Re: Has anyone implemented "double forward DNS"?

From: The Fungi <>
Subject: Re: Has anyone implemented "double forward DNS"?

On Sat, Aug 30, 2008 at 01:05:51AM +0100, Duncan Simpson wrote:
> Of course if the bad guy also controls the client's information
> about the reverse zone it still loses.

Under what circumstances do you expect the attacker to be able to
spoof/poison responses for one query but not the other?

> The major problem I can see is that there might that hosts in
> ISP's dynamically allocated address pools might all fail double
> forward DNS checks.

How about a the very common situation of name-based virtual hosting?
Do you propose a round-robin of multiple pointer resource records
for a single IP address, one for each domain hosted at that same
address? That could easily exceed a resolver's maximum response
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(; IRC(; ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(;
MUD(; WWW(; }

Copyright © 1995-2018 All rights reserved.