Has anyone implemented "double forward DNS"?

From: Duncan Simpson <dps@simpson.demon.co.uk>
To: bugtraq@securityfocus.com
Cc:
Subject: Has anyone implemented "double forward DNS"?
Date:



Double reverse DNS, which checks the name found using reverse DNS matches the 
IP adrdess enquired about is now common. I was wondering wether about has 
applied the same technique to forward DNS queries too.

The idea here is that a client that finds www.example.com is 192.168.3.42 does 
not trist this infiormation. Instead it looks up 42.3.168.192.in-addr.arpa and 
checks for a PTR record saying www.example.com. If one is not found then the 
result is disinformation and should not be used. Of course if the bad guy also 
controls the client's information about the reverse zone it still loses.

The major problem I can see is that there might that hosts in ISP's 
dynamically allocated address pools might all fail double forward DNS checks. 
OTOH if you were expecting your bank or a CA's server that might count as a 
feature :-)

Browsers could implement this *now* and hopefully sreject at least some DNS 
disinformation.

It would also help if web browser's displayed the information about who a 
valid certifciate correspnonds to somewhere prominently instead of just a 
padlock. My evil ID and banking detials theft site could have a valid 
cetificate and therefore fool users who just check for a valid SSL certificate.

-- 
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."






Copyright © 1995-2021 LinuxRocket.net. All rights reserved.