Bugtraq mailing list archives
Re: Has anyone implemented "double forward DNS"?
From: The Fungi <fungi () yuggoth org>
Date: Wed, 3 Sep 2008 03:42:32 +0000
On Sat, Aug 30, 2008 at 01:05:51AM +0100, Duncan Simpson wrote: [...]
Of course if the bad guy also controls the client's information about the reverse zone it still loses.
Under what circumstances do you expect the attacker to be able to spoof/poison responses for one query but not the other?
The major problem I can see is that there might that hosts in ISP's dynamically allocated address pools might all fail double forward DNS checks.
[...]
How about a the very common situation of name-based virtual hosting?
Do you propose a round-robin of multiple pointer resource records
for a single IP address, one for each domain hosted at that same
address? That could easily exceed a resolver's maximum response
length...
--
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi () yuggoth org); IRC(fungi () irc yuggoth org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi () yuggoth org);
MUD(fungi () katarsis mudpy org:6669); WWW(http://fungi.yuggoth.org/); }
Current thread:
- Has anyone implemented "double forward DNS"? Duncan Simpson (Sep 02)
- Re: Has anyone implemented "double forward DNS"? The Fungi (Sep 03)
- Re: Has anyone implemented "double forward DNS"? Ansgar Wiechers (Sep 03)
- Re: Has anyone implemented "double forward DNS"? Ansgar -59cobalt- Wiechers (Sep 04)
- Re: Has anyone implemented "double forward DNS"? Steven Bakker (Sep 05)
- Re: Has anyone implemented "double forward DNS"? Ansgar -59cobalt- Wiechers (Sep 04)
- Re: Has anyone implemented "double forward DNS"? Jerry Franz (Sep 03)
- Re: Has anyone implemented "double forward DNS"? Glynn Clements (Sep 03)
- Re: Has anyone implemented "double forward DNS"? terry white (Sep 03)