BugTraq
Has anyone implemented "double forward DNS"? Aug 30 2008 12:05AM
Duncan Simpson (dps simpson demon co uk) (5 replies)

Double reverse DNS, which checks that the name found using reverse DNS matches the
IP address enquired about, is now common. I was wondering whether anybody has
applied the same technique to forward DNS queries too.

The idea here is that a client that finds www.example.com is 192.168.3.42 does
not trust this information. Instead it looks up 42.3.168.192.in-addr.arpa and
checks for a PTR record saying www.example.com. If one is not found then the
result is disinformation and should not be used. Of course if the bad guy also
controls the client's information about the reverse zone it still loses.

The major problem I can see is that hosts in ISPs' dynamically allocated
address pools might all fail double forward DNS checks.
OTOH if you were expecting your bank or a CA's server that might count as a
feature :-)

Browsers could implement this *now* and hopefully reject at least some DNS
disinformation.

It would also help if web browsers displayed the information about who a
valid certificate corresponds to somewhere prominently instead of just a
padlock. My evil ID and banking details theft site could have a valid
certificate and therefore fool users who just check for a valid SSL certificate.

--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
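The check described in the post, written out as an added example (this is not code from the post, from any browser, or from any resolver library). It builds the in-addr.arpa / ip6.arpa name for each address returned by the forward lookup, fetches the PTR records, and keeps only addresses whose PTR confirms the queried name. The zone data is a constructed in-memory table so it runs offline; the `live_*` helpers, which use the system resolver, are an assumption about how one would wire it to real DNS and are not exercised here. The table also includes the failure mode the post mentions: a host in a dynamically allocated pool with a generic ISP PTR fails the check.

```python
"""Double forward DNS: accept a forward answer only if the PTR for the
address points back to the name that was asked about."""
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed sample zones (not real DNS data). Keys of REVERSE are the
# arpa names a resolver would query; values are the PTR targets.
FORWARD: Dict[str, List[str]] = {
    "www.example.com": ["192.168.3.42", "192.168.3.43"],
    "bank.example.net": ["10.0.0.5"],
    "home.example.org": ["172.16.9.77"],
}
REVERSE: Dict[str, List[str]] = {
    "42.3.168.192.in-addr.arpa": ["WWW.example.com."],      # matches (case/dot differ)
    "43.3.168.192.in-addr.arpa": ["somewhere-else.example.net."],  # does not match
    # 5.0.0.10.in-addr.arpa deliberately absent: no PTR at all
    "77.9.16.172.in-addr.arpa": ["pool-172-16-9-77.isp.example.org."],  # dynamic pool
}


def reverse_name(ip: str) -> str:
    """Arpa name for an IPv4 or IPv6 address, e.g. 42.3.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def table_forward(name: str) -> List[str]:
    """Forward (A/AAAA) lookup against the constructed table."""
    return list(FORWARD.get(normalize(name), []))


def table_reverse(ip: str) -> List[str]:
    """PTR lookup against the constructed table, keyed by arpa name."""
    return list(REVERSE.get(reverse_name(ip), []))


def live_forward(name: str) -> List[str]:
    """Assumed wiring to the system resolver (not run in this example)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> List[str]:
    """Assumed wiring to the system resolver (not run in this example)."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return [primary] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def double_forward_check(
    hostname: str,
    forward: Callable[[str], List[str]] = table_forward,
    reverse: Callable[[str], List[str]] = table_reverse,
) -> List[str]:
    """Return the addresses of `hostname` whose PTR records name `hostname`.

    Anything the forward lookup returned that is not confirmed by the reverse
    zone is dropped, which is the post's rule: unconfirmed answers are treated
    as disinformation. An empty list means the client has nothing it trusts.
    """
    wanted = normalize(hostname)
    confirmed = []
    for ip in forward(hostname):
        ptrs = reverse(ip)
        if any(normalize(p) == wanted for p in ptrs):
            confirmed.append(ip)
    return confirmed


if __name__ == "__main__":
    for host in FORWARD:
        print(host, "->", double_forward_check(host))
```

Note the asymmetry the post points out: the check only helps when the attacker does not also control what the client sees for the reverse zone, and it rejects legitimate hosts whose PTR is a generic ISP pool name, so a client would have to decide per context whether an empty result is a hard failure or merely a missing confirmation.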

Re: Has anyone implemented "double forward DNS"? Sep 03 2008 04:40PM
Jerry Franz (jfranz freerun com)
Re: Has anyone implemented "double forward DNS"? Sep 03 2008 07:46AM
terry white (twhite aniota com)
Re: Has anyone implemented "double forward DNS"? Sep 03 2008 03:42AM
The Fungi (fungi yuggoth org)
Re: Has anyone implemented "double forward DNS"? Sep 03 2008 12:25AM
Glynn Clements (glynn gclements plus com)
Re: Has anyone implemented "double forward DNS"? Sep 02 2008 11:59PM
Ansgar Wiechers (bugtraq planetcobalt net) (1 replies)
Re: Has anyone implemented "double forward DNS"? Sep 04 2008 01:34PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: Has anyone implemented "double forward DNS"? Sep 05 2008 09:11AM
Steven Bakker (steven bakker ams-ix net)
Copyright 2010, SecurityFocus