Re: Has anyone implemented "double forward DNS"?

From: Glynn Clements <glynn@gclements.plus.com>
To: Duncan Simpson <dps@simpson.demon.co.uk>
Cc: bugtraq@securityfocus.com
Subject: Re: Has anyone implemented "double forward DNS"?
Date:



Duncan Simpson wrote:

> Double reverse DNS, which checks the name found using reverse DNS matches the 
> IP adrdess enquired about is now common. I was wondering wether about has 
> applied the same technique to forward DNS queries too.
> 
> The idea here is that a client that finds www.example.com is 192.168.3.42 does 
> not trist this infiormation. Instead it looks up 42.3.168.192.in-addr.arpa and 
> checks for a PTR record saying www.example.com. If one is not found then the 
> result is disinformation and should not be used. Of course if the bad guy also 
> controls the client's information about the reverse zone it still loses.
> 
> The major problem I can see is that there might that hosts in ISP's 
> dynamically allocated address pools might all fail double forward DNS checks. 
> OTOH if you were expecting your bank or a CA's server that might count as a 
> feature :-)

The major problem I can see is that it's not at all uncommon to have
dozens or even hundreds of hostnames all resolve to a single IP
address belonging to a shared server. Requesting a PTR record for that
IP address typically isn't going to give you the hostname you started
with.

-- 
Glynn Clements <glynn@gclements.plus.com>





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.