug report!

SERVFAIL is an *error* returned by the reverse DNS lookup. This can be caused by a number of things (for example, you have multiple names assigned to the same IP in your reverse zone) and it IS a failure.

You are correct, however, in that we could consider adding a new feature where we DO accept SERVFAIL when the MySQL account being used has a host == '%'.

I will mark this as Not a Bug, as it is the intentional and documented behavior. Please let me know if you would like me to instead mark this as a verified feature request, and I will do that for you.

Thank you!

Matt
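The thread above turns on one distinction: a reverse lookup that answers NXDOMAIN (no PTR record) leaves the client unnamed but still able to match an account by IP or by '%', whereas a SERVFAIL answer is a resolver error and the server closes the connection with "Can't get hostname for your address" before any account host is consulted. The script below is an added example, not MySQL's code and not from the reporter or the assignee. It models that decision with the same library call a server would make (getnameinfo with NI_NAMEREQD) and assumes the glibc mapping of NXDOMAIN to EAI_NONAME and SERVFAIL to EAI_AGAIN; the exact error-code split, the simplified account-host matching (no netmask syntax), and the `FAKE_PTR` resolver with its 192.0.2.x addresses are constructed for the example.

```python
import re
import socket

# Assumption (glibc behaviour): a SERVFAIL answer surfaces as EAI_AGAIN and
# NXDOMAIN (no PTR record) as EAI_NONAME. EAI_AGAIN is absent from the socket
# module on some platforms, so fall back to the Linux value.
EAI_AGAIN = getattr(socket, "EAI_AGAIN", -3)
EAI_NONAME = socket.EAI_NONAME


def reverse_lookup(ip, getnameinfo=socket.getnameinfo):
    """Model of the server-side reverse lookup (assumed NI_NAMEREQD call).

    Returns one of:
      ("resolved", hostname)  a PTR record was found
      ("unresolved", None)    EAI_NONAME: no PTR; the server continues and can
                              only match the account host against the IP
      ("error", errno)        any other resolver error (SERVFAIL -> EAI_AGAIN):
                              the client sees "Can't get hostname for your address"
    """
    try:
        hostname, _ = getnameinfo((ip, 0), socket.NI_NAMEREQD)
        return ("resolved", hostname)
    except socket.gaierror as exc:
        if exc.errno == EAI_NONAME:
            return ("unresolved", None)
        return ("error", exc.errno)


def host_pattern_matches(pattern, candidate):
    """MySQL-style account host matching: '%' and '_' are LIKE wildcards.

    Simplified for the example: the ip/netmask form is not handled."""
    if candidate is None:
        return False
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, candidate, re.IGNORECASE) is not None


def connection_decision(ip, account_host, getnameinfo=socket.getnameinfo):
    """Return ("accept", why) or ("reject", why) for a client at `ip`
    connecting as 'user'@account_host."""
    outcome, value = reverse_lookup(ip, getnameinfo)
    if outcome == "error":
        # The resolver error rejects the client before any account is checked,
        # which is why even 'user'@'%' cannot get in on SERVFAIL.
        return ("reject", f"Can't get hostname for your address (gai errno {value})")
    hostname = value  # None when unresolved
    if host_pattern_matches(account_host, hostname) or host_pattern_matches(account_host, ip):
        return ("accept", f"matched {account_host!r} (hostname={hostname!r})")
    return ("reject", f"no account host matched (hostname={hostname!r})")


# Constructed stand-in resolver covering the three DNS situations discussed.
FAKE_PTR = {
    "192.0.2.10": "db-client.example.net",  # PTR exists
    "192.0.2.20": EAI_NONAME,               # no PTR record (NXDOMAIN)
    "192.0.2.30": EAI_AGAIN,                # authoritative server answers SERVFAIL
}


def fake_getnameinfo(sockaddr, flags):
    """Drop-in for socket.getnameinfo backed by FAKE_PTR (constructed data)."""
    result = FAKE_PTR.get(sockaddr[0], EAI_NONAME)
    if isinstance(result, str):
        return (result, "0")
    raise socket.gaierror(result, "simulated resolver failure")


if __name__ == "__main__":
    for ip in FAKE_PTR:
        for acct in ("%", "192.0.2.%", "db-client.example.net"):
            print(ip, acct, connection_decision(ip, acct, fake_getnameinfo))
```

To check a real client from the server host, call `reverse_lookup("<client ip>")` with the default resolver: an `("error", ...)` result is the case the report describes, and only fixing the reverse zone (or disabling lookups with --skip-name-resolve, with the consequence for name-based grants noted in the report) changes it.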