lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <48BEBDE4.10304@freerun.com>
Date: Wed, 03 Sep 2008 09:40:04 -0700
From: Jerry Franz <jfranz@...erun.com>
To: bugtraq@...urityfocus.com
Subject: Re: Has anyone implemented "double forward DNS"?



Duncan Simpson wrote:

[...]
> The idea here is that a client that finds www.example.com is 192.168.3.42 does 
> not trist this infiormation. Instead it looks up 42.3.168.192.in-addr.arpa and 
> checks for a PTR record saying www.example.com. If one is not found then the 
> result is disinformation and should not be used. Of course if the bad guy also 
> controls the client's information about the reverse zone it still loses.
[...]

Your proposal would cause a lot of trouble for sites using shared-ip 
virtual webhosting (read many, perhaps most, sites) since it could 
require potentially thousands (or more) of PTR records for each 
shared-ip webserver IP (which would do nasty things to DNS  in general).

-- 
Benjamin Franz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ