lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 4 Sep 2008 15:34:16 +0200
From: Ansgar -59cobalt- Wiechers <bugtraq@...netcobalt.net>
To: bugtraq@...urityfocus.com
Subject: Re: Has anyone implemented "double forward DNS"?

On 2008-09-03 Ansgar Wiechers wrote:
> On 2008-08-30 Duncan Simpson wrote:
>> Double reverse DNS, which checks the name found using reverse DNS
>> matches the IP adrdess enquired about is now common. I was wondering
>> wether about has applied the same technique to forward DNS queries
>> too.
>> 
>> The idea here is that a client that finds www.example.com is
>> 192.168.3.42 does not trist this infiormation. Instead it looks up
>> 42.3.168.192.in-addr.arpa and checks for a PTR record saying
>> www.example.com. If one is not found then the result is disinformation
>> and should not be used.
> 
> Wrong.
> 
> cobalt@...ome:~ $ host www.planetcobalt.net
> www.planetcobalt.net    CNAME   chrome.planetcobalt.net
> chrome.planetcobalt.net CNAME   planetcobalt.net
> planetcobalt.net        A       217.10.9.49
> cobalt@...ome:~ $ host 49.9.10.217.in-addr.arpa
> 49.9.10.217.in-addr.arpa        PTR     mail.planetcobalt.net
> cobalt@...ome:~ $ host mail.planetcobalt.net
> mail.planetcobalt.net   A       217.10.9.49
> cobalt@...ome:~ $ _
> 
> You can have multiple names resolving to the same IP address, but just
> one PTR record mapping that address back to a name.

It was pointed out to me in private that, of course, you can have
multiple PTR records mapping one address to different names. My bad.

However, since oftentimes (colocation scenarios for instance) forward
and reverse zone have different maintainers, it's some hassle to keep
the reverse zone in sync with the forward zone. Thus I have my doubts
that proper reverse mappings for every name will become common practice
anytime soon.

Anyway, I apologize again for the misinformation in my previous mail.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ