Bug #81132 MySQL doesn't allow access to host names that are just numeric
Submitted: 19 Apr 2016 2:58
Modified: 27 Jul 2016 15:01
Reporter: Jaime Sicam
Status: Not a Bug
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 5.5, 5.6
OS: Any
Assigned to:
CPU Architecture: Any

[19 Apr 2016 2:58] Jaime Sicam
Description:
Let's say I have a user called test that is allowed from domain "%.gf"
GRANT ALL PRIVILEGES ON *.* to test@'%.gf' identified by 'test123';
FLUSH PRIVILEGES;

Connection is allowed from host 11a1111.111.abc.def.gh but not on 1111111.111.abc.def.gh and 202.def.gh

How to repeat:
Test access from these hosts: 192.168.0.5, 192.168.0.32 and 192.168.0.212
192.168.0.5 1111111.111.abc.def.gh 
192.168.0.32 11a1111.111.abc.def.gh
192.168.0.32 202.def.gh

On DNS, forward and reverse DNS have been configured:
host 192.168.0.5
5.0.168.192.in-addr.arpa domain name pointer 1111111.111.abc.def.gh.

host 192.168.0.32
32.0.168.192.in-addr.arpa domain name pointer 11a1111.111.abc.def.gh.

host 192.168.0.212
212.0.168.192.in-addr.arpa domain name pointer 212.def.gh.

host 1111111.111.abc.def.gh
1111111.111.abc.def.gh has address 192.168.0.5

host 11a1111.111.abc.def.gh
11a1111.111.abc.def.gh has address 192.168.0.32

host 212.def.gh
212.def.gh has address 192.168.0.212

Testing via telnet from 192.168.0.5:
telnet 192.168.0.40 21690
Trying 192.168.0.40...
Connected to 192.168.0.40.
Escape character is '^]'.
DHost '192.168.0.5' is not allowed to connect to this MySQL serverConnection closed by foreign host.

Testing via telnet from 192.168.0.32:
telnet 192.168.0.40 21690
Trying 192.168.0.40...
Connected to 192.168.0.40.
Escape character is '^]'.
S
5.6.25-73.1-log	sk?;F1`?,-;"6+pv~88Pmysql_native_password

Testing via telnet from 192.168.0.212:
telnet 192.168.0.40 21690
Trying 192.168.0.40...
Connected to 192.168.0.40.
Escape character is '^]'.
FHost '192.168.0.212' is not allowed to connect to this MySQL serverConnection closed by foreign host.

Suggested fix:
Allow numeric host names
[21 Apr 2016 6:02] Jaime Sicam
I also got these warnings from the error log if it helps:
2016-04-19 02:26:02 5854 [Warning] IP address '192.168.0.5' has been resolved to the host name '1111111.111.abc.def.gh', which resembles IPv4-address itself.
2016-04-19 02:26:03 5854 [Warning] IP address '192.168.0.5' has been resolved to the host name '1111111.111.abc.def.gh', which resembles IPv4-address itself.
2016-04-19 02:39:52 5854 [Warning] IP address '192.168.0.212' has been resolved to the host name '212.def.gh', which resembles IPv4-address itself.
2016-04-19 02:49:44 5854 [Warning] IP address '192.168.0.5' has been resolved to the host name '1111111.111.abc.def.gh', which resembles IPv4-address itself.
2016-04-19 02:52:17 5854 [Warning] IP address '192.168.0.212' has been resolved to the host name '212.def.gh', which resembles IPv4-address itself.
[22 Apr 2016 2:17] Jaime Sicam
Sorry, test user should be: 
GRANT ALL PRIVILEGES ON *.* to test@'%.gh' identified by 'test123';
[2 May 2016 9:09] tsubasa tanaka
It seems this is designed behavior.

> Because you can use IP wildcard values in host values (for example, '192.168.1.%' to match every host on a subnet), someone could try to exploit this capability by naming a host 192.168.1.somewhere.com. To foil such attempts, MySQL disallows matching on host names that start with digits and a dot. Thus, if you have a host named something like 1.2.example.com, its name never matches the host part of account names. An IP wildcard value can match only IP addresses, not host names.

http://dev.mysql.com/doc/refman/5.5/en/account-names.html
http://dev.mysql.com/doc/refman/5.6/en/account-names.html
http://dev.mysql.com/doc/refman/5.7/en/account-names.html
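
The host-matching rule quoted in the comment above, modeled as an added example (not part of the original thread and not MySQL's own code) and run over the three clients from the report. It is a simplified sketch: the function names are hypothetical, only the % and _ wildcards are handled, and netmask host values are not modeled.

```python
import re

def starts_with_digits_and_dot(hostname):
    """Documented rule: such names never match the host part of an account."""
    return re.match(r"[0-9]+\.", hostname) is not None

def host_pattern_to_regex(pattern):
    """Translate an account host pattern (% = any run, _ = one character)."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def account_host_matches(pattern, client_ip, resolved_name):
    """True if the account host pattern accepts this client."""
    rx = host_pattern_to_regex(pattern)
    # The client's IP address is always a candidate for matching.
    if rx.fullmatch(client_ip):
        return True
    # A resolved name that starts with digits and a dot is never compared,
    # so a PTR record cannot impersonate an IP wildcard such as 192.168.1.%.
    if resolved_name is None or starts_with_digits_and_dot(resolved_name):
        return False
    return rx.fullmatch(resolved_name) is not None

# (client IP, PTR name) pairs taken from the report's DNS output.
CLIENTS = [
    ("192.168.0.5", "1111111.111.abc.def.gh"),
    ("192.168.0.32", "11a1111.111.abc.def.gh"),
    ("192.168.0.212", "212.def.gh"),
]

def audit(pattern, clients=CLIENTS):
    """Map each client IP to whether the account host pattern admits it."""
    return {ip: account_host_matches(pattern, ip, name) for ip, name in clients}

if __name__ == "__main__":
    for pattern in ("%.gh", "192.168.0.%"):
        print(pattern, audit(pattern))
```

Only 192.168.0.32 is admitted by '%.gh', which matches the telnet results in the report; an IP-based host value such as '192.168.0.%' admits all three clients regardless of their PTR names.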
[27 Jul 2016 15:01] MySQL Verification Team
These DNS names are not permitted. Please read this URL:

 http://dev.mysql.com/doc/refman/5.7/en/account-names.html

To quote one of the relevant parts of it:

"Because IP wildcard values are permitted in host values (for example, '192.168.1.%' to match every host on a subnet), someone could try to exploit this capability by naming a host 192.168.1.somewhere.com. To foil such attempts, MySQL does not perform matching on host names that start with digits and a dot. For example, if a host is named 1.2.example.com, its name never matches the host part of account names. An IP wildcard value can match only IP addresses, not host names."