Bugtraq mailing list archives
Re: Has anyone implemented "double forward DNS"?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 4 Sep 2008 15:34:16 +0200
On 2008-09-03 Ansgar Wiechers wrote:
On 2008-08-30 Duncan Simpson wrote:Double reverse DNS, which checks the name found using reverse DNS matches the IP adrdess enquired about is now common. I was wondering wether about has applied the same technique to forward DNS queries too. The idea here is that a client that finds www.example.com is 192.168.3.42 does not trist this infiormation. Instead it looks up 42.3.168.192.in-addr.arpa and checks for a PTR record saying www.example.com. If one is not found then the result is disinformation and should not be used.Wrong. cobalt@chrome:~ $ host www.planetcobalt.net www.planetcobalt.net CNAME chrome.planetcobalt.net chrome.planetcobalt.net CNAME planetcobalt.net planetcobalt.net A 217.10.9.49 cobalt@chrome:~ $ host 49.9.10.217.in-addr.arpa 49.9.10.217.in-addr.arpa PTR mail.planetcobalt.net cobalt@chrome:~ $ host mail.planetcobalt.net mail.planetcobalt.net A 217.10.9.49 cobalt@chrome:~ $ _ You can have multiple names resolving to the same IP address, but just one PTR record mapping that address back to a name.
It was pointed out to me in private that, of course, you can have multiple PTR records mapping one address to different names. My bad. However, since oftentimes (colocation scenarios for instance) forward and reverse zone have different maintainers, it's some hassle to keep the reverse zone in sync with the forward zone. Thus I have my doubts that proper reverse mappings for every name will become common practice anytime soon. Anyway, I apologize again for the misinformation in my previous mail. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- Has anyone implemented "double forward DNS"? Duncan Simpson (Sep 02)
- Re: Has anyone implemented "double forward DNS"? The Fungi (Sep 03)
- Re: Has anyone implemented "double forward DNS"? Ansgar Wiechers (Sep 03)
- Re: Has anyone implemented "double forward DNS"? Ansgar -59cobalt- Wiechers (Sep 04)
- Re: Has anyone implemented "double forward DNS"? Steven Bakker (Sep 05)
- Re: Has anyone implemented "double forward DNS"? Ansgar -59cobalt- Wiechers (Sep 04)
- Re: Has anyone implemented "double forward DNS"? Jerry Franz (Sep 03)
- Re: Has anyone implemented "double forward DNS"? Glynn Clements (Sep 03)
- Re: Has anyone implemented "double forward DNS"? terry white (Sep 03)