Performance Issues - PTR Records

Jeroen Massar jeroen at unfix.org
Tue Nov 8 14:25:04 UTC 2011


On 2011-11-08 13:27 , Mark Andrews wrote:
> In message <4EB90EF2.3030100 at unfix.org>, Jeroen Massar writes:
>> On 2011-11-08 12:05 , Mark Andrews wrote:
>>> In message <4EB8F028.8040607 at dds.nl>, Seth Mos writes:
>> [..]
>>> Sounds like FUD.  Who has trusted the contents of a PTR record in the
>>> last 2 decades?
>>
>> Lots of tools (read: SSH, Spam-checks, oh and IRCd's ;) trust PTR, but
>> only if the reverse => forward => reverse. And you don't want to know
>> how many silly people enable the "if user comes from .in they must be
>> from Indonesia^WIndia thus block them" Apache option as recently
>> mentioned on this very thread.
> 
> They aren't trusting the reverse record.  They are trusting the forward
> record to verify the reverse record. They know that the reverse record
> is untrustworthy as the owner of the reverse zone can put whatever they
> want there without spoofing anything.

Of course that is the case. The PTR itself is useless, but in combo with
checking it with the forward it is a very valuable resource.

(Add DNSSEC to the mix and you are even sure that nobody spoofed it on
the wire for you ;)

>> Also, note that your precious operating system will likely store the
>> PTR, sometimes even without doing the reverse->forward->reverse check.
> 
>> As such, you set up a PTR + Forward properly for a host, try to 'hack' a
>> box by password guessing, the log entries will only have the PTR
>> recorded, and you just drop the PTR+Forward from DNS (as they are under
>> your control) the admin comes in, sees all those nice hosts in their
>> logs but as it is gone from DNS will never ever find you. This
>> especially goes for 'who' (utmp) which makes that mistake. Fortunately
>> SSH at least logs both IP + hostname, the more info the better.
> 
> Who trusts logs of names without actual addresses?   No one sane
> does.

Well, only one decade back some people from this very list mentioned
that to a certain OS that is used quite a lot by a lot of people:

http://www.freebsd.org/cgi/query-pr.cgi?pr=22595

And today that is still the case:
http://www.freebsd.org/cgi/man.cgi?query=utmp&sektion=5

Note there is just ut_host there is no address being stored, I hope you
yourself btw don't use any FreeBSD based devices as otherwise that
little attempt at an insult goes for you too ;)

>> That said though the PTR->forward->PTR check is a proper check and a
>> really great way to figure out if the source SMTP host was actually set
>> up with at least some admin doing it the right way. If they can't be
>> bothered to set that up, why should you bother to accept that mail, or a
>> better choice, just score it a bit negatively at least.
> 
> Which only works as a filter because ISPs decided to prevent home
> users from putting valid PTR records in the DNS for their own
> machines.  It has nothing to do with clue or knowledge.

I don't think ISPs 'decide' to not let users set up reverse DNS, it is
generally a 'feature' for which they can ask more moneyz.

If ISPs would allow it (which I am for btw) then they only pass the test
anyway if they can properly set up reverse->forward->reverse.
Which is likely the case anyway for quite a few ISPs who populate
reverses with a matching forward&reverse based on the IP.

Greets,
 Jeroen




More information about the NANOG mailing list
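The check the thread keeps coming back to, PTR -> forward -> PTR (forward-confirmed reverse DNS), together with the two practical points made above (score an unconfirmed SMTP source negatively rather than trusting the name, and always log the address next to the name so the entry survives the PTR being pulled from DNS), as an added example. This is not code from the thread or from any of the tools it mentions. The zone data is constructed from documentation ranges (198.51.100.0/24, 2001:db8::/32, example.net/example.org) so the demo runs offline; the `system_*` lookups use the stdlib resolver and are only used if you pass them in explicitly. The penalty values are assumptions, not anything a real spam filter prescribes.

```python
"""Forward-confirmed reverse DNS (PTR -> forward -> PTR) with address-preserving log lines.

Added example, not code from the NANOG thread. All zone data below is constructed.
"""
import ipaddress
import socket

# Constructed stand-in for the DNS. Nothing here resolves on the real Internet.
FAKE_PTR = {
    "198.51.100.10": ["mail.example.net"],   # PTR and A agree: host set up properly
    "198.51.100.11": ["mail.example.net"],   # PTR claims a name whose A record points elsewhere
    "198.51.100.12": ["gone.example.org"],   # PTR names a host with no forward record at all
    "2001:db8::25":  ["mx.example.net"],     # IPv6 works the same way (ip6.arpa / AAAA)
    # 198.51.100.13 deliberately has no PTR at all
}
FAKE_FWD = {
    "mail.example.net": ["198.51.100.10"],
    "mx.example.net":   ["2001:db8::25"],
}


def fake_ptr_lookup(ip):
    """PTR names for an address, from the constructed data."""
    return list(FAKE_PTR.get(ip, []))


def fake_addr_lookup(host):
    """A/AAAA addresses for a name, from the constructed data."""
    return list(FAKE_FWD.get(host, []))


def system_ptr_lookup(ip):
    """Same interface via the system resolver (real network; opt-in)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + list(aliases)


def system_addr_lookup(host):
    """Same interface via the system resolver (real network; opt-in)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def _parse_ips(strings):
    """Turn resolver output into ip_address objects, skipping anything unparsable."""
    out = []
    for s in strings:
        try:
            out.append(ipaddress.ip_address(s.split("%", 1)[0]))  # drop IPv6 scope id
        except ValueError:
            pass
    return out


def fcrdns(ip, ptr_lookup=fake_ptr_lookup, addr_lookup=fake_addr_lookup):
    """Return (status, name). status is 'confirmed', 'mismatch' or 'no_ptr'.

    'confirmed' is returned only if some PTR target has a forward record that
    contains the original address; the PTR alone proves nothing, because the
    reverse-zone owner can put any name there.
    """
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(str(addr))]
    if not names:
        return "no_ptr", None
    for name in names:
        if addr in _parse_ips(addr_lookup(name)):
            return "confirmed", name
    return "mismatch", names[0]


# Assumed penalties for an SMTP source; real filters pick their own numbers.
SMTP_PENALTY = {"confirmed": 0.0, "no_ptr": 1.5, "mismatch": 2.5}


def smtp_penalty(ip, **lookups):
    """Score an unconfirmed source negatively instead of rejecting outright."""
    status, _ = fcrdns(ip, **lookups)
    return SMTP_PENALTY[status]


def log_line(ip, **lookups):
    """Always record the address; the name is decoration that can vanish from DNS."""
    status, name = fcrdns(ip, **lookups)
    return f"{ip} rdns={name or '-'} fcrdns={status}"


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12",
               "198.51.100.13", "2001:db8::25"):
        print(log_line(ip), f"penalty={smtp_penalty(ip):.1f}")
```

To run it against the live DNS, pass `ptr_lookup=system_ptr_lookup, addr_lookup=system_addr_lookup`; the logic does not change, only where the records come from. Note that a name with several forward addresses still confirms as long as one of them is the connecting address.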