Re: Has anyone implemented "double forward DNS"?

From: Glynn Clements <>
To: Duncan Simpson <>
Subject: Re: Has anyone implemented "double forward DNS"?

Duncan Simpson wrote:

> Double reverse DNS, which checks that the name found using reverse DNS matches the 
> IP address enquired about, is now common. I was wondering whether anyone has 
> applied the same technique to forward DNS queries too.
> The idea here is that a client that finds is does 
> not trust this information. Instead it looks up and 
> checks for a PTR record saying If one is not found then the 
> result is disinformation and should not be used. Of course if the bad guy also 
> controls the client's information about the reverse zone it still loses.
> The major problem I can see is that hosts in ISPs' 
> dynamically allocated address pools might all fail double forward DNS checks. 
> OTOH if you were expecting your bank or a CA's server that might count as a 
> feature :-)

The major problem I can see is that it's not at all uncommon to have
dozens or even hundreds of hostnames all resolve to a single IP
address belonging to a shared server. Requesting a PTR record for that
IP address typically isn't going to give you the hostname you started

Glynn Clements <>
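The check described in the thread, as an added example that is not part of either message: resolve a name to its addresses, then require that each address has a PTR record naming the host you started from. The zone data below is constructed, not real DNS (the `.test` names and RFC 5737 documentation addresses are assumptions), and the lookups are injected as callables so the code runs offline; `system_forward` and `system_ptr` show how the same check would be driven by the system resolver. The sample zone deliberately includes the two failure modes raised in the thread: a shared server whose single PTR names only one of the sites hosted on it, and an address in an ISP pool with a generic PTR.

```python
"""Double forward DNS: forward-resolve a name, then confirm each returned
address has a PTR record that names the host we started from."""
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed toy zone data (assumption, not real DNS). Keys and values
# carry a trailing dot, as DNS owner names do.
FORWARD_ZONE: Dict[str, List[str]] = {
    "www.example-bank.test.": ["192.0.2.10"],
    "shared-a.test.": ["198.51.100.5"],
    "shared-b.test.": ["198.51.100.5"],   # second site on the same shared server
    "dyn-host.test.": ["203.0.113.77"],   # address from an ISP dynamic pool
}
PTR_ZONE: Dict[str, List[str]] = {
    "10.2.0.192.in-addr.arpa.": ["www.example-bank.test."],
    "5.100.51.198.in-addr.arpa.": ["shared-a.test."],    # PTR names only one site
    "77.113.0.203.in-addr.arpa.": ["pool-77.isp.test."],  # generic ISP name
}


def normalize(name: str) -> str:
    """Lower-case a DNS name and give it exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def toy_forward(name: str) -> List[str]:
    """A/AAAA lookup against the constructed forward zone."""
    return FORWARD_ZONE.get(normalize(name), [])


def toy_ptr(ip: str) -> List[str]:
    """PTR lookup against the constructed reverse zone, keyed by the
    in-addr.arpa / ip6.arpa owner name derived from the address."""
    owner = normalize(ipaddress.ip_address(ip).reverse_pointer)
    return PTR_ZONE.get(owner, [])


def system_forward(name: str) -> List[str]:
    """Same interface, backed by the system resolver (not used in the demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def system_ptr(ip: str) -> List[str]:
    """Same interface, backed by the system resolver (not used in the demo)."""
    try:
        hostname, aliases, _ = socket.gethostbyaddr(ip)
        return [hostname] + list(aliases)
    except socket.herror:
        return []


def double_forward_check(
    name: str,
    forward: Callable[[str], List[str]] = toy_forward,
    ptr: Callable[[str], List[str]] = toy_ptr,
) -> Dict[str, bool]:
    """Map each address the name resolves to -> whether a PTR for that
    address names the original host. An unresolvable name yields {}."""
    want = normalize(name)
    verdict: Dict[str, bool] = {}
    for ip in forward(want):
        ptr_names = {normalize(n) for n in ptr(ip)}
        verdict[ip] = want in ptr_names
    return verdict


def trusted_addresses(
    name: str,
    forward: Callable[[str], List[str]] = toy_forward,
    ptr: Callable[[str], List[str]] = toy_ptr,
) -> List[str]:
    """Only the addresses that pass the double forward check."""
    return [ip for ip, ok in double_forward_check(name, forward, ptr).items() if ok]


if __name__ == "__main__":
    for host in ("www.example-bank.test", "shared-a.test", "shared-b.test", "dyn-host.test"):
        print(f"{host:24} {double_forward_check(host)}")
```

Running the demo shows the point of the reply: `shared-a.test` passes but `shared-b.test` fails on the very same server, and `dyn-host.test` fails because the pool address carries an ISP-assigned PTR, so the check is only meaningful for hosts whose operator controls both the forward and the reverse zone.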
