Re: Has anyone implemented "double forward DNS"?
On 2008-09-03 Ansgar Wiechers wrote:
> On 2008-08-30 Duncan Simpson wrote:
>> Double reverse DNS, which checks the name found using reverse DNS
>> matches the IP adrdess enquired about is now common. I was wondering
>> wether about has applied the same technique to forward DNS queries
>> too.
>>
>> The idea here is that a client that finds www.example.com is
>> 192.168.3.42 does not trist this infiormation. Instead it looks up
>> 42.3.168.192.in-addr.arpa and checks for a PTR record saying
>> www.example.com. If one is not found then the result is disinformation
>> and should not be used.
>
> Wrong.
>
> cobalt@chrome:~ $ host www.planetcobalt.net
> www.planetcobalt.net CNAME chrome.planetcobalt.net
> chrome.planetcobalt.net CNAME planetcobalt.net
> planetcobalt.net A 217.10.9.49
> cobalt@chrome:~ $ host 49.9.10.217.in-addr.arpa
> 49.9.10.217.in-addr.arpa PTR mail.planetcobalt.net
> cobalt@chrome:~ $ host mail.planetcobalt.net
> mail.planetcobalt.net A 217.10.9.49
> cobalt@chrome:~ $ _
>
> You can have multiple names resolving to the same IP address, but just
> one PTR record mapping that address back to a name.
It was pointed out to me in private that, of course, you can have
multiple PTR records mapping one address to different names. My bad.
However, since oftentimes (colocation scenarios for instance) forward
and reverse zone have different maintainers, it's some hassle to keep
the reverse zone in sync with the forward zone. Thus I have my doubts
that proper reverse mappings for every name will become common practice
anytime soon.
Anyway, I apologize again for the misinformation in my previous mail.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq