Reverse DNS RFCs and Recommendations

Masataka Ohta mohta at necom830.hpcl.titech.ac.jp
Wed Nov 6 00:00:34 UTC 2013


Sander Steffann wrote:

>> Also remember that this thread is on secure rDNS by the ISP,
>> which means you can't expect the ISP to operate rDNS very securely
>> even though the ISP operates the rest of its networking not very securely.
> 
> You're linking things together that are completely orthogonal...

You misunderstand the very basic points on why forward and reverse
DNS checking is useful.

If an attacker can snoop a DHCP reply packet to a victim's CPE, the
attacker can snoop any packet to the victim's server, which is
already bad.

Worse, the attacker can override a connection to the server by
forging reply packets as if they were returned by the legitimate
server, with correct TCP sequence numbers etc., which is especially
effective if combined with a DoS attack on the legitimate server.

Thus, there is no point in making forward and reverse DNS secure.

That is, Mark's security model is broken only to introduce
obscurity with worse security.

						Masataka Ohta

PS

If the server and its clients share some secret for mutual
authentication as protection against snooping, there is no
point in making forward and reverse DNS secure.



