[166724] in North American Network Operators' Group
Re: Reverse DNS RFCs and Recommendations
daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Nov 5 20:38:17 2013
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Wed, 06 Nov 2013 09:00:34 +0900."
<527986A2.6010806@necom830.hpcl.titech.ac.jp>
Date: Wed, 06 Nov 2013 12:37:21 +1100
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In message <527986A2.6010806@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Sander Steffann wrote:
>
> >> Also remember that this thread is on secure rDNS by the ISP,
> >> which means you can't expect the ISP to operate rDNS very securely
> >> even though the ISP operates the rest of networking not very securely.
> >
> > You're linking things together that are completely orthogonal...
>
> You misunderstand very basic points on why forward and reverse
> DNS checking is useful.
>
> If an attacker can snoop the DHCP reply packet to a victim's CPE, the
> attacker can snoop any packet to a victim's server, which is
> already bad.
The DHCP reply packet is special as it is broadcast. The
unicast traffic isn't seen.
> Worse, the attacker can override a connection to the server by
> forging reply packets as if they are returned by the legitimate
> server with correct TCP sequence numbers etc., which is especially
> effective if combined with a DoS attack on the legitimate server.
>
>
> Thus, there is no point in making forward and reverse DNS secure.
>
> That is, Mark's security model is broken only to introduce
> obscurity with worse security.
This is about adding a delegation into the DNS securely so only
the machine that the prefix is delegated to and the ISP can update
it. There are a number of reasons to want to do this securely from
both the ISP side and the customer side regardless of whether you
secure the DNS responses themselves.
> Masataka Ohta
>
> PS
>
> If the server and its clients share some secret for mutual
> authentication as protection against snooping, there is no
> point in making forward and reverse DNS secure.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
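The mechanism Mark is describing, a delegation that only the delegated
customer's box and the ISP can change, is what a TSIG-signed DNS UPDATE
gives you, independent of whether the resulting answers are DNSSEC-signed.
The following is an added example written for this archive page, not code
from the thread, from ISC or from any RFC: it builds an RFC 2136 UPDATE that
adds NS records for a customer /56 under the ISP's ip6.arpa zone, signs it
with an RFC 8945 TSIG (HMAC-SHA256), and runs the server-side check that
rejects a wrong secret, a stale timestamp, an unsigned request, and a key
that tries to touch a neighbour's prefix. All prefixes, zone names, key
names, secrets and name servers are constructed for illustration; nothing
is sent on the wire.

```python
"""Added example: TSIG-signed reverse-DNS delegation update and its server check.
Every key name, secret, prefix and name server below is constructed."""
import hashlib
import hmac
import ipaddress
import struct
import time

TSIG_ALG = "hmac-sha256."


def wire_name(name):
    """Encode an absolute dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode an uncompressed wire name; returns (dotted name, next offset)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def reverse_zone(prefix):
    """ip6.arpa name for a nibble-aligned IPv6 prefix (e.g. a customer /56)."""
    net = ipaddress.IPv6Network(prefix)
    assert net.prefixlen % 4 == 0, "delegation boundaries must be nibble-aligned"
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


ISP_ZONE = reverse_zone("2001:db8::/32")        # constructed ISP allocation
# Constructed key table: key name -> (secret, only name it may update at/below).
# This is the BIND "update-policy" idea: a CPE key is bound to its own prefix.
KEYS = {
    "isp-admin.key.": (b"I" * 32, ISP_ZONE),
    "cpe-56-1234-5600.key.": (b"C" * 32, reverse_zone("2001:db8:1234:5600::/56")),
}


def rr(name, rtype, rdata, ttl=3600):
    return wire_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_update(msg_id, zone, delegation, nameservers):
    """RFC 2136 UPDATE: zone section names the parent zone (type SOA), the
    update section adds one NS RR per server at the delegated child name."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, len(nameservers), 0)
    zone_sec = wire_name(zone) + struct.pack("!HH", 6, 1)
    updates = b"".join(rr(delegation, 2, wire_name(ns)) for ns in nameservers)
    return header + zone_sec + updates


def tsig_vars(key_name, alg, t_signed, fudge):
    """TSIG variables covered by the MAC (RFC 8945 s.4.3.3): key name, class
    ANY, TTL 0, algorithm, time signed, fudge, error 0, other-len 0."""
    return (wire_name(key_name.lower()) + struct.pack("!HI", 255, 0) + wire_name(alg.lower())
            + t_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))


def tsig_sign(msg, key_name, secret, now=None, fudge=300):
    """Client side: append a TSIG RR whose MAC covers the whole request, so a
    snooped or replayed copy cannot be altered without the shared secret."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(secret, msg + tsig_vars(key_name, TSIG_ALG, now, fudge), hashlib.sha256).digest()
    rdata = (wire_name(TSIG_ALG) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[0:2] + struct.pack("!HH", 0, 0))
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def tsig_verify(signed, now=None):
    """Server side: walk to the trailing TSIG RR, recompute the MAC with the
    named key, enforce the time window, then check the key may touch every
    name in the update section. Returns (accepted, rcode text)."""
    now = int(time.time()) if now is None else now
    counts = struct.unpack("!HHHHHH", signed[:12])
    if counts[5] == 0:
        return False, "NOTAUTH: unsigned"
    off = 12
    for _ in range(counts[2]):                      # zone section entries
        _, off = read_name(signed, off)
        off += 4
    names, starts = [], []
    for _ in range(counts[3] + counts[4] + counts[5]):   # PR, UP and AD records
        starts.append(off)
        name, off = read_name(signed, off)
        names.append(name)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off, key_name = starts[-1], names[-1].lower()
    p = tsig_off + len(wire_name(key_name))
    if struct.unpack("!H", signed[p:p + 2])[0] != 250 or key_name not in KEYS:
        return False, "NOTAUTH: unknown key"
    alg, p = read_name(signed, p + 10)
    t_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, maclen = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + maclen]
    orig_id = signed[p + 10 + maclen:p + 12 + maclen]
    secret, allowed = KEYS[key_name]
    # Rebuild the request as it was before the TSIG RR was appended.
    unsigned = orig_id + signed[2:10] + struct.pack("!H", counts[5] - 1) + signed[12:tsig_off]
    expect = hmac.new(secret, unsigned + tsig_vars(key_name, alg, t_signed, fudge), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        return False, "NOTAUTH: BADSIG"
    if abs(now - t_signed) > fudge:
        return False, "NOTAUTH: BADTIME"
    for name in names[counts[3]:counts[3] + counts[4]]:
        if not (name.lower() == allowed or name.lower().endswith("." + allowed)):
            return False, "REFUSED: key not allowed for " + name
    return True, "NOERROR"


def demo(now=1_700_000_000):
    """The cases the ISP's server must tell apart; returns {case: (ok, rcode)}."""
    cpe_secret = KEYS["cpe-56-1234-5600.key."][0]
    ns = ["ns1.customer.example.", "ns2.customer.example."]
    own = build_update(0x1234, ISP_ZONE, reverse_zone("2001:db8:1234:5600::/56"), ns)
    neighbour = build_update(0x1235, ISP_ZONE, reverse_zone("2001:db8:1234:5700::/56"), ns)
    good = tsig_sign(own, "cpe-56-1234-5600.key.", cpe_secret, now)
    return {
        "valid": tsig_verify(good, now),
        "bad secret": tsig_verify(tsig_sign(own, "cpe-56-1234-5600.key.", b"guess", now), now),
        "other prefix": tsig_verify(tsig_sign(neighbour, "cpe-56-1234-5600.key.", cpe_secret, now), now),
        "isp key": tsig_verify(tsig_sign(neighbour, "isp-admin.key.", KEYS["isp-admin.key."][0], now), now),
        "stale": tsig_verify(good, now + 600),
        "unsigned": tsig_verify(own, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} {result}")
```

The point of the key table is the part that is easy to get wrong in
practice: the MAC only proves the request came from someone holding a key;
the server still has to bind each key to the one name under ip6.arpa it is
allowed to change, or a customer can rewrite a neighbour's delegation.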