Re: Has anyone implemented "double forward DNS"?

From: The Fungi <fungi@yuggoth.org>
To: bugtraq@securityfocus.com
Cc:
Subject: Re: Has anyone implemented "double forward DNS"?
Date:


On Sat, Aug 30, 2008 at 01:05:51AM +0100, Duncan Simpson wrote:
[...]
> Of course if the bad guy also controls the client's information
> about the reverse zone it still loses.

Under what circumstances do you expect the attacker to be able to
spoof/poison responses for one query but not the other?

> The major problem I can see is that there might that hosts in
> ISP's dynamically allocated address pools might all fail double
> forward DNS checks.
[...]

How about a the very common situation of name-based virtual hosting?
Do you propose a round-robin of multiple pointer resource records
for a single IP address, one for each domain hosted at that same
address? That could easily exceed a resolver's maximum response
length...
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi@yuggoth.org); IRC(fungi@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@yuggoth.org);
MUD(fungi@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.