[48845] in North American Network Operators' Group
Re: ATTBI refuses to do reverse DNS?
daemon@ATHENA.MIT.EDU (David Schwartz)
Tue Jun 18 16:48:51 2002
From: David Schwartz <davids@webmaster.com>
To: <woods@weird.com>, Daniel Senie <dts@senie.com>
Cc: North America Network Operators Group Mailing List <nanog@merit.edu>
Date: Tue, 18 Jun 2002 13:48:22 -0700
In-Reply-To: <20020618195413.7DEB5AC@proven.weird.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 18 Jun 2002 15:54:13 -0400 (EDT), Greg A. Woods wrote:
>[ On Tuesday, June 18, 2002 at 14:51:16 (-0400), Daniel Senie wrote: ]
>>Subject: Re: ATTBI refuses to do reverse DNS?
>>INADDR is a really good idea for network operators to be using, and a
>>really BAD idea for server operators to use as a security mechanism. Fix
>>your server to be less anal.
>Excuse me? It's _still_ all the security an Internet DNS client has!
>
>When a hostname is important, for whatever reasons, an application MUST
>confirm the consistency of forward and reverse DNS.

	Absolutely. If you can't confirm the hostname forwards and backwards, don't
trust it at all. If you can confirm it both ways, you can put some small
amount of trust in it. But the difference between the value in these two
cases is very small.

>Unfortunately this most recent revision of your draft contains a
>significant and "dangerous" flaw -- it confuses application security
>checks with DNS consistency checks. Indeed applications should not use
>the DNS for authentication or for authorisation. However if any trust
>is put in the hostname used by a client, for any purpose whatsoever,
>(for audit logs, etc.) then full consistency checks of the DNS for that
>hostname _MUST_ be done! DNS spoofing, even just by accident, is just
>too easy and too common (and yes, it really does happen by accident by
>way of cache pollution, still in this day and age!).

	So if you can't confirm the hostname, don't trust it. Since you can't trust
it even if you can confirm it, it doesn't make much difference. If you need
the maximum security DNS can possibly give you, keep the IP, time, hostname,
and results of reverse DNS.

	DS
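The consistency check both posters agree on (the PTR name must resolve back to the connecting address before it is trusted at all) together with the audit record the reply recommends keeping (IP, time, hostname, and the reverse-DNS outcome), as an added example in Python that is not part of the original thread. The lookup functions are injectable so the check can be run offline; the `SAMPLE_PTR` and `SAMPLE_FORWARD` tables are constructed data, not real hosts, and the default lookups use the standard-library resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check with an audit record.

Added example, not code from the original NANOG thread.  Resolver
functions are injected so the check can run against constructed data.
"""
import socket
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str], List[str]]


@dataclass
class ReverseDnsResult:
    """What the log should keep: IP, time, PTR names, forward answers, outcome."""
    ip: str
    checked_at: float                        # epoch seconds, for the audit log
    ptr_names: List[str] = field(default_factory=list)
    forward_addrs: Dict[str, List[str]] = field(default_factory=dict)
    confirmed_name: Optional[str] = None     # set only when a PTR name resolved back to ip
    error: Optional[str] = None

    def trusted_hostname(self) -> str:
        # An unconfirmed name is never presented as the host's identity.
        return self.confirmed_name or f"unverified[{self.ip}]"


def default_ptr(ip: str) -> List[str]:
    """PTR lookup via the system resolver (real network access)."""
    name, aliases, _addrs = socket.gethostbyaddr(ip)
    return [name] + list(aliases)


def default_forward(name: str) -> List[str]:
    """A/AAAA lookup via the system resolver (real network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def check_fcrdns(ip: str, ptr_lookup: Lookup = default_ptr,
                 forward_lookup: Lookup = default_forward,
                 now: Callable[[], float] = time.time) -> ReverseDnsResult:
    """ip -> PTR name(s) -> A/AAAA answers; the answers must contain ip."""
    result = ReverseDnsResult(ip=ip, checked_at=now())
    try:
        # Normalise case and trailing dot so names compare reliably.
        result.ptr_names = [n.lower().rstrip(".") for n in ptr_lookup(ip)]
    except OSError as exc:                   # socket.herror/gaierror are OSError subclasses
        result.error = f"PTR lookup failed: {exc}"
        return result
    for name in result.ptr_names:
        try:
            addrs = forward_lookup(name)
        except OSError as exc:
            result.forward_addrs[name] = [f"error: {exc}"]
            continue
        result.forward_addrs[name] = addrs
        if ip in addrs:
            result.confirmed_name = name
            break
    if result.confirmed_name is None:
        result.error = "no PTR name resolves back to the address"
    return result


def audit_line(result: ReverseDnsResult) -> str:
    """One log line carrying IP, time, hostname and reverse-DNS outcome together."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(result.checked_at))
    outcome = "confirmed" if result.confirmed_name else "unconfirmed"
    ptr = ",".join(result.ptr_names) or "-"
    return (f"{stamp} ip={result.ip} ptr={ptr} host={result.trusted_hostname()} "
            f"fcrdns={outcome} note={result.error or '-'}")


# Constructed sample zone data for an offline run (not real hosts):
#   192.0.2.10 -> mail.example.net -> 192.0.2.10   (consistent)
#   192.0.2.20 -> mail.example.net -> 192.0.2.10   (PTR claims a name it does not own)
#   192.0.2.30 -> no PTR record at all
SAMPLE_PTR = {"192.0.2.10": ["mail.example.net."], "192.0.2.20": ["mail.example.net."]}
SAMPLE_FORWARD = {"mail.example.net": ["192.0.2.10"]}


def sample_ptr(ip: str) -> List[str]:
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip]


def sample_forward(name: str) -> List[str]:
    if name not in SAMPLE_FORWARD:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_FORWARD[name]


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(audit_line(check_fcrdns(addr, sample_ptr, sample_forward)))
```

Only `confirmed_name` is ever used as a hostname; everything else stays in the record as evidence, which is the point of keeping IP, time and the raw lookup results together rather than logging a bare name that a stale or polluted PTR could have supplied.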