Duncan Simpson wrote:
> Double reverse DNS, which checks the name found using reverse DNS matches the
> IP address enquired about, is now common. I was wondering whether anyone has
> applied the same technique to forward DNS queries too.
>
> The idea here is that a client that finds www.example.com is 192.168.3.42 does
> not trust this information. Instead it looks up 42.3.168.192.in-addr.arpa and
> checks for a PTR record saying www.example.com. If one is not found then the
> result is disinformation and should not be used. Of course if the bad guy also
> controls the client's information about the reverse zone it still loses.
>
> The major problem I can see is that hosts in ISPs' dynamically allocated
> address pools might all fail double forward DNS checks. OTOH if you were
> expecting your bank or a CA's server that might count as a feature :-)

The major problem I can see is that it's not at all uncommon to have dozens or even hundreds of hostnames all resolve to a single IP address belonging to a shared server. Requesting a PTR record for that IP address typically isn't going to give you the hostname you started with.

-- 
Glynn Clements <glynn@xxxxxxxxxxxxxxxxxx>
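The "double forward DNS" check Duncan proposes, and the shared-server failure mode Glynn describes, can both be shown in a few lines. The following is an added example, not code from either poster: it uses constructed in-memory A and PTR tables (the names and addresses are made up) in place of a real resolver so it runs offline, and classifies each address as confirmed, missing a PTR entirely, or carrying a PTR that names some other host.

```python
"""Double forward DNS check: resolve a name, then require the PTR record
of each resulting address to name the host we started with.

Added example with a constructed in-memory resolver; a real deployment
would issue DNS queries instead of consulting these dictionaries.
"""
import ipaddress

# Constructed forward (A) records: hostname -> addresses.
FORWARD = {
    "www.example.com": ["192.168.3.42"],
    "shared-a.example.net": ["203.0.113.10"],   # two names on one
    "shared-b.example.net": ["203.0.113.10"],   # shared server
    "host.example.org": ["198.51.100.7"],
}

# Constructed reverse (PTR) records: in-addr.arpa name -> hostnames.
REVERSE = {
    "42.3.168.192.in-addr.arpa": ["www.example.com"],
    # The shared server's PTR names the box, not its virtual hosts.
    "10.113.0.203.in-addr.arpa": ["vhost1.hosting.example.net"],
    # 198.51.100.7 deliberately has no PTR record at all.
}


def reverse_name(ip: str) -> str:
    """Return the reverse-lookup name for an address (IPv4 or IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def _canon(name: str) -> str:
    """Normalise a DNS name for comparison: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def double_forward_check(hostname: str, forward=FORWARD, reverse=REVERSE) -> dict:
    """Map each address of `hostname` to one of:
    'confirmed'    - a PTR record for the address names `hostname`
    'no-ptr'       - the address has no PTR record
    'ptr-mismatch' - PTR exists but names a different host (shared server,
                     dynamic pool, or bad data); per the thread, don't use it
    """
    results = {}
    for ip in forward.get(hostname, []):
        ptr_names = reverse.get(reverse_name(ip), [])
        if not ptr_names:
            results[ip] = "no-ptr"
        elif _canon(hostname) in {_canon(n) for n in ptr_names}:
            results[ip] = "confirmed"
        else:
            results[ip] = "ptr-mismatch"
    return results


def trusted_addresses(hostname: str, forward=FORWARD, reverse=REVERSE) -> list:
    """Addresses the check would let a client use: confirmed ones only."""
    return [ip for ip, status in double_forward_check(hostname, forward, reverse).items()
            if status == "confirmed"]


if __name__ == "__main__":
    for host in FORWARD:
        print(f"{host:24} {double_forward_check(host)}")
```

Running it shows www.example.com confirmed, host.example.org rejected for lack of any PTR, and both shared-*.example.net names rejected with ptr-mismatch even though their forward answers are perfectly legitimate; that last case is exactly the false-positive Glynn raises, and it is why a client applying this check needs a policy for mismatches rather than treating every one as spoofing.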