lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 3 Sep 2008 03:42:32 +0000
From: The Fungi <fungi@...goth.org>
To: bugtraq@...urityfocus.com
Subject: Re: Has anyone implemented "double forward DNS"?

On Sat, Aug 30, 2008 at 01:05:51AM +0100, Duncan Simpson wrote:
[...]
> Of course if the bad guy also controls the client's information
> about the reverse zone it still loses.

Under what circumstances do you expect the attacker to be able to
spoof/poison responses for one query but not the other?

> The major problem I can see is that there might that hosts in
> ISP's dynamically allocated address pools might all fail double
> forward DNS checks.
[...]

How about a the very common situation of name-based virtual hosting?
Do you propose a round-robin of multiple pointer resource records
for a single IP address, one for each domain hosted at that same
address? That could easily exceed a resolver's maximum response
length...
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi@...goth.org); IRC(fungi@....yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@...goth.org);
MUD(fungi@...arsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ