| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Sep 2008 01:25:46 +0100 From: Glynn Clements <glynn@...ements.plus.com> To: Duncan Simpson <dps@...pson.demon.co.uk> Cc: bugtraq@...urityfocus.com Subject: Re: Has anyone implemented "double forward DNS"? Duncan Simpson wrote: > Double reverse DNS, which checks the name found using reverse DNS matches the > IP adrdess enquired about is now common. I was wondering wether about has > applied the same technique to forward DNS queries too. > > The idea here is that a client that finds www.example.com is 192.168.3.42 does > not trist this infiormation. Instead it looks up 42.3.168.192.in-addr.arpa and > checks for a PTR record saying www.example.com. If one is not found then the > result is disinformation and should not be used. Of course if the bad guy also > controls the client's information about the reverse zone it still loses. > > The major problem I can see is that there might that hosts in ISP's > dynamically allocated address pools might all fail double forward DNS checks. > OTOH if you were expecting your bank or a CA's server that might count as a > feature :-) The major problem I can see is that it's not at all uncommon to have dozens or even hundreds of hostnames all resolve to a single IP address belonging to a shared server. Requesting a PTR record for that IP address typically isn't going to give you the hostname you started with. -- Glynn Clements <glynn@...ements.plus.com>
Powered by blists - more mailing lists