Re: Has anyone implemented "double forward DNS"?

From: Jerry Franz <jfranz@freerun.com>
To: bugtraq@securityfocus.com
Cc:
Subject: Re: Has anyone implemented "double forward DNS"?
Date:




Duncan Simpson wrote:

[...]
> The idea here is that a client that finds www.example.com is 192.168.3.42 does 
> not trist this infiormation. Instead it looks up 42.3.168.192.in-addr.arpa and 
> checks for a PTR record saying www.example.com. If one is not found then the 
> result is disinformation and should not be used. Of course if the bad guy also 
> controls the client's information about the reverse zone it still loses.
[...]

Your proposal would cause a lot of trouble for sites using shared-ip 
virtual webhosting (read many, perhaps most, sites) since it could 
require potentially thousands (or more) of PTR records for each 
shared-ip webserver IP (which would do nasty things to DNS  in general).

-- 
Benjamin Franz





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.