Merit Network Email List Archives: North American Network Operators Group

Re: ATTBI refuses to do reverse DNS?

  • From: David Schwartz
  • Date: Tue Jun 18 16:50:34 2002


On Tue, 18 Jun 2002 15:54:13 -0400 (EDT), Greg A. Woods wrote:

>[ On Tuesday, June 18, 2002 at 14:51:16 (-0400), Daniel Senie wrote: ]
>>Subject: Re: ATTBI refuses to do reverse DNS?

>>INADDR is a really good idea for network operators to be using, and a
>>really BAD idea for server operators to use as a security mechanism. Fix
>>your server to be less anal.

>Excuse me?  It's _still_ all the security an Internet DNS client has!
>
>When a hostname is important, for whatever reasons, an application MUST
>confirm the consistency of forward and reverse DNS.

	Absolutely. If you can't confirm the hostname forwards and backwards, don't 
trust it at all. If you can confirm it both ways, you can put some small 
amount of trust in it. But the difference between the value in these two 
cases is very small.

>Unfortunately this most recent revision of your draft contains a
>significant and "dangerous" flaw -- it confuses application security
>checks with DNS consistency checks.  Indeed applications should not use
>the DNS for authentication or for authorisation.  However if any trust
>is put in the hostname used by a client, for any purpose whatsoever,
>(for audit logs, etc.) then full consistency checks of the DNS for that
>hostname _MUST_ be done!  DNS spoofing, even just by accident, is just
>too easy and too common (and yes, it really does happen by accident by
>way of cache pollution, still in this day and age!).

	So if you can't confirm the hostname, don't trust it. Since you can't trust 
it even if you can confirm it, it doesn't make much difference. If you need 
the maximum security DNS can possibly give you, keep the IP, time, hostname, 
and results of reverse DNS.

	DS
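The forward-and-backward consistency check both posters describe (a PTR lookup, then a forward lookup of the returned name, accepted only if it contains the original address), written out here as an added example that is not part of the list message. Resolver lookups are injected callables and the tables are constructed sample data, so it runs offline; the hostnames and addresses are hypothetical, and the audit record keeps the fields the message lists (IP, time, hostname, reverse-DNS result).

```python
import ipaddress
from datetime import datetime, timezone
from typing import Callable, Optional
# Lookups are injected callables so the check runs against any resolver; the
# tables below are constructed sample data (hypothetical hosts), not live DNS.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.com."],  # forward record points back: consistent
    "192.0.2.20": ["www.example.net."],   # forward record names another address
    "192.0.2.30": ["gone.example.org."],  # PTR names a host with no forward record
}
SAMPLE_ADDR = {
    "mail.example.com.": ["192.0.2.10"],
    "www.example.net.": ["192.0.2.21"],
}

def reverse_name(ip: str) -> str:
    """The in-addr.arpa / ip6.arpa name the PTR query is sent for."""
    return ipaddress.ip_address(ip).reverse_pointer

def confirm_hostname(ip: str, ptr_lookup: Callable, addr_lookup: Callable) -> Optional[str]:
    """Return a PTR name whose forward lookup contains ip, else None.
    Lookups raise LookupError (dict.__getitem__ raises KeyError) when no record exists."""
    target = ipaddress.ip_address(ip)
    try:
        candidates = ptr_lookup(ip)
    except LookupError:
        return None  # no reverse record at all
    for name in candidates:
        try:
            forward = addr_lookup(name)
        except LookupError:
            continue  # dangling PTR: nothing to confirm against
        # Only a name whose forward zone agrees with the reverse tree is returned.
        if any(ipaddress.ip_address(a) == target for a in forward):
            return name.rstrip(".").lower()
    return None

def audit_record(ip: str, ptr_lookup: Callable, addr_lookup: Callable,
                 now: Optional[datetime] = None) -> dict:
    """Keep what the message recommends: IP, time, raw reverse result, confirmed name."""
    try:
        raw_ptr = list(ptr_lookup(ip))
    except LookupError:
        raw_ptr = []
    return {
        "ip": ip,
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "ptr": raw_ptr,
        "hostname": confirm_hostname(ip, ptr_lookup, addr_lookup),  # None means do not trust
    }
```

For a live check, pass real PTR and A/AAAA query functions in place of the dictionary lookups; an unconfirmed name still gets logged in the raw PTR field, but never as the hostname.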
