ATTBI refuses to do reverse DNS?

David Schwartz davids at webmaster.com
Tue Jun 18 20:48:22 UTC 2002



On Tue, 18 Jun 2002 15:54:13 -0400 (EDT), Greg A. Woods wrote:

>[ On Tuesday, June 18, 2002 at 14:51:16 (-0400), Daniel Senie wrote: ]
>>Subject: Re: ATTBI refuses to do reverse DNS?

>>INADDR is a really good idea for network operators to be using, and a
>>really BAD idea for server operators to use as a security mechanism. Fix
>>your server to be less anal.

>Excuse me?  It's _still_ all the security an Internet DNS client has!
>
>When a hostname is important, for whatever reasons, an application MUST
>confirm the consistency of forward and reverse DNS.

Absolutely. If you can't confirm the hostname forwards and backwards, don't trust it at all. If you can confirm it both ways, you can put some small amount of trust in it. But the difference between the value in these two cases is very small.

>Unfortunately this most recent revision of your draft contains a
>significant and "dangerous" flaw -- it confuses application security
>checks with DNS consistency checks.  Indeed applications should not use
>the DNS for authentication or for authorisation.  However if any trust
>is put in the hostname used by a client, for any purpose whatsoever,
>(for audit logs, etc.) then full consistency checks of the DNS for that
>hostname _MUST_ be done!  DNS spoofing, even just by accident, is just
>too easy and too common (and yes, it really does happen by accident by
>way of cache pollution, still in this day and age!).

So if you can't confirm the hostname, don't trust it. Since you can't trust it even if you can confirm it, it doesn't make much difference. If you need the maximum security DNS can possibly give you, keep the IP, time, hostname, and results of reverse DNS.

	DS
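
The forward/reverse consistency check both posters argue about, and the audit record David suggests keeping (IP, time, hostname, result of the reverse lookup), written out as an added example. This is not code from the original post or from any NANOG contributor; the function names, the `DnsAuditRecord` fields, and the sample PTR and A data are assumptions constructed for illustration, and the resolver is abstracted behind two callables so the logic can be exercised offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check with an audit record.

Added example, not part of the original thread. The resolver is passed in
as two callables (PTR lookup and forward lookup) so the check can run
against a constructed zone here; in production you would pass the
socket-backed helpers at the bottom or a wrapper around a DNS library.
"""
import ipaddress
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional

PtrLookup = Callable[[str], List[str]]    # ip -> PTR names (may be empty)
AddrLookup = Callable[[str], List[str]]   # name -> addresses (may be empty)


@dataclass
class DnsAuditRecord:
    """What to log: the IP, when, what reverse DNS claimed, and whether it held."""
    ip: str
    observed_at: str
    ptr_names: List[str]
    confirmed_name: Optional[str]
    status: str   # "confirmed" | "no-ptr" | "mismatch" | "lookup-error"


def _normalize(addr: str) -> Optional[str]:
    """Canonical textual form so 192.000.2.10 or ::FFFF:... compare equal."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None


def fcrdns_check(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> DnsAuditRecord:
    """Confirm that some PTR name for `ip` resolves forward back to `ip`.

    The hostname is only reported as confirmed when the round trip closes;
    a PTR that points at a name someone else controls yields "mismatch".
    """
    observed = datetime.now(timezone.utc).isoformat()
    ip_norm = _normalize(ip)
    if ip_norm is None:
        return DnsAuditRecord(ip, observed, [], None, "lookup-error")
    try:
        ptrs = [n.rstrip(".").lower() for n in ptr_lookup(ip_norm)]
    except OSError:   # socket.herror / gaierror are OSError subclasses
        return DnsAuditRecord(ip, observed, [], None, "lookup-error")
    if not ptrs:
        return DnsAuditRecord(ip, observed, [], None, "no-ptr")
    for name in ptrs:
        try:
            forward = {_normalize(a) for a in addr_lookup(name)}
        except OSError:
            continue   # one unresolvable PTR name does not condemn the others
        if ip_norm in forward:
            return DnsAuditRecord(ip, observed, ptrs, name, "confirmed")
    return DnsAuditRecord(ip, observed, ptrs, None, "mismatch")


def audit_line(rec: DnsAuditRecord) -> str:
    """One log line carrying everything the check observed (constructed format)."""
    return (f"{rec.observed_at} ip={rec.ip} status={rec.status} "
            f"ptr={','.join(rec.ptr_names) or '-'} confirmed={rec.confirmed_name or '-'}")


# Constructed sample zone (assumption, not real DNS data; documentation ranges).
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.net."],
    "192.0.2.20": ["trusted.example.org."],   # PTR names a host it does not own
    "192.0.2.30": [],                          # no reverse at all
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10"],
    "trusted.example.org": ["198.51.100.5"],  # forward does not return 192.0.2.20
}


def sample_ptr_lookup(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])


def sample_addr_lookup(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])


def system_ptr_lookup(ip: str) -> List[str]:
    """Real resolver: PTR via the OS stub resolver."""
    host, aliases, _ = socket.gethostbyaddr(ip)
    return [host] + aliases


def system_addr_lookup(name: str) -> List[str]:
    """Real resolver: A/AAAA via getaddrinfo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


if __name__ == "__main__":
    for sample_ip in SAMPLE_PTR:
        print(audit_line(fcrdns_check(sample_ip, sample_ptr_lookup, sample_addr_lookup)))
```

Only the `confirmed` case says anything about the hostname, and even then it says only that whoever controls the reverse zone for that address also controls, or agrees with, the forward zone for that name; the record keeps the raw PTR answer alongside the verdict so a later investigation can see what the DNS claimed at the time, whichever way the check came out.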
