nanog mailing list archives
Re: Reverse DNS RFCs and Recommendations
From: Masataka Ohta <mohta () necom830 hpcl titech ac jp>
Date: Wed, 06 Nov 2013 09:00:34 +0900
Sander Steffann wrote:
>> Also remember that this thread is on secure rDNS by the ISP, which means you can't expect the ISP to operate rDNS very securely even though the ISP operates the rest of networking not very securely.

> You're linking things together that are completely orthogonal...

You misunderstand very basic points on why forward and reverse DNS checking is useful.

If an attacker can snoop a DHCP reply packet to a victim's CPE, the attacker can snoop any packet to a victim's server, which is already bad.

Worse, the attacker can override a connection to the server by forging reply packets as if they are returned by the legitimate server with correct TCP sequence numbers etc., which is especially effective if combined with a DoS attack on the legitimate server.

Thus, there is no point in making forward and reverse DNS secure.

That is, Mark's security model is broken only to introduce obscurity with worse security.

Masataka Ohta

PS

If the server and its clients share some secret for mutual authentication as protection against snooping, there is no point in making forward and reverse DNS secure.