BugTraq
Has anyone implemented "double forward DNS"? Aug 30 2008 12:05AM
Duncan Simpson (dps simpson demon co uk) (5 replies)
Re: Has anyone implemented "double forward DNS"? Sep 03 2008 04:40PM
Jerry Franz (jfranz freerun com)
Re: Has anyone implemented "double forward DNS"? Sep 03 2008 07:46AM
terry white (twhite aniota com)
Re: Has anyone implemented "double forward DNS"? Sep 03 2008 03:42AM
The Fungi (fungi yuggoth org)
Re: Has anyone implemented "double forward DNS"? Sep 03 2008 12:25AM
Glynn Clements (glynn gclements plus com)

Duncan Simpson wrote:

> Double reverse DNS, which checks the name found using reverse DNS matches the
> IP address enquired about is now common. I was wondering whether anyone has
> applied the same technique to forward DNS queries too.
>
> The idea here is that a client that finds www.example.com is 192.168.3.42 does
> not trust this information. Instead it looks up 42.3.168.192.in-addr.arpa and
> checks for a PTR record saying www.example.com. If one is not found then the
> result is disinformation and should not be used. Of course if the bad guy also
> controls the client's information about the reverse zone it still loses.
>
> The major problem I can see is that hosts in ISP's
> dynamically allocated address pools might all fail double forward DNS checks.
> OTOH if you were expecting your bank or a CA's server that might count as a
> feature :-)

The major problem I can see is that it's not at all uncommon to have
dozens or even hundreds of hostnames all resolve to a single IP
address belonging to a shared server. Requesting a PTR record for that
IP address typically isn't going to give you the hostname you started
with.

--
Glynn Clements <glynn (at) gclements.plus (dot) com>

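The check described in the quoted message, together with the shared-server and dynamic-pool cases raised in this thread, as an added example that is not part of either post. The zone data is constructed, the function names are hypothetical, and the default lookups use the system resolver (IPv4 only).

```python
import socket

def _norm(name):
    """DNS names compare case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()

def system_a(name):
    """Forward (A) lookup through the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def system_ptr(ip):
    """Reverse (PTR) lookup through the system resolver; [] when no record exists."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [host, *aliases]

def double_forward_check(name, lookup_a=system_a, lookup_ptr=system_ptr):
    """Return {ip: confirmed} for every address `name` resolves to.

    An address is confirmed only when one of its PTR names equals `name`.
    """
    wanted = _norm(name)
    return {ip: wanted in {_norm(n) for n in lookup_ptr(ip)}
            for ip in lookup_a(name)}

# Constructed records (not real data): one dedicated host, two virtual hosts on
# a shared server, and one host in a dynamically allocated ISP pool.
A = {
    "www.example.com": ["192.168.3.42"],
    "shop.example.net": ["192.168.7.10"],
    "blog.example.org": ["192.168.7.10"],
    "home.example.org": ["192.168.9.77"],
}
PTR = {
    "192.168.3.42": ["www.example.com."],
    "192.168.7.10": ["shared17.hosting.example."],
    "192.168.9.77": ["dyn-77.pool.isp.example."],
}

def check_constructed(name):
    """Run the check against the constructed records instead of live DNS."""
    return double_forward_check(name,
                                lambda n: A.get(_norm(n), []),
                                lambda ip: PTR.get(ip, []))

if __name__ == "__main__":
    for name in A:
        print(name, check_constructed(name))
```

Only the dedicated host is confirmed. Both names on the shared server and the dynamic-pool host are rejected even though their A records are genuine.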
Re: Has anyone implemented "double forward DNS"? Sep 02 2008 11:59PM
Ansgar Wiechers (bugtraq planetcobalt net) (1 replies)
Re: Has anyone implemented "double forward DNS"? Sep 04 2008 01:34PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: Has anyone implemented "double forward DNS"? Sep 05 2008 09:11AM
Steven Bakker (steven bakker ams-ix net)