nanog mailing list archives
Re: Reverse DNS RFCs and Recommendations
From: Mark Andrews <marka () isc org>
Date: Wed, 06 Nov 2013 12:37:21 +1100
In message <527986A2.6010806 () necom830 hpcl titech ac jp>, Masataka Ohta writes:
Sander Steffann wrote:Also remember that this thread is on secure rDNS by the ISP, which means you can't expect the ISP operate rDNS very securely even though the ISP operate rest of networking not very securely.You're linking things together that are completely orthogonal...You misunderstand very basic points on why forward and reverse DNS checking is useful. If an attacker can snoop DHCP reply packet to a victim's CPE, the attacker can snoop any packet to a victim's server, which is already bad.
The DHCP reply packet is special as is is broadcasted. The unicast traffic isn't seen.
Worse, the attacker can override a connection to the server by forging reply packets as if they are returned by the legitimate server with correct TCP sequence numbers etc, which is especially effective if combined with DOS attack to the legitimate server. Thus, there is no point to make forward and reverse DNS secure. That is, Mark's security model is broken only to introduce obscurity with worse security.
This is a about adding a delegation into the DNS securely so only the machine that the prefix is delegated to and the ISP can update it. There are a number of reasons to want to do this securely from both the ISP side and the customer side regardless of whether you secure the DNS responses themselves.
Masataka Ohta PS If the server and its clients share some secret for mutual authentication as protection against snooping, there is no point to make forward and reverse DNS secure.
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka () isc org
Current thread:
- Re: Reverse DNS RFCs and Recommendations, (continued)
- Re: Reverse DNS RFCs and Recommendations Masataka Ohta (Nov 01)
- Re: Reverse DNS RFCs and Recommendations Mark Andrews (Nov 01)
- Re: Reverse DNS RFCs and Recommendations Masataka Ohta (Nov 02)
- Re: Reverse DNS RFCs and Recommendations Mark Andrews (Nov 02)
- Re: Reverse DNS RFCs and Recommendations Masataka Ohta (Nov 02)
- Re: Reverse DNS RFCs and Recommendations Sander Steffann (Nov 02)
- Re: Reverse DNS RFCs and Recommendations Masataka Ohta (Nov 02)
- Re: Reverse DNS RFCs and Recommendations Sander Steffann (Nov 02)
- Re: Reverse DNS RFCs and Recommendations Masataka Ohta (Nov 05)
- Re: Reverse DNS RFCs and Recommendations Jimmy Hess (Nov 05)
- Re: Reverse DNS RFCs and Recommendations Mark Andrews (Nov 05)
- Re: Reverse DNS RFCs and Recommendations Masataka Ohta (Nov 06)
- Re: Reverse DNS RFCs and Recommendations Mark Andrews (Nov 06)
- Re: Reverse DNS RFCs and Recommendations Masataka Ohta (Nov 06)
- Re: Reverse DNS RFCs and Recommendations Mark Andrews (Nov 02)
- Re: Reverse DNS RFCs and Recommendations Mark Andrews (Nov 04)
- Re: Reverse DNS RFCs and Recommendations Lee Howard (Nov 05)
- Re: Reverse DNS RFCs and Recommendations Mark Andrews (Nov 05)
- Re: Reverse DNS RFCs and Recommendations Livingood, Jason (Nov 06)
- Re: Reverse DNS RFCs and Recommendations Cutler James R (Nov 06)