Re: Has anyone implemented "double forward DNS"?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Has anyone implemented "double forward DNS"?
From: Jerry Franz <jfranz@xxxxxxxxxxx>
Date: Wed, 03 Sep 2008 09:40:04 -0700
In-reply-to: <200808300006.BAA19019@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200808300006.BAA19019@xxxxxxxxxxxxxxx>
User-agent: Thunderbird 2.0.0.16 (X11/20080724)



Duncan Simpson wrote:

[...]

The idea here is that a client that finds www.example.com is 192.168.3.42 doesnot trist this infiormation. Instead it looks up 42.3.168.192.in-addr.arpa andchecks for a PTR record saying www.example.com. If one is not found then theresult is disinformation and should not be used. Of course if the bad guy alsocontrols the client's information about the reverse zone it still loses.

[...]

Your proposal would cause a lot of trouble for sites using shared-ipvirtual webhosting (read many, perhaps most, sites) since it couldrequire potentially thousands (or more) of PTR records for eachshared-ip webserver IP (which would do nasty things to DNS in general).


--
Benjamin Franz

References:
- Has anyone implemented "double forward DNS"?
  - From: Duncan Simpson

Prev by Date: Re: In search of examples of malicious source code
Next by Date: Re: Has anyone implemented "double forward DNS"?
Previous by thread: Re: Has anyone implemented "double forward DNS"?
Next by thread: Re: Has anyone implemented "double forward DNS"?
Index(es):
- Date
- Thread