nanog mailing list archives
Re: ATTBI refuses to do reverse DNS?
From: David Schwartz <davids () webmaster com>
Date: Tue, 18 Jun 2002 13:48:22 -0700
On Tue, 18 Jun 2002 15:54:13 -0400 (EDT), Greg A. Woods wrote:

> [ On Tuesday, June 18, 2002 at 14:51:16 (-0400), Daniel Senie wrote: ]
> > Subject: Re: ATTBI refuses to do reverse DNS?
> >
> > INADDR is a really good idea for network operators to be using, and a really BAD idea for server operators to use as a security mechanism. Fix your server to be less anal.
>
> Excuse me? It's _still_ all the security an Internet DNS client has! When a hostname is important, for whatever reasons, an application MUST confirm the consistency of forward and reverse DNS.

Absolutely. If you can't confirm the hostname forwards and backwards, don't trust it at all. If you can confirm it both ways, you can put some small amount of trust in it. But the difference between the value in these two cases is very small.

> Unfortunately this most recent revision of your draft contains a significant and "dangerous" flaw -- it confuses application security checks with DNS consistency checks. Indeed applications should not use the DNS for authentication or for authorisation. However if any trust is put in the hostname used by a client, for any purpose whatsoever, (for audit logs, etc.) then full consistency checks of the DNS for that hostname _MUST_ be done! DNS spoofing, even just by accident, is just too easy and too common (and yes, it really does happen by accident by way of cache pollution, still in this day and age!).

So if you can't confirm the hostname, don't trust it. Since you can't trust it even if you can confirm it, it doesn't make much difference. If you need the maximum security DNS can possibly give you, keep the IP, time, hostname, and results of reverse DNS.

DS
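The forward/reverse consistency check the thread argues about, written out as an added example (not code from any poster): the lookup functions are passed in as callbacks so the same logic runs against the system resolver or against the constructed, clearly fake table below, and the audit record keeps the IP, time, PTR name and the result, as suggested above. All addresses and names in the table are made up.

```python
import socket
import datetime
from typing import Callable, List, Optional, Tuple

# Constructed test data (documentation ranges); NOT real DNS records.
FAKE_PTR = {"192.0.2.10": "mail.example.net", "192.0.2.20": "spoofed.example.org"}
FAKE_A = {"mail.example.net": ["192.0.2.10"], "spoofed.example.org": ["198.51.100.5"]}

def reverse_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup: address -> hostname, or None if no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def forward_lookup(name: str) -> List[str]:
    """Real A/AAAA lookup: hostname -> sorted list of addresses (empty on failure)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])

def fcrdns(ip: str,
           reverse: Callable[[str], Optional[str]] = reverse_lookup,
           forward: Callable[[str], List[str]] = forward_lookup) -> Tuple[Optional[str], bool]:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP.
    Returns (ptr_name_or_None, consistent). A PTR whose forward records do not
    contain the original address is treated exactly like a missing PTR."""
    name = reverse(ip)
    if name is None:
        return None, False
    return name, ip in forward(name)

def audit_record(ip: str,
                 reverse: Callable[[str], Optional[str]] = reverse_lookup,
                 forward: Callable[[str], List[str]] = forward_lookup,
                 now: Optional[datetime.datetime] = None) -> dict:
    """Log entry keeping IP, time, hostname and the outcome of the check, so the
    hostname is never stored without the evidence needed to re-evaluate it."""
    name, ok = fcrdns(ip, reverse, forward)
    ts = (now or datetime.datetime.now(datetime.timezone.utc)).isoformat()
    return {"time": ts, "ip": ip, "ptr": name, "forward_confirmed": ok}

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        print(audit_record(addr, fake_reverse, fake_forward))
```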
Current thread:
- ATTBI refuses to do reverse DNS? Lou Katz (Jun 18)
- Re: ATTBI refuses to do reverse DNS? brett watson (Jun 18)
- Re: ATTBI refuses to do reverse DNS? Daniel Senie (Jun 18)
- Re: ATTBI refuses to do reverse DNS? Greg A. Woods (Jun 18)
- Re: ATTBI refuses to do reverse DNS? David Schwartz (Jun 18)
- Re: ATTBI refuses to do reverse DNS? Stephen Griffin (Jun 18)
- Re: ATTBI refuses to do reverse DNS? Daniel Senie (Jun 18)
- Re: ATTBI refuses to do reverse DNS? Greg A. Woods (Jun 18)
- Re: ATTBI refuses to do reverse DNS? Chris Woodfield (Jun 19)
- Re: ATTBI refuses to do reverse DNS? Greg A. Woods (Jun 19)
- Cable as Common Carrier (was Re: ATTBI refuses to do reverse DNS?) Robert A. Hayden (Jun 19)
- Re: ATTBI refuses to do reverse DNS? Chris Woodfield (Jun 19)
- Re: ATTBI refuses to do reverse DNS? Daniel Senie (Jun 19)
- Re: ATTBI refuses to do reverse DNS? Frank P. Tower (Jun 19)
- Re: ATTBI refuses to do reverse DNS? Greg A. Woods (Jun 18)
- RE: ATTBI refuses to do reverse DNS? Jim Popovitch (Jun 19)