nanog mailing list archives

Re: ATTBI refuses to do reverse DNS?


From: David Schwartz <davids () webmaster com>
Date: Tue, 18 Jun 2002 13:48:22 -0700



On Tue, 18 Jun 2002 15:54:13 -0400 (EDT), Greg A. Woods wrote:

> [ On Tuesday, June 18, 2002 at 14:51:16 (-0400), Daniel Senie wrote: ]
> Subject: Re: ATTBI refuses to do reverse DNS?
>
> > INADDR is a really good idea for network operators to be using, and a
> > really BAD idea for server operators to use as a security mechanism. Fix
> > your server to be less anal.
>
> Excuse me?  It's _still_ all the security an Internet DNS client has!
>
> When a hostname is important, for whatever reasons, an application MUST
> confirm the consistency of forward and reverse DNS.

        Absolutely. If you can't confirm the hostname forwards and backwards, don't
trust it at all. If you can confirm it both ways, you can put some small
amount of trust in it. But the difference between the value in these two
cases is very small.

> Unfortunately this most recent revision of your draft contains a
> significant and "dangerous" flaw -- it confuses application security
> checks with DNS consistency checks.  Indeed applications should not use
> the DNS for authentication or for authorisation.  However if any trust
> is put in the hostname used by a client, for any purpose whatsoever,
> (for audit logs, etc.) then full consistency checks of the DNS for that
> hostname _MUST_ be done!  DNS spoofing, even just by accident, is just
> too easy and too common (and yes, it really does happen by accident by
> way of cache pollution, still in this day and age!).

        So if you can't confirm the hostname, don't trust it. Since you can't trust
it even if you can confirm it, it doesn't make much difference. If you need
the maximum security DNS can possibly give you, keep the IP, time, hostname,
and results of reverse DNS.

        DS
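The forward/reverse consistency check discussed in this thread (resolve the PTR for the client's address, then resolve each returned name forward and accept the name only if the original address comes back), as an added example that is not part of the original post or of any of the participants' software. The lookups are injected as plain functions so the code runs offline against constructed records in documentation address ranges; `socket`-based adapters for a real resolver are included but are an assumption about how a deployment would wire it up. The audit record keeps what the reply recommends: the IP, the time, the hostname and the result of the reverse check.

```python
"""Forward-confirmed reverse DNS (FCrDNS) with an injectable resolver.

Added example, not code from the NANOG thread.  Sample records below are
constructed (RFC 5737 / documentation addresses), not real hosts.
"""
import ipaddress
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

LookupFn = Callable[[str], List[str]]

# Constructed sample data: address -> PTR names, name -> forward addresses.
SAMPLE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net."],      # forward agrees -> confirmed
    "192.0.2.20": ["host-20.example.org."],   # forward points elsewhere -> mismatch
    "192.0.2.30": [],                         # no PTR published -> no_ptr
}
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10", "192.0.2.11"],
    "host-20.example.org": ["198.51.100.5"],
}


def sample_ptr_lookup(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])


def sample_forward_lookup(name: str) -> List[str]:
    return SAMPLE_FORWARD.get(name, [])


def system_ptr_lookup(ip: str) -> List[str]:
    """Adapter for the system resolver (assumed wiring; not used by the tests)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except OSError:
        return []


def system_forward_lookup(name: str) -> List[str]:
    """Adapter for the system resolver (assumed wiring; not used by the tests)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []


@dataclass
class RdnsRecord:
    ip: str
    checked_at: str
    ptr_names: List[str]
    confirmed_name: Optional[str]
    status: str  # "confirmed", "mismatch" or "no_ptr"

    def audit_line(self) -> str:
        """Log line keeping IP, time, hostname(s) and the reverse-check result."""
        ptrs = ",".join(self.ptr_names) or "-"
        return (f"{self.checked_at} ip={self.ip} rdns={self.status} "
                f"ptr={ptrs} host={self.confirmed_name or '-'}")


def forward_confirmed_rdns(ip: str,
                           ptr_lookup: LookupFn = sample_ptr_lookup,
                           forward_lookup: LookupFn = sample_forward_lookup) -> RdnsRecord:
    """Return a record whose confirmed_name is set only if some PTR name resolves back to ip."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    names = [n.rstrip(".").lower() for n in ptr_lookup(str(addr))]
    if not names:
        return RdnsRecord(str(addr), now, [], None, "no_ptr")
    for name in names:
        forward = set()
        for candidate in forward_lookup(name):
            try:
                forward.add(ipaddress.ip_address(candidate))  # normalises IPv6 forms too
            except ValueError:
                continue  # ignore malformed answers rather than trusting them
        if addr in forward:
            return RdnsRecord(str(addr), now, names, name, "confirmed")
    return RdnsRecord(str(addr), now, names, None, "mismatch")


def trusted_hostname(record: RdnsRecord) -> Optional[str]:
    """Only a forward-confirmed name is usable; anything else yields None (use the bare IP)."""
    return record.confirmed_name if record.status == "confirmed" else None


if __name__ == "__main__":
    for sample_ip in SAMPLE_PTR:
        rec = forward_confirmed_rdns(sample_ip)
        print(rec.audit_line(), "->", trusted_hostname(rec) or sample_ip)
```

An unconfirmed PTR is treated the same as no PTR at all: the caller gets `None` and logs the bare address alongside the raw PTR answer, so the audit trail records what the DNS claimed without any of that claim being trusted.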


