Bugtraq mailing list archives
Re: Has anyone implemented "double forward DNS"?
From: Glynn Clements <glynn () gclements plus com>
Date: Wed, 3 Sep 2008 01:25:46 +0100
Duncan Simpson wrote:
Double reverse DNS, which checks the name found using reverse DNS matches the IP address enquired about, is now common. I was wondering whether anyone has applied the same technique to forward DNS queries too. The idea here is that a client that finds www.example.com is 192.168.3.42 does not trust this information. Instead it looks up 42.3.168.192.in-addr.arpa and checks for a PTR record saying www.example.com. If one is not found then the result is disinformation and should not be used. Of course if the bad guy also controls the client's information about the reverse zone it still loses. The major problem I can see is that hosts in ISPs' dynamically allocated address pools might all fail double forward DNS checks. OTOH if you were expecting your bank or a CA's server that might count as a feature :-)
The major problem I can see is that it's not at all uncommon to have dozens or even hundreds of hostnames all resolve to a single IP address belonging to a shared server. Requesting a PTR record for that IP address typically isn't going to give you the hostname you started with.

--
Glynn Clements <glynn () gclements plus com>
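Added example, not part of the original posts: a sketch of the "double forward DNS" check discussed above, run against constructed zone data so it works offline. It shows both the case the check accepts and the shared-server case, where a legitimate name fails exactly like a forged one. The record tables, the lookup callbacks and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample records (illustrative only, not real DNS data).
A_RECORDS = {
    "www.example.com": ["192.168.3.42"],      # dedicated host, matching PTR
    "shop.example.net": ["192.168.7.10"],     # shared server
    "blog.example.org": ["192.168.7.10"],     # same shared server
    "spoofed.example.com": ["192.168.9.9"],   # forged answer, no PTR at all
}
PTR_RECORDS = {
    "42.3.168.192.in-addr.arpa": ["www.example.com"],
    "10.7.168.192.in-addr.arpa": ["shared-host-10.example.net"],
}


def normalize(name):
    """DNS names compare case-insensitively; drop any trailing root dot."""
    return name.rstrip(".").lower()


def double_forward_check(hostname, lookup_a, lookup_ptr):
    """Split the A records for hostname into (accepted, rejected).

    An address is accepted only if a PTR record for its in-addr.arpa
    name points back at the hostname that was originally queried.
    """
    wanted = normalize(hostname)
    accepted, rejected = [], []
    for ip in lookup_a(hostname):
        reverse_name = ipaddress.ip_address(ip).reverse_pointer
        ptr_names = {normalize(n) for n in lookup_ptr(reverse_name)}
        (accepted if wanted in ptr_names else rejected).append(ip)
    return accepted, rejected


def sample_a(name):
    return A_RECORDS.get(normalize(name), [])


def sample_ptr(name):
    return PTR_RECORDS.get(normalize(name), [])


def check(hostname):
    """Run the check against the constructed tables above."""
    return double_forward_check(hostname, sample_a, sample_ptr)


if __name__ == "__main__":
    for host in A_RECORDS:
        ok, bad = check(host)
        print(f"{host}: accepted={ok} rejected={bad}")
```

The two names on the shared server are rejected in the same way as the forged record, so the check on its own cannot tell them apart.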