Message-Id: <200808300006.BAA19019@dps.demon.co.uk>
Date: Sat, 30 Aug 2008 01:05:51 +0100
From: Duncan Simpson <dps@...pson.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Has anyone implemented "double forward DNS"?


Double reverse DNS, which checks that the name found using reverse DNS matches the 
IP address enquired about, is now common. I was wondering whether anybody has 
applied the same technique to forward DNS queries too.

The idea here is that a client that finds www.example.com is 192.168.3.42 does 
not trust this information. Instead it looks up 42.3.168.192.in-addr.arpa and 
checks for a PTR record saying www.example.com. If one is not found then the 
result is disinformation and should not be used. Of course if the bad guy also 
controls the client's information about the reverse zone it still loses.

The major problem I can see is that hosts in ISPs' dynamically allocated 
address pools might all fail double forward DNS checks. OTOH if you were 
expecting your bank or a CA's server that might count as a feature :-)

Browsers could implement this *now* and hopefully reject at least some DNS 
disinformation.

It would also help if web browsers displayed the information about who a 
valid certificate corresponds to somewhere prominently instead of just a 
padlock. My evil ID and banking details theft site could have a valid 
certificate and therefore fool users who just check for a valid SSL certificate.

-- 
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
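The check the post proposes, as an added example that is not part of the post or of any named resolver: the forward and reverse lookup functions and the zone data below are constructed stand-ins for real DNS queries, and the check also covers IPv6 (ip6.arpa), which the post does not mention.

```python
import ipaddress

# Constructed zone data standing in for live DNS answers.
FORWARD = {
    "www.example.com": ["192.168.3.42", "192.168.3.43", "2001:db8::42"],
    "dsl-host.example.net": ["10.9.8.7"],
}
REVERSE = {
    "42.3.168.192.in-addr.arpa": ["WWW.example.com."],      # matches despite case and trailing dot
    "43.3.168.192.in-addr.arpa": [],                         # no PTR at all: address is discarded
    ipaddress.ip_address("2001:db8::42").reverse_pointer: ["www.example.com"],
    "7.8.9.10.in-addr.arpa": ["pool-7.dsl.example.net."],  # generic ISP pool name: fails, as the post notes
}

def lookup_forward(hostname):
    """Stand-in for an A/AAAA query: returns the addresses the name resolves to."""
    return FORWARD.get(_canon(hostname), [])

def lookup_reverse(arpa_name):
    """Stand-in for a PTR query against in-addr.arpa / ip6.arpa."""
    return REVERSE.get(_canon(arpa_name), [])

def _canon(name):
    # DNS names compare case-insensitively and with or without the root dot.
    return name.rstrip(".").lower()

def reverse_name(ip):
    """Reverse-lookup name for an address, e.g. 192.168.3.42 -> 42.3.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def double_forward_check(hostname, forward=lookup_forward, reverse=lookup_reverse):
    """Resolve hostname, then keep only addresses whose PTR record names that hostname.

    Addresses with no PTR, or a PTR naming some other host, are treated as
    disinformation and dropped. If the attacker also controls the reverse zone
    the check is defeated, exactly as the post says.
    """
    want = _canon(hostname)
    confirmed = []
    for ip in forward(hostname):
        ptrs = reverse(reverse_name(ip))
        if any(_canon(p) == want for p in ptrs):
            confirmed.append(ip)
    return confirmed

if __name__ == "__main__":
    print(double_forward_check("www.example.com"))       # ['192.168.3.42', '2001:db8::42']
    print(double_forward_check("dsl-host.example.net"))  # []
```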