Bugtraq mailing list archives
Re: Has anyone implemented "double forward DNS"?
From: Jerry Franz <jfranz () freerun com>
Date: Wed, 03 Sep 2008 09:40:04 -0700
Duncan Simpson wrote: [...]
The idea here is that a client that finds www.example.com is 192.168.3.42 does not trist this infiormation. Instead it looks up 42.3.168.192.in-addr.arpa and checks for a PTR record saying www.example.com. If one is not found then the result is disinformation and should not be used. Of course if the bad guy also controls the client's information about the reverse zone it still loses.
[...]Your proposal would cause a lot of trouble for sites using shared-ip virtual webhosting (read many, perhaps most, sites) since it could require potentially thousands (or more) of PTR records for each shared-ip webserver IP (which would do nasty things to DNS in general).
-- Benjamin Franz
Current thread:
- Has anyone implemented "double forward DNS"? Duncan Simpson (Sep 02)
- Re: Has anyone implemented "double forward DNS"? The Fungi (Sep 03)
- Re: Has anyone implemented "double forward DNS"? Ansgar Wiechers (Sep 03)
- Re: Has anyone implemented "double forward DNS"? Ansgar -59cobalt- Wiechers (Sep 04)
- Re: Has anyone implemented "double forward DNS"? Steven Bakker (Sep 05)
- Re: Has anyone implemented "double forward DNS"? Ansgar -59cobalt- Wiechers (Sep 04)
- Re: Has anyone implemented "double forward DNS"? Jerry Franz (Sep 03)
- Re: Has anyone implemented "double forward DNS"? Glynn Clements (Sep 03)
- Re: Has anyone implemented "double forward DNS"? terry white (Sep 03)