Reverse DNS RFCs and Recommendations

Jimmy Hess mysidia at gmail.com
Wed Nov 6 00:47:33 UTC 2013


On Tue, Nov 5, 2013 at 6:00 PM, Masataka Ohta <mohta at necom830.hpcl.titech.ac.jp> wrote:

> Sander Steffann wrote:
> >>...
>
> You're linking things together that are completely orthogonal...
>
> You misunderstand very basic points on why forward and reverse
> DNS checking is useful.
>

Just to note... the main reason checking reverse DNS stays useful is
that it is so hard to change in many cases.

Specifically: if a server at some IP address X is under the control of a
spammer, and rDNS is not set up, or rDNS points to some
dynamic-looking hostname,

it will be difficult or not possible for the spammer to modify the RDNS of
the IP address, in many cases; the RDNS is most often managed by the ISP.

Or it may be in a DNS infrastructure running on separate networks, with
separate access credentials.


If RDNS were easy to change, e.g. if you just needed to guess a password
to the server and get signing key information from a DHCP transaction,
the spammer would just change it.


Delegating "Secure RDNS update" with prefix delegation may in fact
make RDNS information so easy to publish that the spammers of the
world can do it, after compromising a router or host on the victim
network, and just "registering the better hostname in the DNS".



The update process may be "secure", but there are new attack vectors.


The value of even looking at RDNS, let alone worrying about
Forward+Reverse DNS agreement/confirmation, may not translate well to
IPv6.


--
-JH
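The forward-confirmed reverse DNS check the message refers to, as an added example that is not part of the original post or of any NANOG participant's code. It uses constructed, in-memory PTR and A/AAAA records in place of a real resolver (the `PTR_RECORDS` and `FORWARD_RECORDS` tables and the `DYNAMIC_PATTERN` heuristic are assumptions made for this example), and reports whether an address has no PTR, has a PTR whose forward record disagrees, is confirmed, and whether the name looks like a dynamic pool entry of the kind the message describes.

```python
import ipaddress
import re

# Constructed sample DNS data (not real records): PTR answers keyed by
# address, forward A/AAAA answers keyed by hostname. Names end in "."
# as a resolver would return them.
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.net."],                  # forward agrees
    "192.0.2.20": ["mail.example.net."],                  # forward does NOT agree
    "192.0.2.30": ["dyn-192-0-2-30.pool.example.org."],   # dynamic-looking name
    "2001:db8::25": ["mx.example.net."],                  # IPv6, forward agrees
}
FORWARD_RECORDS = {
    "mail.example.net.": ["192.0.2.10"],
    "mx.example.net.": ["2001:db8::25"],
    "dyn-192-0-2-30.pool.example.org.": ["192.0.2.30"],
}

# Assumed heuristic for "dynamic-looking" hostnames: common pool/ISP
# labels, or an embedded dotted/dashed IPv4 address.
DYNAMIC_PATTERN = re.compile(
    r"(^|[.-])(dyn|dynamic|pool|dhcp|ppp|dsl|cable)[.-]|(\d{1,3}[.-]){3}\d{1,3}",
    re.IGNORECASE,
)


def lookup_ptr(addr):
    """Stub PTR lookup over the constructed table (swap for a real resolver)."""
    return PTR_RECORDS.get(str(addr), [])


def lookup_forward(name):
    """Stub A/AAAA lookup over the constructed table (swap for a real resolver)."""
    return FORWARD_RECORDS.get(name, [])


def fcrdns(ip, ptr_lookup=lookup_ptr, forward_lookup=lookup_forward):
    """Forward-confirmed reverse DNS check for one address.

    Returns a dict with:
      status    - "no_ptr", "mismatch" (PTR name does not resolve back
                  to the address) or "confirmed"
      names     - every PTR name returned
      confirmed - the subset of names whose forward records contain ip
      dynamic   - True if any PTR name matches DYNAMIC_PATTERN
    """
    addr = ipaddress.ip_address(ip)          # normalises IPv4 and IPv6 text
    names = ptr_lookup(addr)
    if not names:
        return {"status": "no_ptr", "names": [], "confirmed": [], "dynamic": False}

    confirmed = []
    for name in names:
        # The forward answer must contain the original address; a PTR
        # pointing at someone else's hostname does not count.
        forward = {ipaddress.ip_address(a) for a in forward_lookup(name)}
        if addr in forward:
            confirmed.append(name)

    dynamic = any(DYNAMIC_PATTERN.search(n) for n in names)
    status = "confirmed" if confirmed else "mismatch"
    return {"status": status, "names": names, "confirmed": confirmed, "dynamic": dynamic}


def classify(ip):
    """Turn the check into a coarse mail-acceptance signal (policy is an
    assumption for this example, not anyone's published recommendation)."""
    result = fcrdns(ip)
    if result["status"] == "no_ptr":
        return "no-rdns"
    if result["status"] == "mismatch":
        return "unconfirmed"
    return "dynamic-confirmed" if result["dynamic"] else "confirmed"


if __name__ == "__main__":
    for probe in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "2001:db8::25"):
        print(probe, fcrdns(probe)["status"], classify(probe))
```

The two lookups are passed in as callables so the constructed tables can be replaced by a real resolver without touching the check itself; the comparison is done on parsed `ipaddress` objects rather than strings so that differently written IPv6 addresses still agree.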



More information about the NANOG mailing list